让 nginx 抵御洪水攻击

让 nginx 抵御洪水攻击

我怎样才能让它更好地抵御攻击?有相关的插件吗?

我在寻找一种能够限制速率、同时又能保持服务正常运行而不被拖慢的方法。

我的设置:

# Main nginx configuration for a reverse-proxy front end; the per-site
# server blocks are pulled in from /etc/nginx/vhosts/* at the end of http {}.
user  nobody;
# no need for more workers in the proxy mode
worker_processes 4;
# pin each of the 4 workers to its own CPU and raise their scheduling priority
worker_cpu_affinity 0001 0010 0100 1000;
worker_priority -2;
error_log  /var/log/nginx/error.log info;
# per-worker open-file limit; 4 workers x 5120 connections = 20480 client
# connections, and every proxied request also holds an upstream socket
worker_rlimit_nofile 40480;
events {
 worker_connections 5120; # increase for busier servers
 use epoll; # you should use epoll here for Linux kernels 2.6.x
}
http {
 server_name_in_redirect off;
 server_names_hash_max_size 10240;
 server_names_hash_bucket_size 1024;
 include    mime.types;
 default_type  application/octet-stream;
 # hide the nginx version in the Server header and on error pages
 server_tokens off;
 # do not follow symlinks whose owner differs from the owner of the target
 disable_symlinks if_not_owner;
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
 # short keep-alive: an idle connection is released after 5s, which limits how
 # long an idle client can hold one of the worker_connections slots
 keepalive_timeout  5;
 gzip on;
 gzip_vary on;
 gzip_disable "MSIE [1-6]\.";
 gzip_proxied any;
 gzip_http_version 1.1;
 gzip_min_length  1000;
 # level 9 is the most CPU-expensive setting; under a request flood every
 # compressible response costs the maximum amount of CPU time
 gzip_comp_level  9;
 gzip_buffers  16 8k;
# You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU
 gzip_types    text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml;
 ignore_invalid_headers on;
 # NOTE(review): 3 minutes is a long time to wait for a client to finish
 # sending headers or a body; a slow or half-open connection occupies a
 # connection slot for that whole period, which works against flood resistance
 client_header_timeout  3m;
 client_body_timeout 3m;
 send_timeout     3m;
 # free the socket with RST instead of leaving timed-out connections lingering
 reset_timedout_connection on;
 connection_pool_size  256;
 # NOTE(review): 256k header buffers (plus up to 4 large ones per connection)
 # let a single connection tie up over 1 MB for request headers alone;
 # multiplied by thousands of flood connections this is a major memory cost
 client_header_buffer_size 256k;
 large_client_header_buffers 4 256k;
 client_max_body_size 200M;
 client_body_buffer_size 128k;
 request_pool_size  32k;
 output_buffers   4 32k;
 postpone_output  1460;
 # NOTE(review): proxy temp files live under the shared /tmp; confirm the
 # directory exists with permissions restricted to the nginx user
 proxy_temp_path  /tmp/nginx_proxy/;
 # every request body is always written to a temp file on disk; together with
 # the 200M body limit this turns a flood of large POSTs into disk I/O
 client_body_in_file_only on;
 # minimal access-log format (timestamp and bytes sent), used by the vhosts
 log_format bytes_log "$msec $bytes_sent .";
 include "/etc/nginx/vhosts/*";
}

虚拟主机文件:

# Virtual host for ipxnow.in: serves static files from disk when they exist
# and proxies everything else to the backend on port 8081 (presumably Apache,
# judging by the /usr/local/apache/domlogs log paths).
server {
          error_log /var/log/nginx/vhost-error_log warn;
          # NOTE(review): the backend listens on the same public IP on port 8081;
          # unless that port is filtered, clients can reach the backend directly
          # and bypass any limiting done in nginx
          listen 194.145.208.19:80;
          server_name ipxnow.in www.ipxnow.in;
          access_log /usr/local/apache/domlogs/ipxnow.in-bytes_log bytes_log;
          access_log /usr/local/apache/domlogs/ipxnow.in combined;
          root /home/ipxnowin/public_html;
          location / {
          # static assets: serve from root when the file exists, otherwise
          # fall through to the backend; cache for 7 days
          location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
          expires 7d;
          try_files $uri @backend;
          }
          # when nginx itself answers a static-file request with 405 (e.g. a
          # POST to a static file), hand the request to the backend instead
          error_page 405 = @backend;
          # fixed header: no proxy_cache is configured in the shown files, so
          # this does not reflect an actual cache hit
          add_header X-Cache "HIT from Backend";
          proxy_pass http://194.145.208.19:8081;
          include proxy.inc;
          }
          # named location used by try_files and error_page above
          location @backend {
          internal;
          proxy_pass http://194.145.208.19:8081;
          include proxy.inc;
          }
          # dynamic content goes to the backend; note the trailing "?" makes the
          # extension group optional, so URIs ending in a bare "." match as well
          location ~ .*\.(php|jsp|cgi|pl|py)?$ {
          proxy_pass http://194.145.208.19:8081;
          include proxy.inc;
          }
          # never serve Apache .htaccess/.htpasswd files; other dotfiles are
          # not covered here and fall through to the backend
          location ~ /\.ht {
          deny all;
          }
        }

和 proxy.inc:

# Shared upstream settings included by every proxy_pass location in the vhost.
# Bare numbers are seconds.
proxy_connect_timeout 59s;
# NOTE(review): 600s send/read timeouts keep a client connection (and its
# buffers) open for up to 10 minutes while the backend is slow to answer
proxy_send_timeout   600;
proxy_read_timeout   600;
proxy_buffer_size    64k;
proxy_buffers     16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
# Set-Cookie is not among the headers nginx hides by default, so this line
# appears to be a no-op
proxy_pass_header Set-Cookie;
# backend Location/Refresh headers are passed through unrewritten
proxy_redirect     off;
proxy_hide_header  Vary;
# ask the backend for uncompressed responses so that nginx's own gzip
# (enabled in the main config) does the compression
proxy_set_header   Accept-Encoding '';
# only affects proxy caching, which is not configured in the shown files
proxy_ignore_headers Cache-Control Expires;
proxy_set_header   Referer $http_referer;
proxy_set_header   Host   $host;
proxy_set_header   Cookie $http_cookie;
# expose the real client address to the backend; the backend should trust
# these headers only when they arrive from this proxy
proxy_set_header   X-Real-IP  $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

答案1

nginx中有两个限制模块:

limit_rate 指令

答案2

为什么不试试 iptables 呢?以下命令可以限制传入的 HTTP 连接数:

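# Rate-limit inbound packets to TCP/80 with the iptables "limit" match: accept
# an initial burst of 100, then at most 25 per minute.
# (The rule's keywords were machine-translated in the original text; this is the
# literal form iptables expects.)
# NOTE(review): as written the rule only ACCEPTs matched packets; it has no
# limiting effect unless a later rule (or the INPUT chain's default policy)
# drops the port-80 traffic that exceeds the limit. The match also counts every
# packet to port 80, not only new connections, so established transfers consume
# the same budget.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT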
