OpenResty (nginx extension) to prevent cc attacks
Guide

OpenResty integrates a variety of well-designed Nginx modules (mainly developed by the OpenResty team) to turn Nginx into a powerful general-purpose web application platform. With it, web developers and system engineers can use the Lua scripting language to drive the various C and Lua modules supported by Nginx and quickly build a high-performance web application system capable of handling between 10K and 1000K concurrent connections.

Flowchart
This article describes how to use OpenResty to prevent CC (Challenge Collapsar, i.e. HTTP flood) attacks. OpenResty official website: http://openresty.org/cn/index.html. The following is a flowchart of the anti-CC mechanism.

According to the flowchart, anti-CC protection consists of two parts: one limits the request rate of each client IP, and the other sends the client a JavaScript redirect that it must follow, which verifies that the request comes from a real browser rather than a flood tool.
Install dependencies

RHEL/CentOS:
yum install readline-devel pcre-devel openssl-devel
Ubuntu:
apt-get install libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl
LuaJIT installation

cd /tmp/
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make && make install
ln -sf luajit-2.0.0-beta10 /usr/local/bin/luajit
ln -sf /usr/local/lib/libluajit-5.1.so.2 /usr/lib/

OpenResty installation

cd /tmp
wget http://agentzh.org/misc/nginx/ngx_openresty-1.2.4.13.tar.gz
tar xzf ngx_openresty-1.2.4.13.tar.gz
cd ngx_openresty-1.2.4.13/
./configure --prefix=/usr/local/openresty --with-luajit
make && make install
Nginx configuration

nginx.conf:

http {
    [......]
    lua_shared_dict limit 10m;     # per-IP request counters
    lua_shared_dict jsjump 10m;    # per-IP challenge keys and verified flag
    server {
        #lua_code_cache off;
        listen 80;
        server_name www.centos.bz;
        location / {
            default_type text/html;
            content_by_lua_file "/usr/local/openresty/nginx/conf/lua";
        }
        location @cc {
            internal;
            root html;
            index index.html index.htm;
        }
    }
}
/usr/local/openresty/nginx/conf/lua file:

-- stage 1: per-IP rate limit (at most 20 requests per 10 seconds)
local ip = ngx.var.binary_remote_addr
local limit = ngx.shared.limit
local req,_=limit:get(ip)
if req then
    if req > 20 then
        ngx.exit(503)
    else
        limit:incr(ip,1)
    end
else
    limit:set(ip,1,10)   -- first request in a new 10-second window
end

-- stage 2: JS redirect verification
local jsjump = ngx.shared.jsjump
local uri = ngx.var.request_uri
local jspara,flags=jsjump:get(ip)   -- jspara: key issued to this IP; flags=1 once verified
local args = ngx.req.get_uri_args()
if jspara then
    if flags then
        ngx.exec("@cc")   -- already verified within the last hour: serve the real content
    else
        -- jskey can be repeated in the query string (the redirect appends it to the
        -- existing args); it then arrives as a table, so take the last value
        local p_jskey=''
        if args["jskey"] and type(args["jskey"])=='table' then
            p_jskey=args["jskey"][table.getn(args["jskey"])]
        else
            p_jskey=args["jskey"]
        end
        if p_jskey and p_jskey==tostring(jspara) then
            jsjump:set(ip,jspara,3600,1)   -- key echoed back: whitelist this IP for 3600 s
            ngx.exec("@cc")
        else
            -- wrong or missing key: send the redirect again with the key already issued
            local url=''
            if ngx.var.args then
                url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..jspara
            else
                url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..jspara
            end
            -- the <script> tags are required so the browser executes the redirect
            -- instead of displaying it as text
            local jscode="<script>window.location.href='"..url.."';</script>"
            ngx.say(jscode)
        end
    end
else
    -- unknown IP: issue a random 6-digit key valid for 60 s and send the redirect
    math.randomseed( os.time() );
    local random=math.random(100000,999999)
    jsjump:set(ip,random,60)
    local url=''
    if ngx.var.args then
        url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..random
    else
        url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..random
    end
    local jscode="<script>window.location.href='"..url.."';</script>"
    ngx.say(jscode)
end
Lua code description:

1. Lines 1-12 implement the rate limit. Line 5 ("if req > 20") and line 10 ("limit:set(ip,1,10)") together mean that one IP may make up to 20 requests within 10 seconds; beyond that it receives a 503.

2. Lines 14-48 are the verification part. The 3600 in line 24 ("jsjump:set(ip,jspara,3600,1)") means that once a client has passed verification, its IP stays whitelisted for 3600 seconds, that is, 1 hour.
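The two-stage flow described above, as an added offline model that is not the article's Lua: the nginx shared dictionary is replaced by a small TTL dict so the decision logic (the 20-per-10-second limit, the 60-second challenge key, the repeated-jskey handling and the 1-hour whitelist) can be exercised and tested without nginx. The class and function names, the IP, the clock and the key values are all constructed for the example.

```python
import random
import time

class TtlDict:
    """Stand-in for ngx.shared.DICT: get -> (value, flags), set with a TTL, incr."""
    def __init__(self, clock=time.time):
        self.clock, self.store = clock, {}

    def get(self, key):
        item = self.store.get(key)
        if item is None or (item[2] is not None and item[2] <= self.clock()):
            self.store.pop(key, None)   # expired entries behave as absent, as in nginx
            return None, None
        return item[0], item[1]

    def set(self, key, value, ttl=0, flags=None):
        self.store[key] = (value, flags, self.clock() + ttl if ttl else None)

    def incr(self, key, step):
        value, flags, exp = self.store[key]
        self.store[key] = (value + step, flags, exp)

LIMIT, WINDOW, KEY_TTL, WHITELIST_TTL = 20, 10, 60, 3600   # the article's constants

def handle(limit, jsjump, ip, args, rng=random):
    """One request: returns '503', 'challenge:<key>' or 'pass', following the article's Lua."""
    # stage 1: rate limit per IP
    req, _ = limit.get(ip)
    if req is not None:
        if req > LIMIT:
            return "503"
        limit.incr(ip, 1)
    else:
        limit.set(ip, 1, WINDOW)
    # stage 2: JS redirect verification
    jspara, flags = jsjump.get(ip)
    if jspara is None:                       # unknown IP: issue a key for 60 s
        key = rng.randint(100000, 999999)
        jsjump.set(ip, key, KEY_TTL)
        return f"challenge:{key}"
    if flags:                                # verified earlier: serve @cc
        return "pass"
    jskey = args.get("jskey")
    if isinstance(jskey, list):              # repeated ?jskey=..&jskey=..: last value wins
        jskey = jskey[-1]
    if jskey is not None and jskey == str(jspara):
        jsjump.set(ip, jspara, WHITELIST_TTL, flags=1)   # whitelist for one hour
        return "pass"
    return f"challenge:{jspara}"             # wrong or missing key: redirect again
```

Note that, exactly as in the Lua, a client that never runs JavaScript still consumes a counter slot per challenge, so a flood from one IP is cut off by the 503 path even though it never passes verification.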
Update: 2013.5.26

1. Fixed the bug that made the JS redirect loop endlessly.

2. Added a random seed before generating the key.

Original article: https://www.centos.bz/2012/12/openresty-nginx-block-cc-attack-deploy/

Reprinted from: http://www.linuxprobe.com/linux-openresty.html