The website nginx configuration limits the access frequency of a single IP to prevent DDOS malicious attacks

Posted by fredted40x on Fri, 21 Jan 2022 00:55:11 +0100

1, Introduction

For websites, especially famous websites with large traffic, they often encounter attacks, such as DDOS attacks. Although some third parties, such as Cloudflare, can block them, for dynamic websites, PHP can only block some. At this time, it is necessary to limit the flow of a single IP malicious attack. Two modules of nginx can limit current.

nginx two current limiting modules:
Connection frequency limit, ngx_http_limit_conn_module: Official documents
Request frequency limit, ngx_http_limit_req_module: Official documents

2, Differences between the two modules

First, understand the request and connection. HTTP requests are based on one TCP connection, and one TCP connection generates at least one HTTP request (one or more times)

There are many online theories. According to the name:

  • Connection is a complete state machine established through three handshakes, which is often called tcp connection. To establish a connection, you must shake hands three times.
  • Request refers to request, that is, http request. tcp connection is stateful, while http built on tcp is a stateless protocol.

Of course, if you still can't understand it, speak it in layman's terms (compared with time):

  • limit_req_zone, which limits how many requests a single IP can send per second or per minute in a limited time. Don't pay attention to any more.
  • limit_conn_zone, unlimited time, only allows multiple connections of a single IP, or called concurrency. For example, when setting 10 connections and the 11th connection, the connection can only be allowed after the previous one has been completed or released.

For example, second kill, rush purchase, connection frequency limit and request frequency limit should be used together. Use the connection frequency limit to limit that there can only be three connections at the same time for the same IP, and then use the request frequency limit. For requests of the same IP, limit the average rate to 5 requests / s, which is much better than using only one limit alone.

For example, only using the request frequency limit can accurately limit that the same ip1 second can only initiate 5 http requests. If 100000 requests are initiated in the same ip1 second, although only 5 successful responses are limited, will other 99995 requests TCP handshake establish http connections consume server resources? Therefore, it needs to be used together.

3, Disposition

1,limit_req_zone, example:

http{
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    #Define a limit called allips_ req_ The zone is used to store session s, with a size of 10M memory,
    #In $binary_remote_addr is the key, limiting the average number of requests per second to 20,
    #1M can store 16000 States, and the value of rete must be an integer,
    #If one request is limited to two seconds, it can be set to 30r/m
    server{
        location / {
            #It is limited to no more than 20 requests per second per ip, and the number of leaky buckets is burst 5
            #brust means that if there are 19 requests in the 1st, 2nd, 3rd and 4th seconds,
            #25 requests in the fifth second are allowed.
            #However, if you have 25 requests in the first second and more than 20 requests in the second second second, 503 error will be returned.
            #nodelay. If this option is not set, the average rate is strictly used to limit the number of requests,
            #When there are 25 requests in the first second, 5 requests are executed in the second second second,
            #Set nodelay, and 25 requests will be executed in the first second.
            limit_req zone=allips burst=5 nodelay;
        }
    }
}

2,limit_conn_zone, example:

http { 
    limit_conn_zone $binary_remote_addr zone=addr: 10m; 
    #Define a limit called addr_ req_ The zone is used to store session s, with a size of 10M memory,
    #In $binary_remote_addr is key 
    #Limit after nginx 1.18_ conn_ Zone replaces limit_conn,
    #And can only be placed in the http {} code segment
    server { 
        location / { 
            limit_conn addr 10;   #Connection limit, concurrency
            #Sets the shared memory area for the given key value and the maximum number of connections allowed. When this limit is exceeded, the server will return 503 (service temporarily unavailable) error
       #If the area storage space is insufficient, the server will return 503 (service temporarily unavailable) error
        }
    }
} 

3. Use together

http {
    ...
    ...
    limit_req_zone $binary_remote_addr zone=req_zone:1m rate=20r/s;
    #Limit connection request settings, access memory 10M, all access ip limit 10 requests per second
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    #Restrict connection IP settings
    ...
    ...
    server {
        listen       80;
        server_name  ywbj.cc;
        location / {
            ...
            
            limit_req zone=req_zone burst=5 nodelay;
            limit_conn addr 5;
            
           	...
        }
    }
}

4, Pressure test tool

1. ab command

ab is apache's own stress testing tool. Generally, there is no need for additional installation. ab is very practical. It can not only carry out website access stress test on apache servers, but also carry out stress test on or other types of servers. Such as nginx, tomcat, IIS, etc.

Test command

ab -c 10 -n 100 https://ywbj.cc/
#-c10 indicates that the number of concurrent users is 10
#-n100 indicates that the total number of requests is 100

2. wrk command

Install by yourself, address: https://github.com/wg/wrk

install

git clone git@github.com:wg/wrk.git
#Or download and unzip it yourself
cd wrk
#Enter directory
make
#After compiling make, you can use the wrk command in the directory. First install make and unzip these tools.

Test command:

wrk -t12 -c100 -d30s https://ywbj.cc
#12 threads, 100 connections, 30s time

There are other pressure measuring tools to study by ourselves

Topics: Linux Operation & Maintenance network Nginx server