Use Nginx to defend against CC attacks

Source: Internet
Author: User

I haven't written anything for a long time. At my previous company there were so many attacks and other things going on that I never got around to it. Today I will write up some Nginx configuration for defending against CC attacks.
As an aside, Google Reader is about to shut down. I don't know what alternatives other people have found; I tried a few, but the foreign ones don't seem to handle Chinese very well. In the end I decided to try Xianguo (鲜果) first, and so far it feels fine.
CC (Challenge Collapsar) attacks are HTTP floods that exhaust the server's CPU and memory. The attacker typically picks expensive endpoints, such as search.php or other pages that trigger many SQL queries, and hammers them. Once you understand that, the defence is straightforward: cap the number of concurrent connections from a single IP address, and cap the rate at which a single IP address may request PHP files.
We mainly use two limit modules in Nginx:
ngx_http_limit_conn_module
ngx_http_limit_req_module
0x01 Whitelist
First, both modules honour a whitelist: there may be IP addresses we do not want to limit at all, such as search engine crawlers or our own addresses, so we set up a whitelist. Skip this step if you do not need it. The method:
Insert the following in the http block to declare the whitelisted addresses.

http {
    .......

    geo $limited {
        default 1;

        # Company
        119.123.5.0/24 0;
    }
    .........
}
The geo directive defines the variable $limited as the whitelist: its default value is 1, and for a client whose address falls in one of the listed ranges it is 0.
Next, use the map directive to turn $limited into the actual limit key: a whitelisted client maps to an empty string, everyone else maps to their real address ($binary_remote_addr). Both limit modules skip requests whose key is empty, so whitelisted clients (search engines, the company range) never get an entry in the zone's shared memory and are never limited.
map $limited $limit {
    1 $binary_remote_addr;
    0 "";
}
 
0x02 Request rate limiting
Request rate limiting uses ngx_http_limit_req_module, which has to be configured in two places. First, declare the shared-memory zone in the http block. If you set up the whitelist above, key the zone on $limit:
http {
    ...
    limit_req_zone $limit zone=one:10m rate=20r/m;   # 20 requests per minute on average
    ...
}
Without a whitelist, every client address is limited; key the zone on $binary_remote_addr instead:
http {
    ...
    limit_req_zone $binary_remote_addr zone=one:10m rate=20r/m;   # 20 requests per minute on average
    ...
}
The first parameter is the key that requests are grouped by (here, the client address). zone=one names the zone; later directives refer to it by this name. The 10m after the colon is the shared memory allocated to the zone; one megabyte holds about 16 thousand 64-byte states, so 10m is ample for per-IP keys. If the zone does fill up, nginx evicts the least recently used state, and if it still cannot store a new one the request fails. The last parameter is the rate; to limit per second rather than per minute, write for example 20r/s.
Finally, apply the limit in the location that hands PHP requests to the backend:
location ~ \.php$ {
    ...
    limit_req zone=one burst=5 nodelay;
    ...
}
This references the zone named one and allows a burst of 5 excess requests beyond the configured rate. Requests beyond the burst are rejected with 503 (limit_req_status changes that code). nodelay serves the burst requests immediately instead of spacing them out; without it nginx would delay them so that they still reach the backend at the configured rate, and users would see the page stall.
 
0x03 Connection limiting
Connection limiting uses ngx_http_limit_conn_module, which also has to be configured in two places. First, declare the shared-memory zone in the http block. If you set up the whitelist, key the zone on $limit:
http {
    ...
    limit_conn_zone $limit zone=addr:10m;
    ...
}
Without a whitelist, every client address is limited; key the zone on $binary_remote_addr instead:
http {
    ...
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    ...
}
The parameters mean the same as above; the only difference is that limit_conn_zone has no rate, because it counts concurrent connections rather than requests.
Then, in the server block, apply it to whichever location needs it, for example a download directory:
server {
    location /download/ {
        limit_conn addr 5;
    }
}
That's it: each client is now limited to 5 concurrent connections under /download/. When you are done, check the configuration with nginx -t and then reload with nginx -s reload.
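To see how the two zones from 0x02 and 0x03 actually decide, here is an added Python model (not code from the original article or from nginx) of the whitelist key, the limit_req leaky bucket and the limit_conn counter. The bucket arithmetic follows what ngx_http_limit_req_module does internally: excess and burst are kept in thousandths of a request, the rate in milli-requests per second, and a rejected request leaves the stored state untouched. The whitelist range is the 119.123.5.0/24 from the geo block above; the other client addresses and the event traces are constructed for the example.

```python
# Added example: a model of the nginx limit_req / limit_conn decisions
# configured in this article, runnable without nginx. Constructed traces.
import ipaddress

WHITELIST = [ipaddress.ip_network("119.123.5.0/24")]  # the geo block on the page


def limit_key(client_ip: str) -> str:
    """geo $limited + map $limited $limit: a whitelisted client gets an empty
    key, which both limit modules ignore; everyone else is keyed by address."""
    ip = ipaddress.ip_address(client_ip)
    return "" if any(ip in net for net in WHITELIST) else client_ip


def parse_rate(spec: str) -> int:
    """'20r/m' or '10r/s' -> milli-requests per second, as nginx stores it.
    20r/m becomes 333, so the effective interval is 3.003 s rather than 3 s."""
    count, unit = spec.split("r/")
    return int(count) * 1000 // {"s": 1, "m": 60}[unit]


class LimitReqZone:
    """limit_req_zone ... rate=R;  plus  limit_req zone=... burst=N [nodelay];"""

    def __init__(self, rate: str, burst: int = 0, nodelay: bool = False):
        self.rate = parse_rate(rate)
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.state: dict[str, tuple[int, int]] = {}  # key -> (excess, last_ms)

    def check(self, key: str, now_ms: int) -> tuple[str, int]:
        """Return ('pass'|'delay'|'reject', delay_ms); 'reject' is the 503."""
        if key == "":                      # empty key: not accounted at all
            return "pass", 0
        if key not in self.state:          # first request from this key
            self.state[key] = (0, now_ms)
            return "pass", 0
        excess, last = self.state[key]
        elapsed = max(now_ms - last, 0)
        # drain at the configured rate since the last request, then add this one
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:            # over burst: rejected, state unchanged
            return "reject", 0
        self.state[key] = (excess, now_ms)
        if excess and not self.nodelay:    # without nodelay the excess is paced
            return "delay", excess * 1000 // self.rate
        return "pass", 0


class LimitConnZone:
    """limit_conn_zone ...;  plus  limit_conn addr N;  counts requests in flight."""

    def __init__(self, limit: int):
        self.limit = limit
        self.active: dict[str, int] = {}

    def acquire(self, key: str) -> bool:
        if key == "":                      # whitelisted: never counted
            return True
        if self.active.get(key, 0) >= self.limit:
            return False                   # 503 (limit_conn_status)
        self.active[key] = self.active.get(key, 0) + 1
        return True

    def release(self, key: str) -> None:
        if key:
            self.active[key] -= 1


def simulate_req(rate, burst, nodelay, events):
    """events: [(ms, client_ip), ...] -> one (decision, delay_ms) per request."""
    zone = LimitReqZone(rate, burst, nodelay)
    return [zone.check(limit_key(ip), ms) for ms, ip in events]


def simulate_conn(limit, events):
    """events: [('open'|'close', client_ip), ...] -> accept/deny for each open.
    A 'close' must follow an accepted 'open' from the same address."""
    zone = LimitConnZone(limit)
    out = []
    for action, ip in events:
        key = limit_key(ip)
        if action == "open":
            out.append(zone.acquire(key))
        else:
            zone.release(key)
    return out


if __name__ == "__main__":
    attacker = [(0, "203.0.113.5")] * 7   # seven back-to-back hits on search.php
    print(simulate_req("20r/m", 5, True, attacker))   # first 6 pass, the 7th is a 503
```

Two things the article's wording hides fall out of the model: burst=5 admits the first request plus five excess ones, so the seventh back-to-back request is the first 503; and because 20r/m is stored as 333 milli-requests per second, a client that has used up its burst is still rejected exactly 3.000 s later and accepted at 3.1 s, while without nodelay the second request is held for about 3 s instead of being served at once.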
 
