如何使用Nginx防御DDOS和CC攻击

来自:互联网
时间:2020-03-18
阅读:

刚刚把博客更换了新的服务器,既然调整就一次到位,把Nginx防御DDOS和CC也加上。

加载HTTP段

##
    #  基础配置
    ##
    keepalive_timeout    10;
    server_tokens off;
    types_hash_max_size  2048;
    ##
    # 主要配置
    ##
    sendfile     on;
    tcp_nopush   on;
    tcp_nodelay  on;
    open_file_cache            max=50000  inactive=20s; 
    open_file_cache_valid      30s; 
    open_file_cache_min_uses   2;
    open_file_cache_errors     on;
    reset_timedout_connection  on;
    client_body_timeout        10;
    send_timeout               2;
    ##
    # DDoS 和 CC 防御配置,主要是限制链接数,详细:http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
    ##
    client_body_buffer_size      128k;
    large_client_header_buffers  4 32k;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    client_max_body_size 50m;

    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
    limit_conn conn_limit_per_ip 20;
    limit_req zone=req_limit_per_ip burst=20;


完整的nginx配置文件
[root@affdalao ~]# cat /etc/nginx/nginx.conf 
user  nobody;
worker_processes  auto;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
worker_rlimit_nofile 1024;


events {
    use epoll;
    worker_connections  1024;
    multi_accept on;

}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  mAIn  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    
    ##
    # 基础配置
    ##
    keepalive_timeout    10;
    server_tokens off;
    types_hash_max_size  2048;
    ##
    # 主要配置
    ##
    sendfile     on;
    tcp_nopush   on;
    tcp_nodelay  on;
    open_file_cache            max=50000  inactive=20s; 
    open_file_cache_valid      30s; 
    open_file_cache_min_uses   2;
    open_file_cache_errors     on;
    reset_timedout_connection  on;
    client_body_timeout        10;
    send_timeout               2;
    ##
    # DDoS 和 CC 防御配置,主要是限制链接数,详细:http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
    ##
    client_body_buffer_size      128k;
    large_client_header_buffers  4 32k;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    client_max_body_size 50m;

    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
    limit_conn conn_limit_per_ip 20;
    limit_req zone=req_limit_per_ip burst=20;

    fastcgi_connect_timeout 300; #如果你不使用FastCGI,请用井号注释该段每一行
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    gzip on; #如果你不使用GZip,请用井号注释该段每一行
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types       text/plain application/JavaScript text/CSS application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary off;
    gzip_proxied        expired no-cache no-store private auth;
    gzip_disable        "MSIE [1-6].";

    include /etc/nginx/conf.d/*.conf;
}
返回顶部
顶部