Restricting IP access on an Nginx server in various scenarios

  • 2020-05-14 05:33:23
  • OfStack

Limiting the number of requests an IP can make in a given time period

Setting up a way to limit how many requests an IP may make in a given time period is a headache, especially when facing a malicious DDoS attack. A CC attack (Challenge Collapsar) is one kind of DDoS (distributed denial of service) attack and a common way of attacking websites: the attacker keeps sending a large number of packets to the victim host through proxy servers or compromised machines (zombies), causing the target server to run out of resources until it goes down.

A CC attack generally uses a limited number of IPs that send requests to the server at high frequency. Nginx can mitigate CC attacks by limiting how many times an IP may access the server in a given period, configured through the HttpLimitReqModule and HttpLimitZoneModule modules.

HttpLimitReqModule limits the number of requests per unit of time. It is used together with the limit_req_zone and limit_req directives; requests arriving faster than the configured limit are answered with a 503 error.

HttpLimitConnModule limits the number of concurrent connections from a single IP, using the limit_zone and limit_conn directives.

The difference between the two modules is that the first limits the number of requests within a period of time (a rate), while the second limits the number of connections open at the same time (concurrency).

Using HttpLimitReqModule to limit the number of requests from a single IP in a given period


http{
  ...
  # Define a limit_req_zone named allips that uses 10M of memory to store session state,
  # keyed on $binary_remote_addr, limiting the average rate to 20 requests per second.
  # 1M can store about 16000 states. rate must be an integer;
  # to allow one request every two seconds, set it to 30r/m.
  limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
  ...
  server{
    ...
    location / {
      ...
      # Limit each IP to no more than 20 requests per second, with a burst bucket of 5.
      # burst means: if seconds 1, 2, 3 and 4 each carry 19 requests,
      # then 25 requests in the 5th second are allowed.
      # But if 25 requests arrive in the 1st second, requests beyond 20 in the 2nd second
      # get a 503 error.
      # nodelay: without this option the average rate is enforced strictly, so when
      # 25 requests arrive in the 1st second, 5 of them are delayed into the 2nd second;
      # with nodelay set, all 25 requests are processed in the 1st second.
      limit_req zone=allips burst=5 nodelay;
      ...
    }
    ...
  }
  ...
}
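To make the burst and nodelay behaviour concrete, here is a Python model of the leaky-bucket accounting that limit_req uses: excess is tracked in thousandths of a request, decays at the configured rate, and a request whose excess exceeds burst is rejected with 503, while accepted excess is either served at once (nodelay) or delayed. This is an added illustration written for this article, not nginx's own code; it assumes the zone above (20r/s, burst=5) and takes request timestamps in milliseconds.

```python
# Model of nginx limit_req accounting (added example, not nginx source).
# Excess is kept in 1/1000 request units and times in milliseconds.

class LimitReq:
    """Zone state for one client key, e.g. one $binary_remote_addr."""

    def __init__(self, rate_per_sec, burst=0, nodelay=False):
        self.rate = rate_per_sec * 1000   # requests per second, in 1/1000 units
        self.burst = burst * 1000         # excess tolerated above the rate
        self.nodelay = nodelay
        self.excess = 0                   # current excess in 1/1000 requests
        self.last_ms = None               # time of the last accepted request

    def request(self, now_ms):
        """Return (status, delay_ms) where status is 'ok', 'delayed' or '503'."""
        if self.last_ms is None:
            excess = 0                    # a fresh state costs nothing
        else:
            elapsed = now_ms - self.last_ms
            # excess drains at the rate, and each request adds one whole request
            excess = max(self.excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return "503", 0               # over the burst: rejected, state untouched
        self.excess, self.last_ms = excess, now_ms
        if self.nodelay or excess == 0:
            return "ok", 0                # served immediately
        # without nodelay the request is held until the excess has drained
        return "delayed", excess * 1000 // self.rate


def simulate(times_ms, rate=20, burst=5, nodelay=False):
    """Feed a list of arrival times (constructed input) through one zone."""
    zone = LimitReq(rate, burst, nodelay)
    return [zone.request(t) for t in times_ms]


def count(results):
    """Tally statuses, e.g. {'ok': 6, '503': 19}."""
    tally = {}
    for status, _ in results:
        tally[status] = tally.get(status, 0) + 1
    return tally


if __name__ == "__main__":
    print(count(simulate([0] * 25, nodelay=True)))          # 25 requests at once
    print(count(simulate([i * 40 for i in range(25)])))     # 25 spread over 1 s
```

Note that 25 requests arriving at the very same instant only get 1 + burst accepted; the "25 per second" in the comments above holds when the requests are spread across the second.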

Using HttpLimitZoneModule to limit the number of concurrent connections

limit_zone can only be defined in the http scope; limit_conn can be defined in the http, server and location scopes.


http{
  ...
  # Define a zone named one with 10M of memory to store session state,
  # keyed on $binary_remote_addr.
  # Since nginx 1.18, limit_conn_zone replaces limit_zone,
  # and it can only be placed in the http scope.
  limit_conn_zone $binary_remote_addr zone=one:10m;
  ...
  server{
    ...
    location / {
      ...
      limit_conn one 20;     # at most 20 concurrent connections per IP
      # Bandwidth limit per single connection: if one IP opens two connections
      # it can use 500k x 2
      limit_rate 500k;
      ...
    }
    ...
  }
  ...
}


Restricting the whole server to a specific IP


#vi nginx.conf
  allow 10.57.22.172;
  deny all;


Restricting IP access to specific directories

Key points of the implementation

1. The use of ( ) and | in regular expressions: ( ) groups a pattern, and | means "or".
2. Nginx location matching: regular-expression locations are tried in the order they appear in the file (tip: place the location for the directory to be protected at the beginning of the server block).
3. The use of allow and deny.


Sample
Directory structure

The root directory is /srv/
test1/  --  hello.php
test2/  --  hello.php
test3/  --  hello.php
test4/  --  {hello.php,1.php,2.php}

Access requirements
For the test1 and test2 directories, only the IP address 192.168.1.101 may access them; all other IPs are denied.
For the PHP programs in the other directories, all IP addresses are allowed.

The nginx configuration


  # The specified directories are only accessible from the whitelisted IP
  location ~ ^/(test1|test2)/ {
    allow 192.168.1.101;
    deny all;

    root /srv/;
    fastcgi_param  HTTPS  on;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass  php5_fpm;
  }

  # proxy the PHP scripts to fpm
  location ~ \.php$ {
    root /srv/;
    fastcgi_param  HTTPS  on;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass  php5_fpm;
  }

Notes:
1. deny must be paired with at least one allowed IP; otherwise every request goes straight to 403 and nothing after it is executed. If the default 403 page is served under the same domain name, this causes an endless access loop.
2. allow with IP ranges: order them from the smallest range to the largest, for example 127.0.0.0/24 before 10.10.0.0/16.
/24 is the subnet mask 255.255.255.0
/16 is the subnet mask 255.255.0.0
/8 is the subnet mask 255.0.0.0
3. deny all; at the end means that everything except the allow rules above it is forbidden.
For example:

  deny 192.168.1.1;
  allow 127.0.0.0/24;
  allow 192.168.0.0/16;
  allow 10.10.0.0/16;
  deny all;
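The following Python model of how nginx evaluates allow/deny rules (checked top to bottom, the first matching rule decides, and a client matching no rule is allowed) runs the list above and the test1/test2 whitelist from the directory example against a few constructed client addresses, and shows why a deny all placed first shadows every later allow. It is an added example for this article, not nginx code; the client IPs are made up.

```python
import ipaddress

# Constructed rule lists: the allow/deny example above, in order, and the
# test1/test2 whitelist from the directory example.
RULES = [
    ("deny",  "192.168.1.1"),
    ("allow", "127.0.0.0/24"),
    ("allow", "192.168.0.0/16"),
    ("allow", "10.10.0.0/16"),
    ("deny",  "all"),
]
DIRECTORY_RULES = [("allow", "192.168.1.101"), ("deny", "all")]


def rule_matches(target, ip):
    """'all' matches every client; anything else is a single address or a CIDR range."""
    if target == "all":
        return True
    return ip in ipaddress.ip_network(target, strict=False)


def evaluate(rules, client_ip):
    """First matching rule decides: allow lets the request continue, deny yields 403.
    With no matching rule the client is allowed.
    Returns (decision, index of the deciding rule or None)."""
    ip = ipaddress.ip_address(client_ip)
    for index, (action, target) in enumerate(rules):
        if rule_matches(target, ip):
            return action, index
    return "allow", None


def netmask_for_prefix(prefix_len):
    """Dotted netmask for a /N prefix, e.g. 24 -> '255.255.255.0' (note 2 above)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


if __name__ == "__main__":
    for client in ("192.168.1.1", "192.168.1.2", "127.0.0.77", "10.11.0.1"):
        print(client, evaluate(RULES, client))
    print("192.168.1.101", evaluate(DIRECTORY_RULES, "192.168.1.101"))
    # deny all first: the whitelisted address never reaches its allow rule
    print(evaluate([("deny", "all"), ("allow", "192.168.1.101")], "192.168.1.101"))
```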

