Home  >  Article  >  Operation and Maintenance  >  How to use Nginx to restrict various malicious accesses

How to use Nginx to restrict various malicious accesses

王林
王林Original
2023-06-10 12:04:461769browse

As the development of the Internet continues to accelerate, there are more and more malicious access attacks. In order to ensure the security of our systems and data, we need to find an efficient way to restrict various malicious accesses. Here, I will introduce to you how to use Nginx to restrict various malicious access methods.

Nginx is a high-performance web server that can not only handle a large number of concurrent requests, but also achieve a variety of functions by using various plug-ins and modules. One of the important functions is to limit malicious access attacks. Here's how to implement this feature using Nginx: Send any request to the server. In this case, without any restrictions, the server may be subject to a large number of requests, even from malicious attackers, causing the server to be overloaded and eventually crash. To prevent this from happening, we need to set HTTP request limits on the server.

    By using Nginx modules, we can easily configure HTTP request limits. First, install the HttpLimitReq module on the Nginx server. Then, edit the Nginx configuration file and add the following code:
  1. http {
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;

server {
    limit_req zone=mylimit burst=10 nodelay;
}

}

The above code implements requests from the same IP address. Limitations: Only one request is allowed per second, and the maximum burst size allowed is 10 requests.

IP address access restrictions

Malicious attackers may use a large number of IP addresses to attack our server, for example by using a large number of proxy servers or using a large number of computers to carry out DDoS attacks. To limit this attack, we need to implement IP address access restrictions.

    By using Nginx's HttpAccess module, we can easily implement IP address access restrictions. For example, we can add the following code:
  1. http {
deny 192.168.1.1;

allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;

location / {
    deny all;
    # ...
}

}

In the above code, we restrict access to the IP address 192.168.1.1, while allowing Access with IP addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

User-Agent access restrictions

User-Agent is a field in the HTTP protocol that indicates the type, version and operating system of the browser or other client. Malicious attackers may gain access to our servers by forging User-Agents. To limit this attack, we need to implement User-Agent access restrictions.

    By using Nginx's HttpMap module, we can easily implement User-Agent access restrictions. For example, we can add the following code:
  1. http {
map $http_user_agent $limit_user_agent {
    default    0;
    ~*bot     1;
    ~*spider  1;
    ~*crawler 1;
}

limit_conn_zone $binary_remote_addr zone=mylimit:10m;

server {
    if ($limit_user_agent) {
        return 503;
    }

    limit_conn mylimit 1;
}

}

In the above code, we define a mapping called $limit_user_agent that will User- Agent matches whether it is a crawler or robot in the variable $limit_user_agent. If so, a 503 error is returned, indicating that the server is busy, otherwise access is allowed.

The above is a method to restrict various malicious accesses by using Nginx. The combination of different restriction methods can better protect the security of our servers. At the same time, we also need to pay attention to timely updating various components and software of the server, as well as some protective measures, such as installing firewalls, disabling unnecessary services, etc., to ensure that our servers always maintain the best security status.

The above is the detailed content of How to use Nginx to restrict various malicious accesses. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn