Nginx server limit IP


Limiting the number of requests from one IP within a time period

Limiting how many requests a single IP may make within a given period is a real headache, especially when facing malicious DDoS attacks. A CC attack (Challenge Collapsar) is one kind of DDoS (distributed denial of service) and a common way of attacking websites: the attacker sends a large volume of requests to the victim host through proxy servers or compromised machines ("broilers", i.e. bots), exhausting the server's resources until it crashes.

A CC attack usually uses a limited number of IPs that send requests to the server at high frequency. nginx can mitigate this by limiting the number of requests from one IP within a time period, configured through HttpLimitReqModul and HttpLimitZoneModule.

HttpLimitReqModul limits the number of requests per unit of time. The limit is configured with the limit_req_zone and limit_req directives; once a client exceeds the configured rate, nginx returns a 503 error.

HttpLimitConnModul limits the number of concurrent connections from a single IP, using the limit_zone and limit_conn directives.

The difference between the two modules: the former limits the number of requests within a period of time, the latter limits the number of connections open at the same time.

HttpLimitReqModul: limiting the number of requests from the same IP within a period of time

http{
  ...
  #Define a limit_req_zone named allips to store sessions, using 10M of memory,
  #keyed by $binary_remote_addr, limiting the average request rate to 20 per second.
  #1M can store about 16000 states; the value of rate must be an integer,
  #so to allow one request every two seconds, set it to 30r/m.
  limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
  ...
  server{
    ...
    location / {      #a location needs a path; / is used here as an example
      ...
      #Limit each ip to no more than 20 requests per second, with a leaky-bucket burst of 5.
      #burst means: if seconds 1, 2, 3 and 4 each carry 19 requests,
      #25 requests in the 5th second are still allowed.
      #But with 25 requests already in the 1st second, requests beyond 20 in the 2nd second return 503.
      #nodelay: without this option requests are strictly paced at the average rate,
      #so of 25 requests in the 1st second, 5 are deferred to the 2nd second;
      #with nodelay set, all 25 requests are served in the 1st second.
      limit_req zone=allips burst=5 nodelay;
      ...
    }
    ...
  }
  ...
}
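The burst and nodelay behaviour described in the comments above, modelled as a simplified leaky bucket. This is an added example, not code from the original post or from the nginx sources; the LimitReq and simulate names, the thousandths-of-a-request bookkeeping and the rule that a key's first request starts from an empty bucket are assumptions of this model.

```python
RATE_RPS = 20   # rate=20r/s, as in the page's limit_req_zone
BURST = 5       # burst=5, as in the page's limit_req directive


class LimitReq:
    """Leaky bucket for one client key; 'excess' is the bucket level in thousandths of a request."""

    def __init__(self, rate_rps=RATE_RPS, burst=BURST, nodelay=False):
        self.rate = rate_rps * 1000     # requests per second, scaled by 1000
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.excess = 0
        self.last = None                # arrival time (ms) of the last accepted request

    def request(self, now_ms):
        """Return ('ok', delay_ms) or ('503', 0) for a request arriving at now_ms."""
        if self.last is None:           # first request for this key (assumption): empty bucket
            self.last = now_ms
            return ("ok", 0)
        ms = max(now_ms - self.last, 0)
        # drain what the configured rate allows since the last accepted request, then add this one
        excess = self.excess - self.rate * ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:         # bucket would overflow: reject, state unchanged
            return ("503", 0)
        self.excess = excess
        if ms:
            self.last = now_ms
        # without nodelay the request is held until the bucket has drained back to the rate
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return ("ok", delay)


def simulate(per_second, nodelay=False):
    """per_second[i] requests spread evenly over second i; returns (accepted, rejected, max_delay_ms) per second."""
    bucket = LimitReq(nodelay=nodelay)
    results = []
    for sec, n in enumerate(per_second):
        accepted = rejected = max_delay = 0
        for i in range(n):
            status, delay = bucket.request(sec * 1000 + i * 1000 // n)
            if status == "ok":
                accepted += 1
                max_delay = max(max_delay, delay)
            else:
                rejected += 1
        results.append((accepted, rejected, max_delay))
    return results
```

Running simulate([19, 19, 19, 19, 25]) accepts every request, while simulate([25, 25]) accepts all 25 in the first second and only 20 in the second; with nodelay=True the same requests are rejected but none are delayed.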

HttpLimitZoneModule: an example of limiting concurrent connections

limit_zone can only be defined in the http context; limit_conn can be defined in the http, server and location contexts.

http{
  ...
  #Define a limit zone named one with 10M of memory to store sessions,
  #keyed by $binary_remote_addr.
  #Since nginx 1.1.8 limit_conn_zone replaces the older limit_zone,
  #and it can only be placed in the http context.
  limit_conn_zone $binary_remote_addr zone=one:10m;
  ...
  server{
    ...
    location / {      #a location needs a path; / is used here as an example
      ...
      limit_conn one 20;     #at most 20 concurrent connections per ip
      #bandwidth limit, applied per connection: an ip with two connections gets 500k x 2
      limit_rate 500k;
      ...
    }
    ...
  }
  ...
}
