A brief discussion on the configuration of Nginx to prevent traffic attacks

This article shares how to configure Nginx to limit traffic and blunt flooding attacks. It walks through the configuration in detail with sample configuration code, which should be a useful reference for anyone who needs it. Let's take a look together.

We all know that server resources are finite, while requests from clients are not (and malicious ones cannot be ruled out). To make sure most requests are still answered normally, some client requests have to be turned away, so we use Nginx's rate limiting. This takes a great deal of pressure off the server so that the remaining normal requests can be served.

How do we implement basic rate limiting with Nginx, for example limiting a single IP to 50 requests per second? With Nginx's limiting modules we can arrange that once the number of requests or concurrent connections exceeds our setting, the client receives a 503 error. This is very effective against CC (HTTP flood) attacks; combined with an iptables firewall, CC attacks can largely be ignored. Let's look at the details:

How to use

nginx.conf configuration


# All of the following is configured in the http context
# Request limiting: the key is the client address combined with the URI
# (one key with no space between the variables; a space would make nginx
# reject "$uri" as an invalid parameter)
limit_req_zone $binary_remote_addr$uri zone=api_read:20m rate=50r/s;
# A connection zone keyed by client IP
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
# A connection zone keyed by server name
limit_conn_zone $server_name zone=perserver_conn:100m;

server {
  listen  80;
  server_name report.52itstyle.com;
  index login.jsp;
  location / {
    # Requests over the rate are queued, up to burst; burst defaults to 0
    limit_req zone=api_read burst=5;
    # Connection limit: at most 2 concurrent connections per IP
    limit_conn perip_conn 2;
    # Connection limit for the whole server (caps this server's concurrent connections)
    limit_conn perserver_conn 1000;
    # Per-connection bandwidth limit
    limit_rate 100k;
    proxy_pass  http://report;
  }
}

upstream report {
  # "fair" comes from the third-party nginx-upstream-fair module, not stock nginx;
  # drop this line if that module is not compiled in
  fair;
  server 172.16.1.120:8882 weight=1 max_fails=2 fail_timeout=30s;
  server 172.16.1.120:8881 weight=1 max_fails=2 fail_timeout=30s;
}

Configuring the 503 error

By default, when a limit is exceeded, nginx returns a 503 error with this message:


503 Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. Sorry for the inconvenience.

Please report this message and include the following information to us.

Thank you very much!

There is nothing wrong with this page, but it is not very friendly, so here we customize the 503 error page.


error_page 500 502 503 504 /50x.html;

location = /50x.html {
  root html;  # custom 50x error page, served from the html directory
}
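Clients that are over the limits get the 503 page, and nginx also records each rejected or delayed request in its error log. The following is an added example, not part of the article, that summarises those entries per client so you can see who is being throttled and whether the limits are hitting a flood or legitimate users. The log lines are constructed samples in the format written by ngx_http_limit_req_module and ngx_http_limit_conn_module; the zone names match the configuration above, and the client addresses are documentation ranges.

```python
"""Summarise nginx limit_req / limit_conn events from the error log.

Added example, not from the article. Each rejected request is logged as
'limiting requests, excess: N.NNN by zone "..."', each rejected connection
as 'limiting connections by zone "..."', and each queued request (burst
without nodelay) as 'delaying request, excess: N.NNN, by zone "..."'.
"""
import re
from collections import defaultdict

# Constructed sample error-log lines (not real traffic); zone names match the article.
SAMPLE_ERROR_LOG = """\
2023/07/17 10:00:01 [error] 1234#1234: *51 limiting requests, excess: 5.320 by zone "api_read", client: 203.0.113.7, server: report.52itstyle.com, request: "GET /login.jsp HTTP/1.1", host: "report.52itstyle.com"
2023/07/17 10:00:01 [warn] 1234#1234: *52 delaying request, excess: 2.000, by zone "api_read", client: 198.51.100.9, server: report.52itstyle.com, request: "GET /login.jsp HTTP/1.1", host: "report.52itstyle.com"
2023/07/17 10:00:02 [error] 1234#1234: *53 limiting connections by zone "perip_conn", client: 203.0.113.7, server: report.52itstyle.com, request: "GET /report HTTP/1.1", host: "report.52itstyle.com"
2023/07/17 10:00:02 [error] 1234#1234: *54 limiting requests, excess: 6.010 by zone "api_read", client: 203.0.113.7, server: report.52itstyle.com, request: "GET /login.jsp HTTP/1.1", host: "report.52itstyle.com"
2023/07/17 10:00:03 [error] 1234#1234: *55 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: report.52itstyle.com, request: "GET /favicon.ico HTTP/1.1", host: "report.52itstyle.com"
"""

LIMIT_RE = re.compile(
    r'\[(?P<level>\w+)\] .*? '
    r'(?P<event>limiting requests|limiting connections|delaying request)'
    r'(?:, excess: (?P<excess>[\d.]+),?)? by zone "(?P<zone>[^"]+)"'
    r', client: (?P<client>[^,]+)'
)


def parse_limit_events(log_text):
    """Yield one dict per limit_req/limit_conn event; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["excess"] = float(ev["excess"]) if ev["excess"] else 0.0
            yield ev


def summarise_by_client(log_text):
    """Per-client counts of rejected requests, rejected connections and delays,
    plus the largest excess seen (how far over the rate that client was)."""
    summary = defaultdict(lambda: {"rejected_requests": 0, "rejected_connections": 0,
                                   "delayed": 0, "max_excess": 0.0})
    for ev in parse_limit_events(log_text):
        s = summary[ev["client"]]
        if ev["event"] == "limiting requests":
            s["rejected_requests"] += 1
        elif ev["event"] == "limiting connections":
            s["rejected_connections"] += 1
        else:
            s["delayed"] += 1
        s["max_excess"] = max(s["max_excess"], ev["excess"])
    return dict(summary)


def noisy_clients(log_text, min_rejections=2):
    """Clients rejected at least min_rejections times, worst offender first."""
    ranked = sorted(summarise_by_client(log_text).items(),
                    key=lambda kv: kv[1]["rejected_requests"] + kv[1]["rejected_connections"],
                    reverse=True)
    return [client for client, s in ranked
            if s["rejected_requests"] + s["rejected_connections"] >= min_rejections]


if __name__ == "__main__":
    for client, stats in summarise_by_client(SAMPLE_ERROR_LOG).items():
        print(client, stats)
    print("clients to look at:", noisy_clients(SAMPLE_ERROR_LOG))
```

Run it against the real file with `summarise_by_client(open("/var/log/nginx/error.log").read())`; a single client with many "limiting requests" lines and a large excess is the pattern of a flood, whereas many distinct clients each rejected once or twice usually means the rate or burst is set too low for normal use.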

Configuration instructions

limit_conn_zone

This defines a shared-memory zone that stores the connection state for each key, here one entry per IP. In the example a 100m zone is defined; at 32 bytes per session it can hold 3200000 sessions.

limit_rate 300k;

The bandwidth limit for each connection is 300k. Note that this limits the connection, not the IP: if an IP is allowed two concurrent connections, that IP can reach limit_rate×2.

burst=5;

This is equivalent to placing 5 seats next to the checkpoint that enforces the request rate. When a request is stopped for exceeding the rate, it is asked to take an empty seat and wait in line; when the checkpoint is free it is let through. If even the seats are full, the request is turned away immediately and the client gets a "server busy" response. So burst has nothing to do with the request rate: set it to 10000 and 10,000 requests can queue, but the checkpoint still only releases 5 requests per second (turtle speed). A request cannot queue forever either; nginx applies a timeout, and a request that has waited in the queue longer than that is returned directly with a "server busy" response.
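The queueing behaviour described above, as an added example that is not part of the article: a small Python model of the leaky-bucket accounting in nginx's limit_req module (after ngx_http_limit_req_lookup). nginx keeps, per key, the time of the last accepted request and an "excess" counter; each new request drains the excess by rate × elapsed, adds 1 for itself, is rejected if the result exceeds burst, and otherwise is held for excess ÷ rate seconds so the backend never sees more than the configured rate. The run at the bottom uses the article's rate=50r/s and burst=5 with eight simultaneous requests from one constructed client key; it also shows the nodelay option, which the article does not configure, and floating-point seconds stand in for nginx's millisecond integers.

```python
"""Model of nginx limit_req leaky-bucket accounting (added example, not from the article)."""
from dataclasses import dataclass


@dataclass
class Decision:
    key: str
    time: float
    status: str   # "pass" (forwarded now), "delay" (queued) or "reject" (503)
    excess: float  # how many requests ahead of the configured rate the key is
    delay: float   # seconds the request is held before being forwarded


def limit_req(events, rate, burst=0, nodelay=False):
    """events: iterable of (time_seconds, key). rate in requests/second.

    Mirrors nginx: excess is tracked per key in a shared zone, drained at
    `rate` per second, and only updated for requests that are accepted."""
    state = {}  # key -> (last_accepted_time, excess); the shared-memory zone
    decisions = []
    for now, key in events:
        if key not in state:
            # First request from this key: nginx creates a node with excess 0.
            state[key] = (now, 0.0)
            decisions.append(Decision(key, now, "pass", 0.0, 0.0))
            continue
        last, excess = state[key]
        elapsed = max(0.0, now - last)
        # Drain what the rate allows since the last accepted request, add this one.
        excess = max(0.0, excess - rate * elapsed + 1.0)
        if excess > burst:
            # No free "seat": rejected, and the node is left as it was.
            decisions.append(Decision(key, now, "reject", excess, 0.0))
            continue
        state[key] = (now, excess)
        # Without nodelay each queued request is held so that the backend
        # sees at most `rate` per second; with nodelay the burst is forwarded at once.
        delay = 0.0 if nodelay else excess / rate
        status = "delay" if delay > 0 else "pass"
        decisions.append(Decision(key, now, status, excess, delay))
    return decisions


def demo():
    """Eight simultaneous requests from one constructed key, then one half a second later."""
    key = "203.0.113.7 /login.jsp"  # constructed; stands in for $binary_remote_addr$uri
    events = [(0.0, key)] * 8 + [(0.5, key)]
    return limit_req(events, rate=50, burst=5)


if __name__ == "__main__":
    for d in demo():
        print(f"t={d.time:.2f} {d.status:6} excess={d.excess:.1f} delay={d.delay * 1000:.0f}ms")
    print("nodelay:", [d.status for d in limit_req([(0.0, "k")] * 8, rate=50, burst=5, nodelay=True)])
```

With burst=5 the first request passes at once, the next five take the seats and are released 20 ms apart (1/50 s each), the seventh and eighth find every seat taken and get 503, and half a second later the bucket has drained so the next request passes immediately. With the default burst=0 any second request inside the same 20 ms window is rejected outright.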

The configuration above requires Nginx to be built with the following modules:

ngx_http_limit_conn_module (static)

ngx_http_limit_req_module (static)

Run nginx -V to check whether they are present.

Summary

That is all for this article. I hope its content is of some help to everyone in their study or work.

Source: Weidian Yuedu   https://www.weidianyuedu.com


Origin blog.csdn.net/weixin_45707610/article/details/131764124