How to prevent DDoS attacks in nginx
Defending against DDOS is a systematic project. There are many types of attacks, the cost of defense is high and there are many bottlenecks. Defense is passive and helpless. The characteristic of DDOS is that it is distributed and targets bandwidth and service attacks, that is, Layer 4 traffic attacks and Layer 7 application attacks. The corresponding defense bottleneck at Layer 4 is bandwidth, and at Layer 7 is the throughput of the architecture. For layer seven application attacks, we can still make some configurations to defend against them.
For example The front end is Nginx, which mainly uses nginx’s http_limit_conn and http_limit_req modules for defense. ngx_http_limit_conn_module can limit the number of connections of a single IP, and ngx_http_limit_req_module can limit the number of requests per second of a single IP. By limiting the number of connections and requests, CC attacks can be relatively effectively defended.
The following is the configuration method:
Limit the number of requests per second
ngx_http_limit_req_module module limits the unit time through the leaky bucket principle Once the number of requests per unit time exceeds the limit, a 503 error will be returned. Configuration needs to be set in two places:
Define trigger conditions in the http section of nginx.conf. There can be multiple conditions
Define the actions to be performed by nginx when the trigger conditions are met in location
For example:
http {
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; //触发条件,所有访问ip 限制每秒10个请求 ...
server { ...
location ~ \.php$ {
limit_req zone=one burst=5 nodelay; //执行的动作,通过zone名字对应
}
}
}Parameter description:
$binary_remote_addr 二进制远程地址 zone=one:10m 定义zone名字叫one,并为这个zone分配10M内存,用来存储会话(二进制远程地址),1m内存可以保存16000会话 rate=10r/s; 限制频率为每秒10个请求 burst=5 允许超过频率限制的请求数不多于5个,假设1、2、3、4秒请求为每秒9个,那么第5秒内请求15个是允许的,反之,如果第一秒内请求15个,会将5个请求放到第二秒,第二秒内超过10的请求直接503,类似多秒内平均速率限制。 nodelay 超过的请求不被延迟处理,设置后15个请求在1秒内处理。
Limit the number of IP connections
The configuration method and parameters of ngx_http_limit_conn_module are the same as The http_limit_req module is very similar, with fewer parameters and much simpler
http {
limit_conn_zone $binary_remote_addr zone=addr:10m; //触发条件 ...
server { ...
location /download/ {
limit_conn addr 1; // 限制同一时间内1个连接,超出的连接返回503
}
}
}For more Nginx related technical articles, please visit the Nginx Usage Tutorial column to learn!
The above is the detailed content of How to prevent DDoS attacks in nginx. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
How to allow external network access to tomcat server
Apr 21, 2024 am 07:22 AM
To allow the Tomcat server to access the external network, you need to: modify the Tomcat configuration file to allow external connections. Add a firewall rule to allow access to the Tomcat server port. Create a DNS record pointing the domain name to the Tomcat server public IP. Optional: Use a reverse proxy to improve security and performance. Optional: Set up HTTPS for increased security.
How to run thinkphp
Apr 09, 2024 pm 05:39 PM
Steps to run ThinkPHP Framework locally: Download and unzip ThinkPHP Framework to a local directory. Create a virtual host (optional) pointing to the ThinkPHP root directory. Configure database connection parameters. Start the web server. Initialize the ThinkPHP application. Access the ThinkPHP application URL and run it.
Welcome to nginx!How to solve it?
Apr 17, 2024 am 05:12 AM
To solve the "Welcome to nginx!" error, you need to check the virtual host configuration, enable the virtual host, reload Nginx, if the virtual host configuration file cannot be found, create a default page and reload Nginx, then the error message will disappear and the website will be normal show.
How to generate URL from html file
Apr 21, 2024 pm 12:57 PM
Converting an HTML file to a URL requires a web server, which involves the following steps: Obtain a web server. Set up a web server. Upload HTML file. Create a domain name. Route the request.
How to deploy nodejs project to server
Apr 21, 2024 am 04:40 AM
Server deployment steps for a Node.js project: Prepare the deployment environment: obtain server access, install Node.js, set up a Git repository. Build the application: Use npm run build to generate deployable code and dependencies. Upload code to the server: via Git or File Transfer Protocol. Install dependencies: SSH into the server and use npm install to install application dependencies. Start the application: Use a command such as node index.js to start the application, or use a process manager such as pm2. Configure a reverse proxy (optional): Use a reverse proxy such as Nginx or Apache to route traffic to your application
What are the most common instructions in a dockerfile
Apr 07, 2024 pm 07:21 PM
The most commonly used instructions in Dockerfile are: FROM: Create a new image or derive a new image RUN: Execute commands (install software, configure the system) COPY: Copy local files to the image ADD: Similar to COPY, it can automatically decompress tar archives or obtain URL files CMD: Specify the command when the container starts EXPOSE: Declare the container listening port (but not public) ENV: Set the environment variable VOLUME: Mount the host directory or anonymous volume WORKDIR: Set the working directory in the container ENTRYPOINT: Specify what to execute when the container starts Executable file (similar to CMD, but cannot be overwritten)
Can nodejs be accessed from the outside?
Apr 21, 2024 am 04:43 AM
Yes, Node.js can be accessed from the outside. You can use the following methods: Use Cloud Functions to deploy the function and make it publicly accessible. Use the Express framework to create routes and define endpoints. Use Nginx to reverse proxy requests to Node.js applications. Use Docker containers to run Node.js applications and expose them through port mapping.
How to deploy and maintain a website using PHP
May 03, 2024 am 08:54 AM
To successfully deploy and maintain a PHP website, you need to perform the following steps: Select a web server (such as Apache or Nginx) Install PHP Create a database and connect PHP Upload code to the server Set up domain name and DNS Monitoring website maintenance steps include updating PHP and web servers, and backing up the website , monitor error logs and update content.
