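Discussing Anti-Crawler and Anti-DDoS Strategies for the Nginx Server
Nginx is a high-performance web server and reverse proxy server with strong anti-crawler and anti-DDoS capabilities. This article discusses Nginx's anti-crawler and anti-DDoS strategies and gives code examples for each.
1. Anti-crawler strategies
A crawler is an automated program that collects data from specific websites on the Internet. Some crawlers place a heavy load on a site and seriously affect its normal operation. Nginx can guard against malicious crawler behaviour with the following strategies:
User-Agent filtering
Crawlers usually identify themselves with a specific User-Agent string. Adding the following code to the Nginx configuration file denies access to selected User-Agents: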
    # Place inside a server or location block.
    # ~* is a case-insensitive regular-expression match.
    if ($http_user_agent ~* (Baiduspider|Googlebot|Yandex)) {
        return 403;
    }
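The code above denies access to the Baidu spider, the Google crawler and the Yandex crawler. Because the User-Agent header is set by the client, this only stops crawlers that identify themselves honestly.
IP request-rate limiting
The ngx_http_limit_req_module module can limit the request rate per IP address. Here is a code example: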
    http {
        # One shared 10 MB zone named "one", keyed by client address
        limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;

        server {
            location / {
                limit_req zone=one burst=20 nodelay;
                ...
            }
        }
    }
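The code above limits each IP address to at most 100 requests per minute; requests over the limit are delayed or rejected. With the burst=20 nodelay setting shown here, up to 20 excess requests are served immediately and anything beyond that is rejected.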
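The accounting behind the limit_req settings above, as an added example that is not part of the original article and is not nginx source code: a simplified Python model of the per-key "excess" counter, with hypothetical class and function names and a constructed client address. It shows that rate=100r/m is enforced as one request per 600 ms rather than as a per-minute quota, so a client sending 100 requests at once gets only 21 through (1 plus burst=20).

```python
# Added example: simplified model of nginx limit_req accounting (not nginx source).
# Assumption: nginx tracks time in milliseconds and counts in 1/1000 of a request.

class LimitReqZone:
    """One 'excess' counter per key, like a zone keyed by $binary_remote_addr."""

    def __init__(self, rate_per_min, burst):
        self.rate = rate_per_min * 1000 // 60   # milli-requests drained per second
        self.burst = burst * 1000               # allowed excess, in milli-requests
        self.state = {}                         # key -> (excess, last_seen_ms)

    def request(self, key, now_ms):
        """Return True if the request is passed, False if it is rejected."""
        if key not in self.state:
            self.state[key] = (0, now_ms)       # first request from a key passes
            return True
        excess, last_ms = self.state[key]
        elapsed = max(0, now_ms - last_ms)
        # Drain the bucket for the elapsed time, then charge this request.
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return False                        # rejected; counter is not updated
        self.state[key] = (excess, now_ms)
        return True


def count_passed(zone, key, arrival_times_ms):
    """Feed the arrival times (ms) for one key and count the passed requests."""
    return sum(zone.request(key, t) for t in arrival_times_ms)


if __name__ == "__main__":
    client = "203.0.113.7"                      # constructed sample address
    flood = LimitReqZone(rate_per_min=100, burst=20)
    print("100 requests at once:", count_passed(flood, client, [0] * 100), "passed")

    steady = LimitReqZone(rate_per_min=100, burst=20)
    one_per_second = range(0, 60_000, 1000)     # 60 requests spread over a minute
    print("1 request/second:", count_passed(steady, client, one_per_second), "passed")
```

Rejected requests receive the status set by limit_req_status, which defaults to 503.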
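2. Anti-DDoS strategies
A distributed denial-of-service (DDoS) attack overloads the target server with a large volume of malicious traffic. Nginx can use the following strategies to withstand DDoS attacks:
Connection limiting
The ngx_http_limit_conn_module module can limit the number of simultaneous connections per IP address. Here is a code example: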
    http {
        # One shared 10 MB zone named "concurrent", keyed by client address
        limit_conn_zone $binary_remote_addr zone=concurrent:10m;

        server {
            location / {
                limit_conn concurrent 50;
                ...
            }
        }
    }
The code above limits each IP address to at most 50 simultaneous connections.
Request size limiting
The client_body_buffer_size and client_max_body_size parameters limit the size of a request, so that malicious oversized requests cannot overload the server. Here is a code example:
    http {
        # In-memory buffer for the request body
        client_body_buffer_size 10K;
        # Largest request body that is accepted
        client_max_body_size 10m;

        server {
            location / {
                ...
            }
        }
    }
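The code above limits the request body to at most 10 MB. Larger requests are rejected with 413 (Request Entity Too Large).
In summary, the Nginx server has strong anti-crawler and anti-DDoS capabilities. User-Agent filtering, IP request-rate limiting, connection limiting and request size limiting together protect the server effectively from the impact of crawlers and DDoS attacks.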
ÒÔÉϾÍÊÇÌÖÂÛNginxЧÀÍÆ÷µÄ·´ÅÀ³æºÍ·´DDoS¹¥»÷Õ½ÂÔµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡