Nginx access restriction configuration to prevent malicious access and crawler attacks

Nginx access restriction configuration to prevent malicious access and crawler attacks

Introduction:
In today's Internet era, malicious access and crawler attacks have become a great security threat. As a high-performance web server and reverse proxy server, Nginx can restrict access through some configurations to protect the website from these attacks. This article will introduce some commonly used Nginx access restriction configurations, with code examples.

1. IP blacklist and whitelist restrictions

1. IP blacklist restrictions
   If you want to restrict access to a certain IP address, you can use the ngx_http_access_module module that comes with Nginx.

http {
    # 创建一个blacklist.conf文件来存储黑名单的IP地址
    include blacklist.conf;
    server {
        location / {
            # 在这里设置黑名单的访问规则
            deny 192.168.1.100;
            deny 192.168.1.0/24;
            deny 10.0.0.0/8;
            # 其他配置...
        }
    }
}

The above configuration is simple and clear. You can use deny directly in the location block to deny access to the specified IP address or IP address range.

2. IP whitelist restrictions
   Contrary to the IP blacklist, if you want to only allow access to certain IP addresses and deny other IP addresses, you can use the allow command.

http {
    # 创建一个whitelist.conf文件来存储白名单的IP地址
    include whitelist.conf;
    server {
        location / {
            # 在这里设置白名单的访问规则
            allow 192.168.1.100;
            allow 192.168.1.0/24;
            allow 10.0.0.0/8;
            # 最后拒绝所有其他访问
            deny all;
            # 其他配置...
        }
    }
}

In the above configuration, use the allow command to allow access to the specified IP address or IP address range, and deny all to deny access to all other IP addresses.

2. User-Agent restriction
Some crawler attacks will use fake User-Agent to access, so we can prevent such attacks by restricting User-Agent.

http {
    server {
        location / {
            # 在这里设置拒绝某些特定User-Agent的访问
            if ($http_user_agent ~* (curl|wget) ) {
                return 403;
            }
            # 其他配置...
        }
    }
}

In the above configuration, use the if command plus a regular expression to match a specific User-Agent, and then use the return command to return 403 Forbidden.
In this way, requests to try to access the website using tools such as curl or wget will be rejected.

3. Frequency Limitation
In order to prevent DDoS attacks and brute force cracking, you can set access frequency limits.

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=2r/s;
    server {
        location / {
            # 在这里设置访问频率限制
            limit_req zone=one burst=10 nodelay;
            # 其他配置...
        }
    }
}

In the above configuration, use the limit_req_zone command to create a memory area to store IP addresses. The name is one, the size is 10m, and the access frequency is set to 2r/s. Then use the limit_req command in the location block to limit the frequency. The burst parameter indicates the buffer size when access is exceeded, and nodelay indicates that the request should be processed immediately.

Summary:
Through the above configuration examples of IP black and white list restrictions, User-Agent restrictions and frequency restrictions, we can effectively prevent malicious access and crawler attacks. Of course, the specific configuration can be adjusted according to actual needs. Finally, I hope the above content can be helpful to your Nginx access restriction configuration.

The above is the detailed content of Nginx access restriction configuration to prevent malicious access and crawler attacks. For more information, please follow other related articles on the PHP Chinese website!