| From | Sent On | Attachments |
|---|---|---|
| Shark Fin Soup | Feb 22, 2007 8:41 pm | |
| Igor Sysoev | Feb 22, 2007 10:08 pm | |
| Shark Fin Soup | Feb 23, 2007 12:11 am | |
| Igor Sysoev | Feb 23, 2007 3:51 am | |

| Subject: | Re: Denial of service prevention | |
|---|---|---|
| From: | Shark Fin Soup (shar...@public.gmane.org) | |
| Date: | Feb 23, 2007 12:11:37 am | |
| List: | ru.sysoev.nginx | |

Dear Igor,

This is my config file. How would I use that feature? I tried it last week and could not get it to work. My config file is not very straightforward. I want to make sure that I cannot receive more than 10 concurrent connections from a single IP address.

```nginx
user www www;
worker_processes 6;
pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    #limit_zone one $binary_remote_addr 10m;
    # limit_conn one 10;
    include conf/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log logs/access.log main;
    rewrite_log on; # I have yet to find where this gets saved to :(

    client_max_body_size 100M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # domain1 ------------------------------------------------------

    # this describes the Mongrel cluster to nginx
    upstream my_web {
        server 127.0.0.1:10000;
        server 127.0.0.1:10001;
        server 127.0.0.1:10002;
        server 127.0.0.1:10003;
        server 127.0.0.1:10004;
        server 127.0.0.1:10005;
        server 127.0.0.1:10006;
        server 127.0.0.1:10007;
        server 127.0.0.1:10008;
        server 127.0.0.1:10009;
    }

    server {
        listen 80;
        server_name my_web.com *.my_web.com;

        # separate access and error logs for this domain
        access_log logs/access.my_web.log main;
        error_log logs/error.my_web.log debug;

        # catch non-dynamic requests and serve them up directly
        location ~ ^/$ {
            if (-f /index.html){
                rewrite (.*) /index.html last;
            }
            proxy_pass http://my_web; # proxy to the Mongrel cluster described above
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            if (!-f $request_filename.html) {
                proxy_pass http://my_web;
            }
            rewrite (.*) $1.html last;
        }

        location ~ .html {
            root /home/www/my_web.com/public/;
        }

        location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mov|flv)$ {
            root /home/www/my_web.com/public/;
        }

        # proxy dynamic requests to Mongrel
        location / {
            proxy_pass http://my_web;
            proxy_redirect off;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

On Feb 23, 2007, at 1:09 PM, Igor Sysoev wrote:

On Fri, Feb 23, 2007 at 11:41:33AM +0700, Shark Fin Soup wrote:

Is there an equivalent of mod_evasive (for Lighttpd) that I can use?

I run Nginx for a Rails app, using Nginx to serve static content and Mongrel to serve Rails content. It works very well. But I get the occasional DOS that I could divert with mod_evasive. I would like the same for Nginx.

The ngx_http_limit_zone allows similar functionality: http://wiki.codemongers.com/NginxHttpLimit_zoneModule

-- Igor Sysoev http://sysoev.ru/en/
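
The per-address connection cap discussed in this thread, as an added example that is not part of the original messages and is not the poster's or Igor Sysoev's configuration. The zone name `perip`, the shortened upstream list, and the 429 status are assumptions chosen for illustration; the upstream and host names are taken from the posted config.

```nginx
# Added example (assumption-labelled): cap concurrent connections per client IP.
events {
    worker_connections 1024;
}

http {
    # Thread-era syntax (2007), matching the commented-out lines in the post:
    #   limit_zone  perip  $binary_remote_addr  10m;
    # Current syntax: limit_conn_zone replaced limit_zone in nginx 1.1.8.
    # The zone must be declared at http level; "perip" is a hypothetical name.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Rejected requests are written to error_log at this level, which gives
    # operations a signal to alert on when one address hits the cap.
    limit_conn_log_level warn;
    # Default rejection status is 503; 429 is an assumption for this example.
    limit_conn_status 429;

    upstream my_web {
        server 127.0.0.1:10000;
        server 127.0.0.1:10001;
    }

    server {
        listen 80;
        server_name my_web.com *.my_web.com;

        # At most 10 simultaneous connections per client address.
        # Set at server level so every location below inherits it,
        # static files and proxied Mongrel requests alike.
        limit_conn perip 10;

        location / {
            proxy_pass http://my_web;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

nginx counts a connection against the limit only while it has a request being processed and the whole request header has been read, and all clients behind one NAT address share the same counter.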





