Defending against DDoS is a systematic undertaking. There are many types of attack, defense is costly, and there are many bottlenecks, so the defender is in a passive, largely helpless position. DDoS attacks are distributed and target either bandwidth or services, that is, Layer 4 traffic attacks and Layer 7 application attacks. The corresponding defensive bottleneck at Layer 4 is bandwidth, and at Layer 7 it is the throughput of the architecture.
1. Limit the number of requests per second
The ngx_http_limit_req_module module uses the leaky bucket principle to limit the number of requests per unit time. Once the number of requests per unit time exceeds the limit, a 503 error is returned.
Configuration needs to be set in two places:
Define the trigger conditions in the http section of nginx.conf; there can be multiple conditions.
Define the action nginx performs when a trigger condition is reached in the location block.

    http {
        # trigger condition: limit every client IP to 10 requests per second
        limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
        # ...
        server {
            # ...
            location ~ \.php$ {
                # action to perform, matched to the condition by zone name
                limit_req zone=one burst=5 nodelay;
            }
        }
    }

Parameter description:
$binary_remote_addr The remote address in binary form.
zone=one:10m Defines a zone named one and allocates 10M of memory to it for storing sessions (binary remote addresses). 1m of memory can hold 16,000 sessions.
rate=10r/s; Limits the frequency to 10 requests per second.
burst=5 Allows up to 5 requests beyond the frequency limit. Suppose the number of requests in seconds 1, 2, 3, and 4 is 9 per second; then 15 requests are allowed in the 5th second. Conversely, if there are 15 requests in the first second, 5 of them are carried over to the second second, and requests beyond 10 in the second second are rejected directly with a 503. This is similar to limiting the average rate over several seconds.
nodelay Requests exceeding the limit are not delayed. With this set, 15 requests will be processed within 1 second.
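
The burst and nodelay behaviour described above, as an added example that is not part of the original article: a simplified Python model of the leaky-bucket accounting for a single limit_req key, run on constructed arrival patterns. The function names and the sample patterns are assumptions of this sketch; it shows that rate=10r/s burst=5 admits 15 requests spread across one second, but only 6 when they all arrive at the same instant.

```python
def limit_req(arrivals_ms, rate=10, burst=5, nodelay=True):
    """Model one limit_req key (one client IP).

    arrivals_ms: request arrival times in milliseconds, ascending.
    Returns a list of (t_ms, status, delay_ms) tuples.
    The bucket level ("excess") is tracked in thousandths of a request.
    """
    results = []
    excess = last = None                  # no state stored for this key yet
    for t in arrivals_ms:
        if last is None:
            new_excess = 0                # first request seen from this key
        else:
            # The bucket leaks `rate` requests per second since the last
            # accepted request; the current request adds 1000 (one request).
            new_excess = max(excess - rate * (t - last) + 1000, 0)
        if new_excess > burst * 1000:
            # Bucket would overflow past burst: reject, leave state unchanged.
            results.append((t, 503, 0))
            continue
        excess, last = new_excess, t
        # Without nodelay, queued requests are paced out at the configured rate.
        delay = 0 if nodelay else new_excess // rate
        results.append((t, 200, delay))
    return results


def passed(results):
    """Count requests that were not rejected."""
    return sum(1 for _, status, _ in results if status == 200)


# Constructed arrival patterns for a single client IP (milliseconds).
FLOOD = [0] * 15                               # 15 requests at the same instant
SPREAD = [i * 1000 // 15 for i in range(15)]   # 15 requests over one second
STEADY = [i * 100 for i in range(30)]          # exactly 10 r/s for 3 seconds

if __name__ == "__main__":
    for name, pattern in (("flood", FLOOD), ("spread", SPREAD), ("steady", STEADY)):
        res = limit_req(pattern)
        print(f"{name:7s} passed={passed(res):2d} rejected={len(res) - passed(res):2d}")
    queued = limit_req(FLOOD, nodelay=False)
    print("delays without nodelay (ms):", [d for _, s, d in queued if s == 200])
```

The same number of requests is accepted with or without nodelay; the option only decides whether the burst is served immediately or paced out at the configured rate.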
2. Limit the number of IP connections
The configuration method and parameters of ngx_http_limit_conn_module are very similar to those of the http_limit_req module, but there are fewer parameters and it is much simpler.

    http {
        # trigger condition
        limit_conn_zone $binary_remote_addr zone=addr:10m;
        # ...
        server {
            # ...
            location /download/ {
                # allow 1 connection at a time; excess connections get a 503
                limit_conn addr 1;
            }
        }
    }

3. Whitelist settings
The http_limit_conn and http_limit_req modules limit the concurrency and the number of requests per unit time of a single IP. However, if there is a load balancer or reverse proxy such as lvs or haproxy in front of Nginx, all that nginx sees are connections or requests coming from the load balancer. In that case the load balancer's connections and requests should not be restricted. You need to set up a whitelist using the geo and map modules; a request whose key evaluates to an empty string is not counted against the zone, which is what exempts the whitelisted address:

    # 1 = subject to limits (default), 0 = whitelisted
    geo $whiteiplist {
        default 1;
        10.11.15.161 0;
    }
    # whitelisted addresses get an empty key and are not limited
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_req_zone $limit zone=one:10m rate=10r/s;
    limit_conn_zone $limit zone=addr:10m;