How to configure Nginx server to prevent Flood attacks

Test

I will briefly tell you how to configure nginx's restricted request module and how it protects your website from being attacked by DDoS or other http-based Denial of service attack.

In this test, I saved the sample page in blitz.io (now a free service) and named it about.html to test the limit_req directive.

First, I saved it on blitz Use the following command to initiate 1075 concurrent requests and last for one minute. The response timeout is set to 2 minutes, the region is California, and all other states except status 200 are set to abnormal status. Even 503 is considered It was unsuccessful.

-p 1-1075:60 --status 200 -t 2000 -r california http://kbeezie.com/about.html

## Not bad, right? But if this is a php document. It is very likely that some users will cause the 502/504 status of the php process, making the server crash or become unresponsive. Especially if you use Any protected vps or other cheap server will have a higher failure rate. (Original advertisement, blocked here)

Of course you can use caching or other tools to improve server performance and responsiveness. For example, if you use wordpress, you must use the wordpress caching plugin. da for those type of people we can use the limit request module.

In nginx we create a region http { }, I call it blitz to set 5 requests per second, and the maximum amount of data can be accommodated is 10mb. I use $binary_remote_addr as the session variable Allow yourself to access more than 10mb of space than normal visitors to $remote_addr.

Copy the code The code is as follows:

limit_req_zone $binary_remote_addr zone=blitz:10m rate=5r/s;

Ran Zhou defines these rules in the server:

Copy the code The code is as follows:

location = /about.html {

limit_req zone=blitz nodelay;
}

Then reload the nginx configuration and see the effect:

You will find that only 285 people can access the server now , the number of requests per second is 4.75, which does not exceed the 5 times per second we set. Check the log and you will find that the requests that are not accessed are http 503, and the requests that are accessed are all http 200.

Use like this The setting is helpful if you want to restrict access to a region, it can also be applied to all php requests.

php Apply Request Limits

If you want to restrict all For PHP application limits, you can do this:

Copy code The code is as follows:

location ~ \.php {

limit_req zone=flood;
include php_params.conf;
fastcgi_pass unix:/tmp/php5-fpm.sock;
}

It can help you play with settings such as acceleration or deceleration to cope with sudden or no-delay requirements. Configuration item details , click here: httplimitreqmodule.

Note:

You may notice that the above chart tested 1075 user requests, which is misleading because all access requests come from the same server located in California. ip(50.18.0.223).

It is difficult for me to implement a real high-traffic network or ddos ​​(distributed denial of service attack). This is why the number of users we successfully access is not the same as ip Very large. Server load will also affect the number of visits or regions of test users. With the free version, the maximum number of concurrent users you can access is 50. Of course, you can spend $49 per day to allow 1,000 users to visit your website.

If you have enough memory and bandwidth, it is very easy to test with a single IP address. With this tool, you can achieve: high concurrency, ab, openload, etc. It is just in the terminal interface, without UI That’s it.

Of course you have to test it yourself, remember to use the status flag, because blitz will respond to the access request after about 5 seconds.

Better alternative

Without going into more details here, if you are serious about preventing DDoS or multi-service attacks from attacking your server, there are other great software tools like iptables (linux), pf (packet filter for bsd), or if your server provides hardware, you can use your hardware firewall. The above restriction module will only prevent flood attacks through http requests. It will not prevent ping packet flood attacks or other vulnerabilities. For these In this case, you can close unnecessary services and unnecessary ports to prevent others from breaking through.

For example, the only ports my server exposes to the external network are http/https and ssh. Among services such as mysql Bind local connections. You can also set some common services to ports that are not commonly used so that they will not be sniffed (iptables/pf will help in this situation).

The above is the detailed content of How to configure Nginx server to prevent Flood attacks. For more information, please follow other related articles on the PHP Chinese website!