Nginx configuration for secure access

This is a website security configuration for Nginx, intended to withstand malicious attacks on a site such as DDoS and CC (challenge collapsar) floods. The principle behind all of them is the same: a large volume of requests is sent to the server.

  • Active defense methods in Nginx
    Nginx has two modules for controlling the "quantity" and the "speed" of client connections:
    HttpLimitZoneModule (ngx_http_limit_conn_module in current versions, configured with limit_conn_zone): limits the number of concurrent connections
    HttpLimitReqModule (ngx_http_limit_req_module): limits the request rate, i.e. the maximum number of requests per second
    Once both modules are configured it is easy to hurt legitimate traffic. Neither the maximum requests per second nor the concurrency limit may be set too tightly, or nobody gets through and ordinary client requests are blocked along with the attack.
  • Common Nginx configuration
    Configuration in the http block

    # Key on the user's IP address ($binary_remote_addr): each IP address may hold at most 50 concurrent connections
    # Want to open a few thousand connections to flood me? Above 50 connections nginx returns 503 directly and does not process the request at all
    # limit single IP 50 concurrent control
    limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m;
    limit_conn  TotalConnLimitZone  50;
    limit_conn_log_level notice;
    
    # Key on the user's IP address ($binary_remote_addr): each IP address gets 20 requests per second
    # Want to hit me hundreds of times a second from a script? No chance: anything faster is not processed and gets a 503 directly
    # limit single IP/s 20 Request
    limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m  rate=20r/s;
    limit_req_log_level notice;

    Here "limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m;" defines a shared memory zone named TotalConnLimitZone of 20 MB, keyed by the client address in binary form; "limit_conn TotalConnLimitZone 50;" allows at most 50 simultaneous connections per key, and "limit_conn_log_level notice;" sets the log level used when a connection is rejected.
    "limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m rate=20r/s;" defines a zone named ConnLimitZone, also keyed by the client's remote address and 20 MB in size, with an average allowed rate of 20 requests per second per key; "limit_req_log_level notice;" sets the log level used when a request is delayed or rejected.
    The zones defined above are then applied inside the server block, for example in a location:

    ...
    location /abc/ {
        limit_req zone=ConnLimitZone burst=5 nodelay;
        proxy_pass http://abc_pool/;
    }
    ...

    Here "zone=ConnLimitZone" selects the zone to apply, by the name given to limit_req_zone above. "burst=5" sets the size of the burst buffer to 5: when a flood of requests exceeds the configured rate, up to 5 excess requests are accepted into this buffer instead of being rejected outright, so the location absorbs 20 requests per second plus a queue of 5. "nodelay" decides what happens to the buffered requests: with it, they are forwarded immediately and, once the 5 slots are used up, every further excess request gets a 503 straight away; without it, the excess requests are held and released at 20 per second, and only requests beyond the burst are rejected. 503 is the default rejection status; it can be changed with limit_req_status (and limit_conn_status for the connection limit).
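
As an added example (not part of the original post), the following http block wires both zones together and puts the no-burst, burst and burst-with-nodelay variants side by side in one file, and adds two things a practitioner usually wants next to such limits: a distinguishable rejection status, and an exemption for an internal address range via the documented rule that requests with an empty key are not counted. The geo exemption for 10.0.0.0/8, the upstream abc_pool definition, the /api/, /pages/ and /login paths and the 2r/s login zone are assumptions made for this example; the 20 MB zones, 50 connections and 20r/s follow the text. Variable values in geo need nginx 1.11.0 or later, and the delay= parameter needs 1.15.7 or later.

```nginx
# Added example, not from the original post: both limits in one http block,
# with the burst/nodelay variants side by side.  Assumed for this example:
# the 10.0.0.0/8 monitoring range, the abc_pool upstream, the /api/,
# /pages/ and /login paths and the 2r/s login zone.
http {
    upstream abc_pool {
        server 127.0.0.1:8080;   # assumed backend
    }

    # Requests whose key is an empty string are not counted at all, so a
    # geo lookup can exempt a trusted source range (assumed: internal
    # monitoring) from both limits while everyone else is keyed by address.
    geo $limit_key {
        default     $binary_remote_addr;
        10.0.0.0/8  "";
    }

    limit_conn_zone $limit_key zone=TotalConnLimitZone:20m;
    limit_req_zone  $limit_key zone=ConnLimitZone:20m rate=20r/s;

    # A tighter zone for an expensive endpoint: 2 requests per second per key.
    limit_req_zone  $limit_key zone=LoginLimitZone:10m rate=2r/s;

    # Answer with 429 instead of the default 503 so that limit rejections
    # can be told apart from real upstream failures in logs and monitoring.
    limit_conn_status 429;
    limit_req_status  429;
    limit_conn_log_level notice;
    limit_req_log_level  notice;

    server {
        listen 80;

        # At most 50 concurrent connections per key for the whole site.
        limit_conn TotalConnLimitZone 50;

        # Variant A: no burst.  Any request above 20r/s is rejected at once.
        location /api/ {
            limit_req zone=ConnLimitZone;
            proxy_pass http://abc_pool/;
        }

        # Variant B: burst without nodelay.  Up to 5 excess requests are
        # queued and released at 20r/s; beyond that, requests are rejected.
        location /pages/ {
            limit_req zone=ConnLimitZone burst=5;
            proxy_pass http://abc_pool/;
        }

        # Variant C: burst with nodelay (the original's setting).  Up to 5
        # excess requests are served immediately, then rejections start
        # until the burst slots free up again at the configured rate.
        location /abc/ {
            limit_req zone=ConnLimitZone burst=5 nodelay;
            proxy_pass http://abc_pool/;
        }

        # Variant D (nginx 1.15.7+): the first 3 excess requests are served
        # at once, the remaining 2 of the burst are delayed, the rest rejected.
        location /login {
            limit_req zone=LoginLimitZone burst=5 delay=3;
            proxy_pass http://abc_pool/;
        }
    }
}
```

Fire a short burst of requests at each location from one client and compare the 429 counts and response times: /api/ rejects as soon as the spacing drops below 50 ms, /pages/ smooths the burst out and only rejects once the queue is full, and /abc/ answers the first excess requests instantly and rejects the rest.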

  • Advanced Nginx configuration
    The configuration above is a simple server-side access limit for the equally simple topology client browser -> server, with no layer of network acceleration (CDN) in between.
    In many deployments the real path is: user's browser -> 360 Website Guard (CDN, 360 anti-CC/DDoS) -> Alibaba Cloud acceleration server (our own CDN, Alibaba Cloud Shield) -> origin server (where PHP is deployed, together with iptables and the Nginx security configuration).
    Site traffic passes through several layers of transparent acceleration and security filtering, so the "common configuration" above cannot be used as is: the "source IP" seen by the origin is no longer the user's IP but the address of the intermediate acceleration server.
    To get the real client IP, use the header
    X-Forwarded-For: user IP, proxy server IP, ...
    After multiple proxy layers the user's real IP is the first entry, followed by the addresses of the intermediate proxy servers. Take the first entry and apply the limits to that address.
    Bear in mind that X-Forwarded-For is written by whoever sends the request. A client that reaches the origin directly, bypassing the CDN, can put any value in it and thereby chooses its own rate-limit key (a different fake address per request, for instance). Keying on this header is therefore only safe if the origin accepts connections from the CDN and nothing else, which is what the iptables rules mentioned above have to enforce.
    Nginx configuration:

    # Recover the original user's IP address from X-Forwarded-For
    map $http_x_forwarded_for  $clientRealIp {
        # No header: the TCP peer is the client
        ""  $remote_addr;
        # First comma-separated entry (IPv4 only) is the client
        ~^(?P<firstAddr>[0-9\.]+),?.*$  $firstAddr;
        # Header present but not matching the pattern: fall back to the peer
        # address rather than an empty key, because requests with an empty
        # key are not counted by limit_conn/limit_req at all
        default  $remote_addr;
    }
    
    # limit single IP 50 concurrent control; the key is now $clientRealIp instead of $binary_remote_addr
    limit_conn_zone $clientRealIp zone=TotalConnLimitZone:20m;
    limit_conn  TotalConnLimitZone  50;
    limit_conn_log_level notice;
    
    # limit single IP/s 20 Request; the key is now $clientRealIp instead of $binary_remote_addr
    limit_req_zone $clientRealIp zone=ConnLimitZone:20m  rate=20r/s;
    limit_req_log_level notice;
    
    # Server configuration
    server {
        listen   80;
        location ~ \.php$ {
    
            limit_req zone=ConnLimitZone burst=5 nodelay;
    
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include fastcgi_params;
        }
    }
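
As an added example (not part of the original post), here is the same setup hardened with ngx_http_realip_module instead of the map: the X-Forwarded-For chain is only honoured for hops that arrive from known proxy addresses, and it is walked from the right so that a forged entry prepended by the client is ignored. The two set_real_ip_from ranges (203.0.113.0/24 and 198.51.100.0/24) are placeholders standing in for the 360 Website Guard and Alibaba Cloud ranges, which have to be taken from the vendors; the zone names, 50 connections, 20r/s and the PHP location follow the text, and the /nginx-test location is a diagnostic added here that does not need the echo module.

```nginx
# Added example, not from the original post: trust X-Forwarded-For only
# for known proxy hops and let realip rewrite $remote_addr.
# The two set_real_ip_from ranges are placeholders; use the CDN vendor's
# published ranges in a real deployment.
http {
    # Only connections arriving from these ranges may "speak for" the
    # client via X-Forwarded-For.  Anyone else keeps their own socket
    # address as $remote_addr, whatever header they send.
    set_real_ip_from 203.0.113.0/24;   # placeholder: 360 Website Guard edge range
    set_real_ip_from 198.51.100.0/24;  # placeholder: Alibaba Cloud accelerator range
    real_ip_header   X-Forwarded-For;
    # Walk the header from the right, skipping every trusted address, and
    # stop at the first untrusted one.  Without "recursive" only the last
    # entry is used, which here would be the Alibaba Cloud hop.
    real_ip_recursive on;

    # With realip in place $binary_remote_addr is the client again, so the
    # original zones work unchanged and keep their compact binary key.
    limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m;
    limit_conn      TotalConnLimitZone 50;
    limit_conn_log_level notice;

    limit_req_zone  $binary_remote_addr zone=ConnLimitZone:20m rate=20r/s;
    limit_req_log_level notice;

    server {
        listen 80;

        location ~ \.php$ {
            limit_req zone=ConnLimitZone burst=5 nodelay;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            include       fastcgi_params;
        }

        # Diagnostics: the rewritten client address next to the address of
        # the TCP peer (the last proxy) and the raw header, as plain text.
        location = /nginx-test {
            default_type text/plain;
            return 200 "client=$remote_addr peer=$realip_remote_addr xff=$http_x_forwarded_for\n";
        }
    }
}
```

Requesting /nginx-test through the CDN should show the user's address as client and a CDN edge as peer; requesting it directly from an untrusted host with a forged X-Forwarded-For should show that host's own address as client, which is exactly the case the plain map gets wrong. Restricting the origin to the CDN ranges with iptables, as the text suggests, is still worthwhile so that attackers cannot bypass the CDN's filtering altogether.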
  • Testing
    The configuration can be tested with the echo module (a third-party module, echo-nginx-module). Run nginx -V to see which modules the local Nginx was built with and whether echo still has to be downloaded, compiled and installed.
    The test configuration is shown directly:

    server {
        listen   80;
        server_name  www.aaa.com;
    
        ## When a user requests /nginx-test, output the $clientRealIp variable to check that it holds the user's source IP address
        location /nginx-test {
            echo $clientRealIp;
        }
    }

    Request /nginx-test on the site (the browser may offer the response as a download; open it in a text editor). You will see that even after the client has passed through several CDN layers, $clientRealIp still holds the original user's IP address.

Source: blog.51cto.com/10874766/2479516