Nginx HTTP security configuration against slow attacks

Outline

 

A slow attack is a variant of a DDoS attack. In general the attacker sends the server requests that look normal, but the request header or body is extremely long or is transmitted extremely slowly, so that each connection stays occupied for a very long time. The attacker keeps sending such requests over a short period, the server soon runs out of resources, and legitimate clients are denied service.

 

For HTTP services there are three basic forms of this attack:

Slow headers: a web server has to receive the complete HTTP header before it processes the request. Until it sees two consecutive \r\n it assumes the client has not finished sending the header, so it keeps waiting for the client to send more data, consuming server connections and memory.

Slow body: the attacker sends an HTTP POST request whose Content-Length header value is very large, so the web server or proxy believes the client is about to send a lot of data. The server keeps the connection open, ready to receive, but the attacking client sends only a tiny amount of data each time, so the connection is kept alive and consumes server connections and memory.

Slow read: the client establishes a connection and sends a complete HTTP request, then keeps the connection open while reading the response extremely slowly. For long periods the client reads no data at all; by advertising a zero TCP window it makes the server believe the client is busy, and it reads a single byte just before the connection would time out. This likewise consumes server connections and memory.

 
 

Nginx configuration optimization

 
  • keepalive_timeout

    Nginx uses keepalive_timeout to specify the KeepAlive timeout, i.e. how long each TCP connection may be kept open. The Nginx default is 75 seconds; some browsers keep connections for at most 60 seconds, so it can be set to 60 seconds. Setting it to 0 disables keep-alive connections.


  • client_body_timeout

    Specifies the timeout for sending the request body after the connection between client and server has been established. If the client sends nothing within the specified time, Nginx returns HTTP 408 (Request Timed Out).

    # Context: http, server, location
    client_body_timeout 20s;


  • client_header_timeout

    The timeout for the client to send a complete request header to the server. If the client does not send a complete request header within the specified time, Nginx returns HTTP 408 (Request Timed Out).

    # Context: http, server, location
    client_header_timeout 10s;


  • send_timeout

    The timeout for the server to transmit response data to the client.

    # Context: http, server, location
    send_timeout 30s;


  • client_body_buffer_size

    This directive sets the buffer size for the request body. If the body exceeds the buffer size, all or part of it is written to a temporary file. If NGINX is configured to write the body to a file instead of a memory buffer, this directive is ignored. By default the buffer is 8k on 32-bit systems and 16k on 64-bit systems. This directive can be used in the http, server and location blocks of the NGINX configuration.


  • client_max_body_size

    This directive sets the maximum request body size NGINX will handle. If a request is larger than the specified size, NGINX returns an HTTP 413 (Request Entity Too Large) error. This directive is very important if the server has to handle large file uploads.

    The default value is 1m. Example:

    server {
        client_max_body_size 2m;
    }


 

Other configuration options:

 
  • client_body_in_file_only

    This directive disables the temporary buffer and makes NGINX store the request body in a file; the file holds the data as plain text. It can be used in the http, server and location blocks of the NGINX configuration. The possible values are:

    off: disables writing the body to a file.

    clean: the request body is written to a file, which is deleted after the request has been processed.

    on: the request body is written to a file, which is not deleted after the request has been processed.

    The default is off. Example:

    http {
        client_body_in_file_only clean;
    }


  • client_body_in_single_buffer

    This directive makes NGINX store the whole request body in a single buffer. The default is off. Enabling it saves I/O operations when reading the $request_body variable. Example:

    server {
        client_body_in_single_buffer on;
    }


  • client_body_temp_path

    This directive specifies where the temporary files holding request bodies are stored. Besides the location, it can also specify up to three levels of subdirectory hierarchy; each level value gives the number of digits used to name the directories at that level.

    By default NGINX creates the temporary files in the client_body_temp directory under the NGINX installation path. Example:

    server {
        client_body_temp_path temp_files 1 2;
    }


  • client_header_buffer_size

    This directive is similar to client_body_buffer_size: it allocates a buffer for the request header. If a request header is larger than this buffer, a larger buffer is allocated as specified by the large_client_header_buffers directive. Example:

    http {
        client_header_buffer_size 1m;
    }


  • large_client_header_buffers

    This directive specifies the maximum number and size of the buffers used to read large client request headers. These buffers are allocated only on demand, when the default buffer is too small, and they are released once the request has been processed or the connection switches to keep-alive. Example:

    http {
        large_client_header_buffers 4 8k;
    }
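As an added example (not part of the original post), the directives from both sections above combined into one configuration; the server_name, the temp path and the upstream name are placeholders:

```nginx
# Added example: anti-slow-attack settings from this post in one place.
# server_name, client_body_temp_path and the upstream are hypothetical.
http {
    # Idle keep-alive connections are closed after 60s (nginx default is 75s).
    keepalive_timeout 60s;

    # Slow headers: the full request header must arrive within 10s, else 408.
    client_header_timeout 10s;
    # Slow body: no more than 20s between two successive body reads, else 408.
    client_body_timeout 20s;
    # Slow read: no more than 30s between two successive response writes.
    send_timeout 30s;

    # Header buffers: 1k default buffer, at most four 8k buffers for large headers.
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;

    # Request body handling: reject bodies over 2m with 413, buffer 16k in memory,
    # spool the rest to disk under a two-level directory hierarchy.
    client_max_body_size 2m;
    client_body_buffer_size 16k;
    client_body_temp_path /var/cache/nginx/client_temp 1 2;

    server {
        listen 80;
        server_name example.com;    # placeholder

        location /upload {
            # Upload endpoint: allow a larger body, write it straight to a file
            # and delete the file once the request has been processed.
            client_max_body_size 50m;
            client_body_in_file_only clean;
            proxy_pass http://upload_backend;    # hypothetical upstream
        }
    }
}
```

Note that client_body_timeout and send_timeout bound the gap between two successive read or write operations, not the whole transfer, so they should be paired with a realistic client_max_body_size.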


Origin www.cnblogs.com/52py/p/10931089.html