首页 > nginx > 转老外一篇NGINX 防DDOS配置

转老外一篇NGINX 防DDOS配置

2011年1月19日 eric 发表评论 阅读评论

FreeBSD, network card: Intel fxp, port: 100Мбит, polling, http accept-filter.
in sysctl:

sysctl kern.maxfiles=90000
           sysctl kern.maxfilesperproc=80000
           sysctl net.inet.tcp.blackhole=2
           sysctl net.inet.udp.blackhole=1
           sysctl kern.polling.burst_max=1000
           sysctl kern.polling.each_burst=50
           sysctl kern.ipc.somaxconn=32768
           sysctl net.inet.tcp.msl=3000
           sysctl net.inet.tcp.maxtcptw=40960
           sysctl net.inet.tcp.nolocaltimewait=1
           sysctl net.inet.ip.portrange.first=1024
           sysctl net.inet.ip.portrange.last=65535
           sysctl net.inet.ip.portrange.randomized=0

in nginx configuration:

  worker_processes 1;
           worker_rlimit_nofile 80000;
           events {
               worker_connections 50000;
           }

           server_tokens off;
           log_format IP `$remote_addr';
           reset_timedout_connection on;

           listen  xx.xx.xx.xx:80  default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;
 

In the following way it is possible to realize filtration of url, in example for POST
index.php?action=login which is with empty referral.

   set $add 1;
           location /index.php {
                   limit_except GET POST {
                        deny all;
               }
               set $ban "";
               if ($http_referer = "" ) {set $ban $ban$add;}
               if ($request_method = POST ) {set $ban $ban$add;}
               if ($query_string = "action=login" ){set $ban $ban$add;}
               if ($ban = 111 ) {
                   access_log /var/log/[133]nginx/ban IP;
                   return 404;
               }
               proxy_pass http://127.0.0.1:8000; #here is a patch
           }
 

Further we cut it at pf level – loaded into IP table, hosts from which came too many hits.
PF with tables works very quickly. Sources for parsing of logs (ddetect) you can find on http://www.comsys.com.ua/files
Then Cron used once in a minute, to add into ip tables new IPs from a log.
25 Mbyte DDoS, which cuts IPs, the rests fall on nginx which by it is criterion pass IPs and the rests passed on the apache – LA 0, site works.

转载请注明:文章转载自:Eric's linux and nginx! (http://www.nginxs.com)
本文地址:http://www.nginxs.com/linux/433.html

分类: nginx 标签: , ,
  1. 2011年10月26日16:09 | #1

    sysctl net.inet.ip.portrange.first=1024
    ========================
    从1024开始占用,也忒狠了点吧。监听3306,5432,10024这些端口的程序表示有压力

您必须在 登录 后才能发布评论.