Details on configuring Nginx to prevent traffic attacks

  • 2020-05-13 04:32:45
  • OfStack

Usage scenarios

Recently, I ran into a problem at work. In the project, I had reported that the load-balancing cluster configuration for the query system was complete. The two implementations are session management policies based on Ehcache and Redis respectively.

Everyone knows that server resources are limited, while client requests are unlimited (and malicious attacks cannot be ruled out). To make sure that most requests still get a normal response, some client requests have to be dropped, so we use Nginx rate limiting. This greatly relieves the pressure on the server, and the remaining normal requests can be answered normally.

This article shows how to use Nginx for basic rate limiting, for example 50 requests per second for a single IP. With the Nginx rate-limiting modules, as soon as the number of concurrent connections exceeds the configured value, a 503 error is returned to the client. This is very effective against CC attacks; together with an iptables firewall, CC attacks can basically be ignored. Here's a look at the details:

How to use

conf configuration


# Configure the zones in the http block
# Request rate limit: the key is the client IP followed by the requested URI
# (written as one argument; limit_req_zone takes a single key expression)
limit_req_zone $binary_remote_addr$uri zone=api_read:20m rate=50r/s;
# A connection zone keyed by client IP
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
# A connection zone keyed by server name
limit_conn_zone $server_name zone=perserver_conn:100m;
server {
  listen  80;
  server_name report.52itstyle.com;
  index login.jsp;
  location / {
    # Request rate limit; requests over the rate queue up to burst (default 0)
    limit_req zone=api_read burst=5;
    # Connection limit: at most 2 concurrent connections per IP
    limit_conn perip_conn 2;
    # Connection limit for the whole server (total concurrent connections)
    limit_conn perserver_conn 1000;
    # Bandwidth limit per connection
    limit_rate 100k;
    proxy_pass  http://report;
  }
}
upstream report {
  fair;   # requires the third-party nginx-upstream-fair module
  server 172.16.1.120:8882 weight=1 max_fails=2 fail_timeout=30s;
  server 172.16.1.120:8881 weight=1 max_fails=2 fail_timeout=30s;
}

Configuring the 503 error

By default, if the limit is exceeded, a 503 error will be reported, indicating:


503 Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. Sorry for the inconvenience.
Please report this message and include the following information to us.
Thank you very much!

This works, but it is not very user-friendly, so here we define a custom 503 page:


error_page 500 502 503 504 /50x.html;
location = /50x.html {
  root html;   # the custom 50x error page lives in the html directory
}

Configuration explained

limit_conn_zone

Defines a shared-memory container that stores the connection state for each key (here, each IP). In this example a 100m container is defined, which can hold about 3,200,000 sessions at 32 bytes per session.

limit_rate 300k;

Limits the transfer speed to 300k per connection. Note that the limit applies per connection, not per IP: if one IP is allowed two concurrent connections, that IP's effective limit is limit_rate×2.

burst=5;

This is like placing five seats next to the checkpoint (req). If a request is stopped for exceeding the rate limit, it is asked to sit in an empty seat and wait in line; when the checkpoint is free, it may pass. If even the seats are full, then sorry, the request is rejected on the spot and the client gets a "server busy" response. So burst has nothing to do with the request rate: if it is set to 10000, then 10,000 requests can wait in line, while the checkpoint still lets through only 5 requests per second (slowly). Moreover, requests cannot queue indefinitely, so nginx also applies a timeout: a request that waits in the queue longer than the set time also gets the "server busy" response directly.
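The checkpoint-and-seats picture corresponds to the leaky-bucket accounting nginx performs per key. The following Python model is an added example, not nginx's or the author's code; it reproduces that accounting (rate and burst as configured above, plus the optional nodelay flag) on constructed sample requests so the effect of burst=5 at rate=50r/s can be seen without a running server.

```python
"""Simplified model of nginx limit_req: a leaky bucket with rate and burst.

Added example, not nginx code. 'excess' is kept in thousandths of a request,
as ngx_http_limit_req_module does, so the numbers match nginx's arithmetic.
"""


class LimitReqZone:
    """Per-key bucket: each request adds 1 request, the bucket drains at `rate`."""

    def __init__(self, rate_per_sec, burst, nodelay=False):
        self.rate = rate_per_sec * 1000   # thousandths of requests per second
        self.burst = burst * 1000         # excess allowed before rejecting
        self.nodelay = nodelay
        self.state = {}                   # key -> (excess, last_ms)

    def check(self, key, now_ms):
        """Return ('pass', delay_ms) or ('reject', 0) for one request."""
        if key not in self.state:
            # First request for this key starts with an empty bucket.
            self.state[key] = (0, now_ms)
            return ("pass", 0)
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # Drain what leaked since the last request, then add this request.
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            # All "seats" taken: nginx answers 503 and leaves the state untouched.
            return ("reject", 0)
        self.state[key] = (excess, now_ms)
        # Without nodelay the queued request is held until the bucket drains.
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return ("pass", delay)


def simulate(requests, rate=50, burst=5, nodelay=False):
    """requests: list of (client_ip, arrival_ms). Returns (ip, ms, verdict, delay_ms)."""
    zone = LimitReqZone(rate, burst, nodelay)
    ordered = sorted(requests, key=lambda r: r[1])
    return [(ip, ms, *zone.check(ip, ms)) for ip, ms in ordered]


if __name__ == "__main__":
    # Constructed sample: one client fires 8 requests in the same millisecond.
    flood = [("10.0.0.1", 0)] * 8
    for row in simulate(flood):
        print(row)
```

With burst=5 the first request passes immediately, the next five are queued with growing delays (20 ms apart at 50r/s), and the seventh and eighth are rejected.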

The above configuration requires Nginx to be built with the following modules:


ngx_http_limit_conn_module (static)
ngx_http_limit_req_module (static)

Run the command nginx -V to check whether they are compiled in.
