Home > Developer > Linux

OpenResty (nginx extension) to prevent cc attacks

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

OpenResty (nginx extension) to prevent cc attacks

OpenResty (nginx extension) to prevent cc attacksGuideOpenResty integrates a variety of well-designed Nginx modules (mainly developed by the OpenResty Team) to effectively turn Nginx into a powerful universal Web application platform. In this way, Web developers and System Engineers can use the Lua script language to mobilize various C and Lua modules supported by Nginx, quickly construct a high-performance Web application system capable of concurrent connections between 10 K and 1000 KFlowchart

This article describes how to use openresty to prevent cc attacks. Openresty official website http://openresty.org/cn/index.html. The following is a flowchart of anti-cc attack.
According to the flowchart, we know that anti-cc attack mainly includes two parts: one is to limit the request speed, and the other is to send the js jump code to the user to verify whether the request is legal.

Install dependency

RHEL/Centos:

yum install readline-devel pcre-devel openssl-devel

Ubuntu:

apt-get install libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl
Luajit Installation
    cd /tmp/    git clone http://luajit.org/git/luajit-2.0.git    cd luajit-2.0/    make && make install    ln -sf luajit-2.0.0-beta10 /usr/local/bin/luajit    ln -sf /usr/local/lib/libluajit-5.1.so.2 /usr/lib/
Openresty Installation
    cd /tmp    wget http://agentzh.org/misc/nginx/ngx_openresty-1.2.4.13.tar.gz    tar xzf ngx_openresty-1.2.4.13.tar.gz    cd ngx_openresty-1.2.4.13/    ./configure --prefix=/usr/local/openresty --with-luajit    make && make install
Nginx Configuration

Nginx. conf:

    http{    [......]    lua_shared_dict limit 10m;    lua_shared_dict jsjump 10m;             server {    #lua_code_cache off;            listen       80;            server_name  www.centos.bz;                 location / {    default_type  text/html;    content_by_lua_file "/usr/local/openresty/nginx/conf/lua";            }            location @cc {                internal;                root   html;                index  index.html index.htm;            }        }    }

/Usr/local/openresty/nginx/conf/lua file:

    local ip = ngx.var.binary_remote_addr    local limit = ngx.shared.limit    local req,_=limit:get(ip)    if req then            if req > 20 then                    ngx.exit(503)            else                    limit:incr(ip,1)            end    else            limit:set(ip,1,10)    end         local jsjump = ngx.shared.jsjump    local uri = ngx.var.request_uri    local jspara,flags=jsjump:get(ip)    local args = ngx.req.get_uri_args()    if jspara then        if flags then            ngx.exec("@cc")        else                    local p_jskey=''                    if args["jskey"] and type(args["jskey"])=='table' then                             p_jskey=args["jskey"][table.getn(args["jskey"])]                    else                             p_jskey=args["jskey"]                    end            if p_jskey and p_jskey==tostring(jspara) then                            jsjump:set(ip,jspara,3600,1)                            ngx.exec("@cc")            else                            local url=''                            if ngx.var.args then                                   url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..jspara                            else                                   url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..jspara                            end                            local jscode="window.location.href='"..url.."';"                            ngx.say(jscode)            end        end    else    math.randomseed( os.time() );        local random=math.random(100000,999999)        jsjump:set(ip,random,60)        local url=''        if ngx.var.args then            url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..random        else            url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..random        end        local jscode="window.location.href='"..url.."';"        ngx.say(jscode)    end

Lua Code Description:
1. lines 1-12 are implemented by the speed limit function. Lines 5th and 10th indicate that up to 20 requests can be requested within 10 seconds.
2. Lines 14-48 are the verification part. 3600 in the 24 rows indicates that after the verification is passed, the whitelist time is 3600 seconds, that is, 1 hour.

Update: 2013.5.26
1. Fixed the JS unlimited jump bug.
2. Add random Seeds

Address: https://www.centos.bz/2012/12/openresty-nginx-block-cc-attack-deploy/

Address: http://www.linuxprobe.com/linux-openresty.html ghost


GuideOpenResty integrates a variety of well-designed Nginx modules (mainly developed by the OpenResty Team) to effectively turn Nginx into a powerful universal Web application platform. In this way, Web developers and System Engineers can use the Lua script language to mobilize various C and Lua modules supported by Nginx, quickly construct a high-performance Web application system capable of concurrent connections between 10 K and 1000 KFlowchart

This article describes how to use openresty to prevent cc attacks. Openresty official website http://openresty.org/cn/index.html. The following is a flowchart of anti-cc attack.
According to the flowchart, we know that anti-cc attack mainly includes two parts: one is to limit the request speed, and the other is to send the js jump code to the user to verify whether the request is legal.

Install dependency

RHEL/Centos:

yum install readline-devel pcre-devel openssl-devel

Ubuntu:

apt-get install libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl
Luajit Installation
    cd /tmp/    git clone http://luajit.org/git/luajit-2.0.git    cd luajit-2.0/    make && make install    ln -sf luajit-2.0.0-beta10 /usr/local/bin/luajit    ln -sf /usr/local/lib/libluajit-5.1.so.2 /usr/lib/
Openresty Installation
    cd /tmp    wget http://agentzh.org/misc/nginx/ngx_openresty-1.2.4.13.tar.gz    tar xzf ngx_openresty-1.2.4.13.tar.gz    cd ngx_openresty-1.2.4.13/    ./configure --prefix=/usr/local/openresty --with-luajit    make && make install
Nginx Configuration

Nginx. conf:

    http{    [......]    lua_shared_dict limit 10m;    lua_shared_dict jsjump 10m;             server {    #lua_code_cache off;            listen       80;            server_name  www.centos.bz;                 location / {    default_type  text/html;    content_by_lua_file "/usr/local/openresty/nginx/conf/lua";            }            location @cc {                internal;                root   html;                index  index.html index.htm;            }        }    }

/Usr/local/openresty/nginx/conf/lua file:

    local ip = ngx.var.binary_remote_addr    local limit = ngx.shared.limit    local req,_=limit:get(ip)    if req then            if req > 20 then                    ngx.exit(503)            else                    limit:incr(ip,1)            end    else            limit:set(ip,1,10)    end         local jsjump = ngx.shared.jsjump    local uri = ngx.var.request_uri    local jspara,flags=jsjump:get(ip)    local args = ngx.req.get_uri_args()    if jspara then        if flags then            ngx.exec("@cc")        else                    local p_jskey=''                    if args["jskey"] and type(args["jskey"])=='table' then                             p_jskey=args["jskey"][table.getn(args["jskey"])]                    else                             p_jskey=args["jskey"]                    end            if p_jskey and p_jskey==tostring(jspara) then                            jsjump:set(ip,jspara,3600,1)                            ngx.exec("@cc")            else                            local url=''                            if ngx.var.args then                                   url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..jspara                            else                                   url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..jspara                            end                            local jscode="window.location.href='"..url.."';"                            ngx.say(jscode)            end        end    else    math.randomseed( os.time() );        local random=math.random(100000,999999)        jsjump:set(ip,random,60)        local url=''        if ngx.var.args then            url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..random        else            url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..random        end        local jscode="window.location.href='"..url.."';"        ngx.say(jscode)    end

Lua Code Description:
1. lines 1-12 are implemented by the speed limit function. Lines 5th and 10th indicate that up to 20 requests can be requested within 10 seconds.
2. Lines 14-48 are the verification part. 3600 in the 24 rows indicates that after the verification is passed, the whitelist time is 3600 seconds, that is, 1 hour.

Update: 2013.5.26
1. Fixed the JS unlimited jump bug.
2. Add random Seeds

Address: https://www.centos.bz/2012/12/openresty-nginx-block-cc-attack-deploy/

Reprinted address: http://www.linuxprobe.com/linux-openresty.html ghost


This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to prevent phishing attacks how to prevent ransomware attacks how to prevent dns attacks how to prevent xss attacks how to prevent ddos attacks on pc how to prevent ddos attacks on websites how to prevent dos and ddos attacks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More