
Defending against DDoS is a systematic undertaking: there are many kinds of attack, defense is expensive, and there are many bottlenecks, so the defender is always in a passive position. DDoS is distributed by nature and targets bandwidth and services, that is, Layer 4 traffic attacks and Layer 7 application attacks. The corresponding defense bottleneck at Layer 4 is bandwidth; at Layer 7 it is the throughput of the architecture.

How to prevent DDoS attacks after nginx reverse proxy

1. Limit the number of requests per second

The ngx_http_limit_req_module module uses the leaky bucket principle to limit the number of requests per unit of time. Once the number of requests per unit of time exceeds the limit, a 503 error is returned.

Configuration needs to be set in two places:

Define the trigger conditions in the http section of nginx.conf; there can be several conditions.

Define, in the location block, the action nginx performs when a trigger condition is reached.

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;   # trigger condition: each client IP is limited to 10 requests per second
    ...
    server {
        ...
        location ~ \.php$ {
            limit_req zone=one burst=5 nodelay;   # action to perform; matched to the condition by the zone name
        }
    }
}

Parameter description:

$binary_remote_addr The client address in binary form.

zone=one:10m Defines a zone named "one" and allocates 10M of memory to it for storing sessions (keyed by the binary remote address). 1m of memory can hold 16,000 sessions.

rate=10r/s Limits the rate to 10 requests per second.

burst=5 The number of requests allowed above the rate limit is at most 5. Suppose seconds 1, 2, 3 and 4 each carry 9 requests; then 15 requests are allowed in the 5th second. Conversely, if 15 requests arrive in the first second, 5 of them are carried over into the second second, and any requests beyond 10 in the second second get a 503 directly, which resembles an average rate limit spread over several seconds.

nodelay Requests exceeding the rate are not delayed. With this set, the 15 requests are processed within 1 second instead of being queued.

2. Limit the number of IP connections

The configuration and parameters of ngx_http_limit_conn_module are very similar to those of the http_limit_req module, with fewer parameters and much simpler semantics.

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;   # trigger condition
    ...
    server {
        ...
        location /download/ {
            limit_conn addr 1;   # allow 1 concurrent connection per IP; connections beyond that get 503
        }
    }
}

3. Whitelist settings

The http_limit_conn and http_limit_req modules limit the concurrency and the requests per unit of time of a single IP. However, if a load balancer or reverse proxy such as LVS or HAProxy sits in front of Nginx, every connection or request nginx sees comes from the load balancer, and those connections and requests must not be restricted. In that case you need to build a whitelist with the geo and map modules:

geo $whiteiplist {
    default 1;
    10.11.15.161 0;
}
map $whiteiplist $limit {
    1 $binary_remote_addr;
    0 "";
}
limit_req_zone $limit zone=one:10m rate=10r/s;
limit_conn_zone $limit zone=addr:10m;
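To see what rate=10r/s, burst=5 and nodelay from section 1 actually do to a stream of requests, and how the empty key produced by the geo/map whitelist above exempts the load balancer, here is an added simulation (not code from the article or from nginx). It is a simplified model of the documented limit_req leaky bucket: as in nginx, time is in integer milliseconds and the per-key excess is counted in thousandths of a request; the client address 203.0.113.7 and the request timings are constructed sample input.

```python
from dataclasses import dataclass, field

@dataclass
class LimitReq:
    """Simplified model of the limit_req leaky bucket (assumption: it follows the
    documented behaviour; time is in integer milliseconds and the per-key
    'excess' is kept in thousandths of a request, as nginx does)."""
    rate: int                 # requests per second, e.g. 10 for rate=10r/s
    burst: int                # extra requests allowed to queue, e.g. burst=5
    nodelay: bool = True
    state: dict = field(default_factory=dict)   # key -> (excess, last_ms)

    def handle(self, key: str, now_ms: int):
        """Return (status, delay_ms) for one request carrying a given zone key."""
        if key == "":                       # empty key: nginx does not account it at all
            return 200, 0
        if key not in self.state:           # first request for a key is always accepted
            self.state[key] = (0, now_ms)
            return 200, 0
        excess, last_ms = self.state[key]
        # the bucket drains `rate` requests per second; this request adds one
        excess = max(excess - self.rate * (now_ms - last_ms), 0) + 1000
        if excess > self.burst * 1000:      # rejected: the stored state is left untouched
            return 503, 0
        self.state[key] = (excess, now_ms)
        return 200, (0 if self.nodelay else excess // self.rate)

WHITELIST = {"10.11.15.161"}   # the load balancer address from the geo block above

def zone_key(remote_addr: str) -> str:
    """Mirror the geo/map pair: whitelisted addresses map to the empty key."""
    return "" if remote_addr in WHITELIST else remote_addr

def simulate(arrivals, rate=10, burst=5, nodelay=True):
    """arrivals: list of (time_ms, remote_addr); returns one HTTP status per request."""
    lim = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    return [lim.handle(zone_key(ip), t)[0] for t, ip in arrivals]

if __name__ == "__main__":
    client = "203.0.113.7"                            # constructed client address
    flood = [(0, client)] * 15                        # 15 requests in the same instant
    spread = [(i * 50, client) for i in range(20)]    # 20 requests, one every 50 ms
    print("flood :", simulate(flood).count(200), "of 15 accepted")    # 6 = 1 + burst
    print("spread:", simulate(spread).count(200), "of 20 accepted")   # 15 in one second
    lb = [(i * 10, "10.11.15.161") for i in range(50)]                # load balancer traffic
    print("lb    :", simulate(lb).count(503), "rejected")              # 0: whitelisted
```

Note that burst=5 does not mean 15 requests can land in the same instant: only 1 + burst are accepted at once, and the other slots open as the bucket drains at 10 per second, which is why the spread stream gets 15 through within the second.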
