Use nginx to defend against abusive requests
ngx_http_limit_req_module
This module limits the request rate (requests per second). Which condition, the key, the limit is applied to is up to us.
Official module documentation: ngx_http_limit_req_module
Chinese translation of the nginx request-rate-limiting module: ngx_http_limit_req_module
The document is very detailed; here is a rough summary:

```nginx
limit_req_zone $variable zone=name:size rate=rate;
```

This directive uses $variable as the key (the condition), declares a shared-memory zone called name that holds size of per-key state (the nginx docs say one megabyte holds about 16 thousand 64-byte states, so 10m is plenty for per-IP keys), and sets the allowed rate to rate (for example 1r/s or 10r/m).
You can declare several zones with different keys, names, and sizes.
This definition must be written in the http configuration section.
In the matching location, write limit_req zone=name [burst=number] [nodelay];. burst is the number of excess requests nginx will queue: when requests arrive faster than rate but the excess is not more than burst, nginx delays the extra requests so that they are passed on at the configured rate. Once the excess goes beyond burst, the extra requests are rejected with an error, 503 by default (configurable with limit_req_status). nodelay controls whether the queued requests are actually delayed: with nodelay, requests within the burst are served immediately while still counting against the limit, so only requests beyond the burst are rejected.
Most examples on the Internet use $binary_remote_addr as the key. In fact we can define our own key according to our needs. Here are some examples.
ngx_http_limit_conn_module
This module limits the number of simultaneous connections per key, typically per client IP address.
Official module documentation: ngx_http_limit_conn_module
Chinese translation of the nginx connection-limiting module: ngx_http_limit_conn_module
Please refer to the document; I have not used this module in actual practice.
Practical stage
Now on to the practical part.
First, our initial configuration file (abbreviated):

```nginx
http {
    server {
        listen 8080 default_server;
        server_name localhost:8080;
        location ~ .* {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```
We need to limit the interfaces that abusive users hit frequently.
First version: one request per second, with a burst of 5

```nginx
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen 8080 default_server;
        server_name localhost:8080;
        location ~ .* {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location ^~ /Interface {
            limit_req zone=one burst=5 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

proxy_pass http://127.0.0.1:8080; is added in the new location. The ^~ prefix match stops nginx from evaluating the regex locations once it matches, so requests under /Interface never reach the catch-all location ~ .* and its proxy_pass; without a proxy_pass here, nginx would match the location but have no backend to forward to.
However, this raises a problem. Currently we use the client IP address as the key, but an Internet cafe or a company egress may put many users behind one or a few IP addresses (and if nginx itself sits behind a load balancer, $binary_remote_addr is the balancer's address, not the client's). Limiting by IP would then throttle normal users too, which is not worth it. We can identify a single user another way: when a legitimate client first comes in, the server issues it a 'Token'. Only the server knows how the token is generated, and the client carries it in a request header on every subsequent request. An invalid request will usually lack this value, and even if it carries one, we can use the token as the key for the limit. This is more reasonable.
Version 2

```nginx
http {
    limit_req_zone $http_token zone=two:10m rate=1r/s;
    server {
        listen 8080 default_server;
        server_name localhost:8080;
        location ~ .* {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location ^~ /Interface {
            if ($http_token = "") {
                return 403;
            }
            limit_req zone=two burst=5 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

In nginx, $http_<name> is the value of the corresponding request header (the header name lowercased, with dashes turned into underscores), so $http_token is the Token header. The `if ($http_token = "")` check is not just cosmetic: nginx does not account requests whose key is empty, so without it a request that simply omits the Token header would bypass the limit altogether. Note also that nginx only uses the header value as a key and does not verify the token; the backend still has to reject forged tokens, and a client that sends a different value on every request gets a fresh bucket each time. A location may carry several limit_req directives, so keeping the IP-keyed zone alongside the token-keyed one closes that gap.
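To make the burst/nodelay semantics from the module summary above and the key choice of Version 2 concrete, here is a small simulator of the accounting nginx's limit_req performs. It is an added example, not code from the original article or from nginx; it mirrors the integer arithmetic of ngx_http_limit_req_module (rate and burst kept in thousandths of a request, time in milliseconds), and the request traces, IP address and token values in it are constructed for illustration.

```python
"""Simulator for nginx's limit_req accounting (added example, not nginx code).

Mirrors the integer arithmetic in ngx_http_limit_req_module: rate and burst
are kept in thousandths of a request, timestamps in milliseconds.  The
request traces below are constructed, not captured from a real server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LimitReqZone:
    """One limit_req_zone plus the limit_req parameters applied to it:
    `rate` in requests/second, `burst` and `nodelay` as in the configs above."""
    rate: int
    burst: int
    nodelay: bool = False
    # per-key state: (excess in thousandths of a request, last timestamp ms)
    _state: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def request(self, key: str, now_ms: int) -> Tuple[str, int]:
        """Account one request.  Returns (verdict, delay_ms): 'pass' is served
        now, 'delay' is queued for delay_ms, 'reject' gets limit_req_status
        (503 by default)."""
        # nginx: requests with an empty key value are not accounted at all,
        # which is why Version 2 returns 403 on an empty $http_token.
        if key == "":
            return ("pass", 0)
        rate_milli = self.rate * 1000       # ctx->rate in nginx
        burst_milli = self.burst * 1000     # limit->burst in nginx
        if key not in self._state:
            # The first request for a key creates its entry with excess 0.
            self._state[key] = (0, now_ms)
            return ("pass", 0)
        excess, last = self._state[key]
        ms = now_ms - last
        # Leak what the elapsed time allows, then add this request.
        excess = excess - rate_milli * ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > burst_milli:
            # Beyond the burst: rejected, and the stored state is not updated.
            return ("reject", 0)
        self._state[key] = (excess, now_ms)
        if excess == 0 or self.nodelay:
            return ("pass", 0)
        # Without nodelay each excess request waits long enough for the
        # bucket to drain back to the configured rate.
        return ("delay", excess * 1000 // rate_milli)


def run_trace(zone: LimitReqZone, trace: List[Tuple[int, str]]) -> List[Tuple[str, int]]:
    """Feed (timestamp_ms, key) pairs through the zone and collect verdicts."""
    return [zone.request(key, t) for t, key in trace]


# Constructed trace: seven back-to-back requests from one client at t=0,
# then one more request from the same client seven seconds later.
BURST_TRACE = [(0, "10.0.0.1")] * 7 + [(7000, "10.0.0.1")]


def first_version() -> List[Tuple[str, int]]:
    """rate=1r/s burst=5 nodelay, as in the first config above."""
    return run_trace(LimitReqZone(rate=1, burst=5, nodelay=True), BURST_TRACE)


def without_nodelay() -> List[Tuple[str, int]]:
    """Same zone without nodelay: the burst is served, but with growing delays."""
    return run_trace(LimitReqZone(rate=1, burst=5, nodelay=False), BURST_TRACE)


def token_key_rotation() -> List[Tuple[str, int]]:
    """Version 2 keys on $http_token.  A client that sends a fresh, unverified
    value on every request gets a fresh bucket each time, and a request with
    no token is not accounted at all (hence the 403 check in the config)."""
    trace = [(0, "tok-%d" % i) for i in range(20)] + [(0, "")]
    return run_trace(LimitReqZone(rate=1, burst=5, nodelay=True), trace)


if __name__ == "__main__":
    print("nodelay:     ", first_version())
    print("no nodelay:  ", without_nodelay())
    print("token rotate:", token_key_rotation())
```

With rate=1r/s and burst=5, seven simultaneous requests give one pass plus five within the burst, then a 503 for the seventh; without nodelay the five burst requests are delayed by 1 to 5 seconds instead of being served at once. The token-rotation trace shows why the header value alone is not a trustworthy key: twenty distinct made-up tokens, and one missing token, all sail through.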
A warning up front: I left a hole in this configuration. If you configure it like I first did, you get the exception nginx: [emerg] unknown directive "if($http_token". Strange, isn't it? It took me a long time to solve this exception, because there must be a space between if and (. Yes, it took me several hours to fix this one space; I hope you will not repeat the same mistake.
Article on how to solve this problem: Nginx unknown directive "if ($domain"
With this configuration the limiting works. For me, this small bit of nginx research was well worth it.