[转]配置Nginx参数来防DDOS

原创 飞翔线  2011-05-10 10:51  阅读 24人浏览 次
caohuan

系统环境:FreeBSD, network card: Intel fxp, port: 100Мбит, polling, http accept-filter.

in sysctl:

   

sysctl kern.maxfiles=90000
sysctl kern.maxfilesperproc=80000
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
sysctl kern.polling.burst_max=1000
sysctl kern.polling.each_burst=50
sysctl kern.ipc.somaxconn=32768
sysctl net.inet.tcp.msl=3000
sysctl net.inet.tcp.maxtcptw=40960
sysctl net.inet.tcp.nolocaltimewait=1
sysctl net.inet.ip.portrange.first=1024
sysctl net.inet.ip.portrange.last=65535
sysctl net.inet.ip.portrange.randomized=0

in nginx configuration:

   

worker_processes 1;
worker_rlimit_nofile 80000;
events {
    worker_connections 50000;
}

server_tokens off;
log_format IP `$remote_addr';
reset_timedout_connection on;

listen  xx.xx.xx.xx:80  default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;

In the following way it is possible to realize filtration of url, in example for POST index.php?action=login which is with empty referral.

   

set $add 1;
location /index.php {
        limit_except GET POST {
             deny all;
    }
    set $ban "";
    if ($http_referer = "" ) {set $ban $ban$add;}
    if ($request_method = POST ) {set $ban $ban$add;}
    if ($query_string = "action=login" ){set $ban $ban$add;}
    if ($ban = 111 ) {
        access_log /var/log/[133]nginx/ban IP;
        return 404;
    }
    proxy_pass http://127.0.0.1:8000; #here is a patch
}

Further we cut it at pf level – loaded into IP table, hosts from which came too many hits. PF with tables works very quickly. Sources for parsing of logs (ddetect) you can find on http://www.comsys.com.ua/files Then Cron used once in a minute, to add into ip tables new IPs from a log. 25 Mbyte DDoS, which cuts IPs, the rests fall on nginx which by it is criterion pass IPs and the rests passed on the apache – LA 0, site works.

去打赏

您的支持将鼓励我们继续创作!

[微信] 扫描二维码打赏

[支付宝] 扫描二维码打赏

正在跳转到PayPal...
本文地址:http://caohuan.com/transfer-nginx-configuration-parameters-to-prevent-ddos.html
关注我们:请关注一下我们的微信公众号:扫描二维码飞翔线的公众号,公众号:aiboke112
版权声明:本文为原创文章,版权归 飞翔线 所有,欢迎分享本文,转载请保留出处!
caohuan
caohuan

评论已关闭!