Home > Article > Operation and Maintenance > How to configure Nginx server to prevent Flood attacks
Test
I will briefly tell you how to configure nginx's restricted request module and how it protects your website from being attacked by DDoS or other http-based Denial of service attack.
In this test, I saved the sample page in blitz.io (now a free service) and named it about.html to test the limit_req directive.
First, I saved it on blitz Use the following command to initiate 1075 concurrent requests and last for one minute. The response timeout is set to 2 minutes, the region is California, and all other states except status 200 are set to abnormal status. Even 503 is considered It was unsuccessful.
-p 1-1075:60 --status 200 -t 2000 -r california http://kbeezie.com/about.html
Ran Zhou defines these rules in the server:Copy the code The code is as follows:location = /about.html {
limit_req zone=blitz nodelay;
}
Then reload the nginx configuration and see the effect:
php Apply Request Limits
If you want to restrict all For PHP application limits, you can do this: Copy code The code is as follows:location ~ \.php { limit_req zone=flood;
include php_params.conf;
fastcgi_pass unix:/tmp/php5-fpm.sock;
}
Note:
It is difficult for me to implement a real high-traffic network or ddos (distributed denial of service attack). This is why the number of users we successfully access is not the same as ip Very large. Server load will also affect the number of visits or regions of test users. With the free version, the maximum number of concurrent users you can access is 50. Of course, you can spend $49 per day to allow 1,000 users to visit your website.
Better alternative
Without going into more details here, if you are serious about preventing DDoS or multi-service attacks from attacking your server, there are other great software tools like iptables (linux), pf (packet filter for bsd), or if your server provides hardware, you can use your hardware firewall. The above restriction module will only prevent flood attacks through http requests. It will not prevent ping packet flood attacks or other vulnerabilities. For these In this case, you can close unnecessary services and unnecessary ports to prevent others from breaking through.For example, the only ports my server exposes to the external network are http/https and ssh. Among services such as mysql Bind local connections. You can also set some common services to ports that are not commonly used so that they will not be sniffed (iptables/pf will help in this situation).The above is the detailed content of How to configure Nginx server to prevent Flood attacks. For more information, please follow other related articles on the PHP Chinese website!