Nginx Security Access Configuration

Keywords: Linux Nginx PHP network iptables

Website system security configuration (Nginx) protects a site against malicious attacks. DDoS, CC and similar attacks all work the same way: they send a flood of request data at the server.

  • Nginx Active Defense Method
    Nginx has two modules that control the "number" and "speed" of user connections, namely:
    HttpLimitZoneModule (limit_conn): limits the number of concurrent connections per key
    HttpLimitReqModule (limit_req): limits the request rate, i.e. the maximum number of requests per second
    Both modules can easily interfere with normal business traffic. The maximum requests per second and the concurrent-connection limit must not be set too tightly; otherwise both limits fire indiscriminately and legitimate client requests are blocked along with the abusive ones.
  • Normal configuration for Nginx
    Configured in the http block:

    # The user's IP address, $binary_remote_addr, is the key; each IP address may hold at most 50 concurrent connections
    # Flooding with thousands of connections? Past 50 connections nginx returns 503 directly and does not process the request at all
    # limit single IP 50 concurrent control
    limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m;
    limit_conn  TotalConnLimitZone  50;
    limit_conn_log_level notice;
    
    # The user's IP address, $binary_remote_addr, is the key; each IP address is served 20 requests per second
    # Scripting hundreds of requests per second? Nothing beyond 20 per second is processed; the excess gets a 503 directly
    # limit single IP/s 20 Request
    limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m  rate=20r/s;
    limit_req_log_level notice;

    Here "limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m;" defines a shared storage area named TotalConnLimitZone, 20M in size, keyed on the remote IP address; "limit_conn_log_level notice;" sets the log level used when a connection is rejected.
    "limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m rate=20r/s;" defines a storage area named ConnLimitZone whose contents are remote IP addresses, 20M in size, with an average request rate in ConnLimitZone of 20 requests per second; "limit_req_log_level notice;" sets the log level used when a request is rejected.
    The zones above are then referenced in the server block:

    ...
    location /abc/ {
        limit_req zone=ConnLimitZone burst=5 nodelay;
        proxy_pass http://abc_pool/;
    }
    ...

    Here "zone=ConnLimitZone" selects the zone to enforce, matching the name given to limit_req_zone above. burst=5 sets a buffer of 5 requests: when a flood arrives, requests that exceed the rate limit are placed in this buffer first, so roughly the 20 requests per second above plus 5 queued requests are handled. nodelay, if set, serves the buffered requests immediately and returns 503 directly once the rate is exceeded and the buffer is full; if it is not set, the excess requests are queued and released at the configured rate.
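    To make the interplay of rate, burst and nodelay concrete, here is an added Python model of the leaky-bucket accounting behind limit_req. It is not code from the original post and not nginx's own source: it follows the shape of nginx's algorithm (excess tracked in thousandths of a request, drained at the configured rate), but simplifies details such as timer granularity and the newer delay= parameter. The client address 203.0.113.10 and the timestamps are constructed.

```python
"""Leaky-bucket model of nginx limit_req with rate, burst and nodelay.

Added example, not code from the original post and not nginx's source.
Excess is tracked in milli-requests (1000 = one request) and drained at
`rate` requests per second; a request that would push the excess above
burst*1000 is rejected with 503.  Addresses/timestamps are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: float             # requests per second, e.g. 20 for rate=20r/s
    burst: int              # extra requests the bucket may hold, e.g. burst=5
    nodelay: bool = False   # serve buffered requests at once instead of queuing
    # per-key state: [excess in milli-requests, timestamp (ms) of last accounted request]
    state: dict = field(default_factory=dict)

    def handle(self, key: str, now_ms: int):
        """Account one request; return ("ok", delay_ms) or ("503", 0)."""
        if key not in self.state:
            # the first request from a key starts with an empty bucket
            self.state[key] = [0.0, now_ms]
            return ("ok", 0)
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # drain rate*elapsed milli-requests since the last request, then add this one
        excess = max(0.0, excess - self.rate * elapsed + 1000)
        if excess > self.burst * 1000:
            # bucket overflow: rejected, and rejected requests are not accounted
            return ("503", 0)
        self.state[key] = [excess, now_ms]
        if self.nodelay or excess == 0:
            return ("ok", 0)
        # without nodelay the excess is queued and released at `rate` (ms = milli-req / r/s)
        return ("ok", int(excess / self.rate))


def simulate_burst(n: int, rate: float = 20, burst: int = 5, nodelay: bool = True,
                   key: str = "203.0.113.10"):
    """n requests from one client arriving in the same millisecond.

    Returns (accepted, rejected, longest_delay_ms)."""
    zone = LimitReqZone(rate, burst, nodelay)
    results = [zone.handle(key, 0) for _ in range(n)]
    accepted = sum(1 for status, _ in results if status == "ok")
    return accepted, n - accepted, max(delay for _, delay in results)


def simulate_steady(n: int, interval_ms: int, rate: float = 20, burst: int = 5,
                    key: str = "203.0.113.10"):
    """n requests spaced interval_ms apart, without nodelay.

    Returns (accepted, longest_delay_ms)."""
    zone = LimitReqZone(rate, burst, nodelay=False)
    results = [zone.handle(key, i * interval_ms) for i in range(n)]
    accepted = sum(1 for status, _ in results if status == "ok")
    return accepted, max(delay for _, delay in results)


if __name__ == "__main__":
    print("burst of 30, nodelay:    ", simulate_burst(30, nodelay=True))
    print("burst of 30, queued:     ", simulate_burst(30, nodelay=False))
    print("100 req at 50 ms (20/s): ", simulate_steady(100, 50))
    print("100 req at 40 ms (25/s): ", simulate_steady(100, 40))
```

    Running it shows why "20 + 5" is only a rough description: a single simultaneous burst of 30 requests gets the first request plus the 5 burst slots through and the other 24 receive 503 whether or not nodelay is set; nodelay only decides whether those 5 are served at once or spread out at 50 ms intervals. A client that stays at 20 requests per second is never throttled, while one sending 25 per second sees roughly every fifth request rejected once the buffer fills.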

  • Advanced configuration for Nginx
    The above is a simple server-side access-restriction configuration for the simple structure client browser --> system server, with no network acceleration (CDN) in between.
    In many cases the real path is: user browser --> 360 Website Guard acceleration (CDN, 360 anti-CC/DDoS) --> Alibaba Cloud acceleration server (our own CDN, Alibaba Cloud Shield) --> source server (where the PHP programs are deployed, with iptables and the nginx security configuration).
    Several layers of transparent acceleration and security filtering sit between the user and the site, and in that case the "normal configuration" above cannot be used: the source IP address seen by nginx is no longer the IP address of the user but that of the intermediate acceleration server.
    To obtain the real client IP you need the X-Forwarded-For header:
    X-Forwarded-For: user IP, proxy IP, ...
    After multiple proxy layers the user's real IP comes first, followed by the IP addresses of the intermediate proxy servers in order; the real user IP is taken from the first position and the limits are keyed on that address.
    Nginx configuration:

    # Get the original user's IP address here
    map $http_x_forwarded_for $clientRealIp {
        ""                              $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$  $firstAddr;
    }
    
    # limit single IP 50 concurrent control; $binary_remote_addr becomes $clientRealIp, which is now the key
    limit_conn_zone $clientRealIp zone=TotalConnLimitZone:20m;
    limit_conn  TotalConnLimitZone  50;
    limit_conn_log_level notice;
    
    # limit single IP/s 20 Request; $binary_remote_addr becomes $clientRealIp, which is now the key
    limit_req_zone $clientRealIp zone=ConnLimitZone:20m  rate=20r/s;
    limit_req_log_level notice;
    
    # Specific server configuration
    server {
        listen   80;
        location ~ \.php$ {
            limit_req zone=ConnLimitZone burst=5 nodelay;
    
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include        fastcgi_params;
        }
    }
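    The following added Python example (not code from the original post and not part of nginx) reproduces what the map above computes for $clientRealIp, and puts a hardened variant beside it. The variant assumes the operator knows the address ranges of its own CDN/edge servers and only honours X-Forwarded-For when the connection actually arrived through one of them; all addresses and ranges in it are constructed. It also shows two edge cases of the map worth knowing: the map has no default line, so a header the pattern cannot match yields an empty key (nginx does not account requests whose limit key is empty), and the pattern only understands dotted-decimal addresses, so an IPv6 hop is truncated to a meaningless key.

```python
"""Recovering the client IP behind CDN/proxy layers, modelled on the post's map.

Added example, not code from the original post or from nginx.
client_ip_leftmost() reproduces what the post's `map` computes for
$clientRealIp; client_ip_trusted() is an alternative that only honours
X-Forwarded-For when the connection really comes from one of our own
proxies.  All addresses and ranges below are constructed.
"""
import ipaddress
import re

# The same pattern as the post's map: first dotted-decimal token, optional comma, rest.
FIRST_ADDR = re.compile(r"^(?P<firstAddr>[0-9\.]+),?.*$")

# Constructed: ranges of the edge/CDN servers that sit in front of the source server.
TRUSTED_PROXIES = ["10.0.0.0/8", "198.51.100.0/24"]


def client_ip_leftmost(remote_addr: str, xff: str) -> str:
    """$clientRealIp as the post's map defines it.

    An empty header gives $remote_addr.  A header the regex does not match
    gives "" (a map without `default` yields an empty string), and nginx does
    not account a request whose limit_conn/limit_req key is empty.  An IPv6
    first hop is truncated to something like "2001".
    """
    if xff == "":
        return remote_addr
    m = FIRST_ADDR.match(xff)
    return m.group("firstAddr") if m else ""


def client_ip_trusted(remote_addr: str, xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Hardened variant: walk X-Forwarded-For from the right, skipping hops
    that belong to our own proxy ranges; the first hop that is not ours is the
    client.  Anything unparseable, or a connection that did not come through a
    known proxy, falls back to remote_addr so the limit key is never empty."""
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_ours(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None                     # not an IP address at all
        return any(ip in net for net in nets)

    if is_ours(remote_addr) is not True:
        return remote_addr                  # direct connection: header is not trusted
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        ours = is_ours(hop)
        if ours is None:
            return remote_addr              # garbage in the header
        if not ours:
            return hop
    return remote_addr                      # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed requests: (remote_addr as seen by the source server, X-Forwarded-For)
    samples = [
        ("10.0.0.5", "203.0.113.10, 198.51.100.7"),
        ("10.0.0.5", ""),
        ("10.0.0.5", "2001:db8::1, 198.51.100.7"),
        ("10.0.0.5", "abc, 198.51.100.7"),
        ("203.0.113.10", "192.0.2.9"),
    ]
    for remote, xff in samples:
        print(f"{remote:14} {xff!r:34} map={client_ip_leftmost(remote, xff)!r:16} "
              f"trusted={client_ip_trusted(remote, xff)!r}")
```

    For the normal case (user 203.0.113.10 behind the 360 node 198.51.100.7 and the Alibaba Cloud edge 10.0.0.5) both functions agree. They differ when the header is empty of usable data or when the request did not come through a known proxy at all, where the hardened variant keys the limit on the connecting address instead of on whatever the header says. In nginx itself the same effect is obtained by adding a default line to the map, or by using the realip module's set_real_ip_from directives instead of a hand-written map.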
  • test
    How to test the nginx configuration: use the echo module. To check whether the module is available locally, run nginx -V and look for it in the configure arguments; if it is absent, download the module and compile nginx with it.
    The following configuration prints the variable directly:

    server {
        listen       80;
        server_name  www.aaa.com;
    
        ## When a user visits /nginx-test, output the $clientRealIp variable to see the user's source IP address
        location /nginx-test {
            echo $clientRealIp;
        }
    }

    Visit the site's address followed by /nginx-test, download the response and open it in a text editor. You can see that, even after the client has passed through multiple CDN layers, $clientRealIp is still the valid original user IP address.

Posted by cdjaco on Tue, 17 Mar 2020 12:28:51 -0700