http{
...
limit_req_zone $cookie_token zone=session_limit:3m rate=1r/s;
limit_req_zone $binary_remote_addr $uri zone=auth_limit:3m rate=1r/m;
}
location /{
limit_req zone=session_limit burst=5;
rewrite_by_lua '
local random = ngx.var.cookie_random
if (random == nil) then
return ngx.redirect("/auth?url=" .. ngx.var.request_uri)
end
local token = ngx.md5("opencdn" .. ngx.var.remote_addr .. random)
if (ngx.var.cookie_token ~= token) then
return ngx.redirect("/auth?url=".. ngx.var.request_uri)
end
';
}
location /auth {
limit_req zone=auth_limit burst=1;
if ($arg_url = "") {
return403;
}
access_by_lua '
local random = math.random(9999)
local token = ngx.md5("opencdn" .. ngx.var.remote_addr .. random)
if (ngx.var.cookie_token ~= token) then
ngx.header["Set-Cookie"] = {"token=" .. token, "random=" .. random}
return ngx.redirect(ngx.var.arg_url)
end
';
}The limit_req_zone $binary_remote_addr $uri zone=auth_limit:3m rate=1r/m; in the code is correct. Are you sure you want to add $uri? (Update limit_req_zone supports multiple variables, so $binary_remote_addr $uri is correct)
If I want to apply it to my nginx, what else should I do besides this code?
Attached is the original post address, I don’t know if it is the original post: http://www.92csz.com/30/1255....
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
This idea is very rough and unreasonable. In principle, it is similar to denying access without entering the account password.
But is this realistic?
For a new user, how is it possible to know his account password. Unless it is pre-allocated, but how can pre-allocation avoid being allocated to an attacker?
The problem is back to its original point.
So this thing is of no use, and it only prevents it to a certain extent
CC,但不能防止DDOS.Why do you say it’s only to a certain extent? Because this cookie must always be given to the user, CC attacks can also get it.
If you really want to try it, you need to install it
nginx_lua模块,或者使用openresty.