How to prevent DDoS attacks after nginx reverse proxy

Defending against DDOS is a systematic project. There are many types of attacks, the cost of defense is high and there are many bottlenecks. Defense is passive and helpless. The characteristic of DDOS is that it is distributed and targets bandwidth and service attacks, that is, Layer 4 traffic attacks and Layer 7 application attacks. The corresponding defense bottleneck at Layer 4 is bandwidth, and at Layer 7 is the throughput of the architecture.

1. Limit the number of requests per second

ngx_http_limit_req_module module uses the leaky bucket principle to limit the number of requests per unit time. Once If the number of requests per unit time exceeds the limit, a 503 error will be returned.

Configuration needs to be set in two places:

Define trigger conditions in the http section of nginx.conf, there can be multiple conditions

Define the action to be performed by nginx when the trigger condition is reached in the location

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; //触发条件，所有访问ip 限制每秒10个请求    ...
    server {        ...
        location  ~ \.php$ {
            limit_req zone=one burst=5 nodelay;   //执行的动作,通过zone名字对应
               }
           }
     }

Parameter description:

$binary_remote_addr Binary remote address

zone=one :10m Define the zone name as one, and allocate 10M memory to this zone to store sessions (binary remote address). 1m memory can save 16,000 sessions

rate=10r/s; Limit the frequency to 10 per second Requests

burst=5 The number of requests that exceed the frequency limit is allowed to be no more than 5. Assume that the number of requests in 1, 2, 3, and 4 seconds is 9 per second, then 15 requests in the 5th second are allowed. On the contrary, if there are 15 requests in the first second, 5 requests will be placed in the second second. Requests exceeding 10 in the second second will be directly 503, similar to the average rate limit in multiple seconds.

nodelay Requests exceeding the limit will not be delayed. After setting, 15 requests will be processed within 1 second.

2. Limit the number of IP connections

The configuration method and parameters of ngx_http_limit_conn_module are very similar to the http_limit_req module, with fewer parameters and much simpler

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m; //触发条件    ...
    server {        ...
        location /download/ {
            limit_conn addr 1;    // 限制同一时间内1个连接，超出的连接返回503
                }
           }
     }

3. Whitelist settings

http_limit_conn and http_limit_req modules limit the number of concurrency and requests per unit time of a single IP, but if there is a load balancing or reverse proxy such as lvs or haproxy in front of Nginx , all nginx obtains are connections or requests from load balancing. At this time, load balancing connections and requests should not be restricted. You need to set a whitelist for the geo and map modules:

geo $whiteiplist  {
        default 1;
        10.11.15.161 0;
    }
map $whiteiplist  $limit {
        1 $binary_remote_addr;
        0 "";
    }
limit_req_zone $limit zone=one:10m rate=10r/s;
limit_conn_zone $limit zone=addr:10m;

More Nginx related technical articles, Please visit the Nginx usage tutorial column to learn!

The above is the detailed content of How to prevent DDoS attacks after nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!