Nginx on Laravel and rate-limiting policy to prevent malicious requests

First, the problem background

Recently the CPU usage of several of the company's production servers was frequently too high, which made some application responses time out and triggered a large number of SMS and email alerts. After checking the database and the access.log, we found that an API interface was being hammered with malicious requests, peaking at about 120 requests/s.

I did not have much experience in this area before, so handling it was not very smooth; this problem served as a wake-up call, and now that it has been exposed I am recording the solutions and strategies here.

The production deployment is: nginx + laravel.

First, we try to start at the nginx level, where handling costs less memory because blocked requests are no longer forwarded to the php-fpm process.

Second, characteristics of (malicious) requests

Like any good countermeasure, this one must first capture specific characteristics of the malicious requests, and then use those characteristics to control them effectively.

- Within a short time, one IP generates a large number of requests to a certain interface.
- The user_agent is abnormal or empty.
- The request volume is much higher than usual.
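As an added example (not part of the original post), the script below checks an access.log for the characteristics listed above and emits deny lines in the format of the IP blacklist described later on this page. The log lines are constructed samples in nginx's default combined format, and the threshold of 3 requests per second to one interface is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic) in nginx's default "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:00:01 +0800] "GET /api/user/info HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Mar/2020:10:00:01 +0800] "GET /api/user/info HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Mar/2020:10:00:01 +0800] "GET /api/user/info HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [10/Mar/2020:10:00:01 +0800] "GET /api/user/info HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Mar/2020:10:00:02 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Mar/2020:10:00:02 +0800] "GET /api/report HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.44 - - [10/Mar/2020:10:00:02 +0800] "GET /api/report HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')
# Empty ("-") or tool-like user-agents count as "abnormal" for this illustration.
SUSPICIOUS_UA = re.compile(r"^-?$|curl|wget|python-requests", re.IGNORECASE)

def parse(log_text):
    """Yield the fields of every line that matches the combined format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_abusers(log_text, per_second_threshold=3, path_prefix="/api/"):
    """Map IP -> sorted reasons for IPs showing the characteristics listed above:
    many requests to one interface within one second, or an abnormal/empty user-agent.
    The threshold of 3 requests per second is an assumed value, not from the page."""
    hits = Counter()              # (ip, path, second) -> request count
    reasons = defaultdict(set)
    for r in parse(log_text):
        if r["path"].startswith(path_prefix):
            hits[(r["ip"], r["path"], r["ts"])] += 1
        if SUSPICIOUS_UA.search(r["ua"]):
            reasons[r["ip"]].add("abnormal or empty user-agent: %r" % r["ua"])
    for (ip, path, ts), n in hits.items():
        if n >= per_second_threshold:
            reasons[ip].add("%d requests to %s at %s" % (n, path, ts))
    return {ip: sorted(v) for ip, v in reasons.items()}

def deny_lines(abusers):
    """Render the flagged IPs as entries for a blockip.conf-style deny list."""
    return ["deny %s;" % ip for ip in sorted(abusers)]

if __name__ == "__main__":
    found = find_abusers(SAMPLE_LOG)
    for ip, why in found.items():
        print(ip, "->", "; ".join(why))
    print("\n".join(deny_lines(found)))
```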

Third, rate-limiting policy (nginx)

Limit the number of requests

The first step is to control the request rate and the number of connections of a single IP within a time window, configured as follows:

http {
    limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;

    server {
        location /api/ {
            limit_req zone=one burst=5;
        }
    }
}

limit_req_zone mainly controls the request rate of a single IP, implementing the restriction with the leaky bucket algorithm. The zone size of limit_req_zone is mainly used to store the per-IP request statistics: 1 MB can store about 16,000 IPs, and when more than 16,000 IPs must be tracked in one second the remaining requests receive 503 Service Temporarily Unavailable.

With the template above, at most one request per second is allowed, and at most 5 requests can be delayed (queued).

If each interface response on our server takes 200ms-300ms, the per-second limit should be set to roughly 1000ms / interface response time.

Limit the number of concurrent connections

After restricting the request frequency of end users, if there are still many malicious requests, we can also limit the number of concurrent connections.

http {
    limit_conn_zone $binary_remote_addr zone=one:1m;

    server {
        location /api/ {
            limit_conn one 10;
        }
    }
}

limit_conn_zone is mainly used to control the number of concurrent connections, so that requests cannot come too fast.

The size of limit_conn_zone has the same meaning as for limit_req_zone and may need to be adjusted dynamically; in the case above, each client IP is limited to a maximum of 10 concurrent connections.

Set up an IP blacklist

When an IP requests too frequently, or an IP's access needs to be cut off entirely, its access can be disabled through the deny blacklist in the nginx configuration.

http {
    include blockip.conf;
}

Blacklist configuration (blockip.conf)

deny 195.91.112.66;
deny 192.168.2.100;

After being added to the blacklist, any further visit receives 403 Forbidden.

Limiting by UA (user-agent) information

http {
    server {
        if ($http_user_agent ~* "curl") {
            return 403;
        }
    }
}

The configuration above bans clients whose UA contains curl and directly returns 403.

To ban multiple UAs, separate them with |.

if ($http_user_agent ~* "curl|wget") {
    return 403;
}

Fourth, rate-limiting policy (laravel)

Our laravel project has a Throttle middleware that applies the policy at the application layer and can effectively suppress a user's malicious requests; it is configured as follows:

// Laravel's throttle parameters are comma-separated: 30 requests per 1 minute per client
Route::group(['middleware' => 'throttle:30,1'], function () {
    Route::any('/login', 'LoginController@login');
});

In the throttle configuration, the first parameter controls the number of requests and the second the time window in minutes; the configuration above allows each client IP at most 30 requests per minute to the login route.

When a client IP exceeds the limit, the server returns a 429 Too Many Attempts response.

Usage scenario
Recently, the load-balancing cluster configuration of the report query system was completed, with two session-management implementations based on Ehcache and Redis.

We all know that server resources are limited while client requests are unlimited (malicious attacks not excluded). To ensure that most requests get a normal response, some client requests have to be given up, so we use Nginx rate limiting; this can largely relieve the pressure on the server so that the other, normal requests get a normal response.

Nginx basic rate limiting, for example limiting a single IP to 50 accesses per second: with Nginx's limit modules we set a cap, and once the number of concurrent connections exceeds what we set, a 503 error is returned to the client. This is very effective in preventing CC attacks; coupled with an iptables firewall, a CC attack can basically be ignored.

How to use

conf configuration

The following can be configured uniformly in the http block.

Limit requests (zone keyed by IP plus URI)

limit_req_zone $binary_remote_addr$uri zone=api_read:20m rate=50r/s;

A connection zone keyed by IP

limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

A connection zone keyed by server

limit_conn_zone $server_name zone=perserver_conn:100m;
server {
    listen 80;
    server_name report.52itstyle.com;
    index login.jsp;
    location / {
        # queue up to 5 excess requests (burst); the default burst is 0
        limit_req zone=api_read burst=5;
        # limit each IP to 2 concurrent connections
        limit_conn perip_conn 2;
        # limit the whole server (i.e. the number of concurrent connections to the server)
        limit_conn perserver_conn 1000;
        # per-connection download speed
        limit_rate 100k;
        proxy_pass http://report;
    }
}
upstream report {
    fair;   # requires the third-party nginx-upstream-fair module
    server 172.16.1.120:8882 weight=1 max_fails=2 fail_timeout=30s;
    server 172.16.1.120:8881 weight=1 max_fails=2 fail_timeout=30s;
}
Configure the 503 error
By default, when the limit is exceeded, a 503 error is reported with the following message:

503 Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. Sorry for the inconvenience.
Please report this message and include the following information to us.
Thank you very much!
There is nothing wrong with this display, but it is not friendly enough, so here we customize the 503 error page.

error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root html;   # custom 50x error page
}


Configuration instructions
limit_conn_zone

Defines the container that stores the session state of each IP. This example defines a 100m container; at 32 bytes per session it can hold 3,200,000 sessions.

limit_rate 300k;

Note that limit_rate limits the speed of each connection, not of each IP. If an IP is allowed two concurrent connections, that IP's bandwidth limit is limit_rate × 2.

burst=5;

This is equivalent to placing five seats next to the checkpoint. If a request arrives faster than the rate limit, it is stopped and asked to sit in an empty seat and wait in line; when the checkpoint is free, it is let through. If all the seats are occupied, then sorry: the request is returned directly to the client with a "server is busy" response. So burst has nothing to do with the request rate: setting burst=10000 means 10000 requests can wait in the queue, while the checkpoint still releases only five requests per second (turtle speed). Requests also do not queue forever: nginx also sets a timeout, and a request that has waited longer than that is returned directly with the busy response.
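The checkpoint analogy above, as an added example that is not part of the original post: a Python model of the limit_req leaky bucket, simplified from the nginx algorithm (excess is tracked in requests rather than thousandths and millisecond rounding is ignored, which is an assumption of this model), run against the page's rate=1r/s burst=5 configuration with eight requests arriving at once.

```python
def limit_req(arrivals, rate, burst, nodelay=False):
    """Simplified model of nginx's limit_req leaky bucket (assumption: excess is
    tracked in whole requests as a float, without nginx's millisecond rounding).
    arrivals: request times in seconds for ONE key (e.g. one $binary_remote_addr).
    rate: allowed requests per second; burst: number of waiting "seats".
    Returns one (verdict, delay_seconds) per request, where the verdict is
    'pass' (served at once), 'delay' (queued) or 'reject' (503)."""
    excess = 0.0          # how far this client is above the allowed rate, in requests
    last = None           # arrival time of the last accepted request
    verdicts = []
    for t in arrivals:
        if last is None:
            candidate = 0.0                                   # first request of a new key
        else:
            # leak what the bucket drained since the last request, then add this one
            candidate = max(0.0, excess - rate * (t - last) + 1.0)
        if candidate > burst:
            verdicts.append(("reject", 0.0))                  # all seats taken: 503, state unchanged
            continue
        excess, last = candidate, t
        if excess > 0 and not nodelay:
            verdicts.append(("delay", excess / rate))         # wait until the bucket drains enough
        else:
            verdicts.append(("pass", 0.0))
    return verdicts

def summarize(verdicts):
    """Count how many requests passed, were delayed, or were rejected."""
    return {k: sum(1 for v, _ in verdicts if v == k) for k in ("pass", "delay", "reject")}

if __name__ == "__main__":
    # The page's config (rate=1r/s, burst=5) with eight requests arriving in the same instant:
    # 1 passes, 5 are delayed by 1..5 seconds, 2 get 503.
    for v, d in limit_req([0.0] * 8, rate=1, burst=5):
        print(v, "delay=%.1fs" % d)
    print(summarize(limit_req([0.0] * 8, rate=1, burst=5, nodelay=True)))
```

With nodelay the same six requests are served immediately instead of queued, and the two overflowing requests are still rejected.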

Nginx above configuration requires the following modules:
ngx_http_limit_conn_module (static)
ngx_http_limit_req_module (static)

Run nginx -V to check whether they are installed.

Summary
The purpose of rate limiting is to prevent malicious requests and malicious attacks, or to prevent traffic from exceeding the system's peak capacity.

There are many implementations; the Nginx limit modules are just one idea. For malicious traffic you can also restrict access at the cache layer, or block malicious IPs with nginx deny.


Source: www.cnblogs.com/djwhome/p/12543739.html