#优化:Nginx防御DDOS和CC攻击

时间:2023-03-09 23:46:50
#优化:Nginx防御DDOS和CC攻击 
加载HTTP段

##

    #  基础配置

    ##

    keepalive_timeout    10;

    server_tokens off;

    types_hash_max_size  2048;

    ##

    # 主要配置

    ##

    sendfile     on;

    tcp_nopush   on;

    tcp_nodelay  on;

    open_file_cache            max=50000  inactive=20s;

    open_file_cache_valid      30s;

    open_file_cache_min_uses   2;

    open_file_cache_errors     on;

    reset_timedout_connection  on;

    client_body_timeout        10;

    send_timeout               2;

    ##

    # DDoS 和 CC 防御配置,主要是限制链接数,详细:http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html

    ##

    client_body_buffer_size      128k;

    large_client_header_buffers  4 32k;

    server_names_hash_bucket_size 128;

    client_header_buffer_size 32k;

    client_max_body_size 50m;

    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;

    limit_conn conn_limit_per_ip 20;

    limit_req zone=req_limit_per_ip burst=20;

完整的nginx配置文件

[root@panni ~]# cat /etc/nginx/nginx.conf

user  nobody;

worker_processes  auto;

error_log  /var/log/nginx/error.log;

pid        /var/run/nginx.pid;

worker_rlimit_nofile 1024;

events {

    use epoll;

    worker_connections  1024;

    multi_accept on;

}

http {

    include       /etc/nginx/mime.types;

    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    ##

    # 基础配置

    ##

    keepalive_timeout    10;

    server_tokens off;

    types_hash_max_size  2048;

    ##

    # 主要配置

    ##

    sendfile     on;

    tcp_nopush   on;

    tcp_nodelay  on;

    open_file_cache            max=50000  inactive=20s;

    open_file_cache_valid      30s;

    open_file_cache_min_uses   2;

    open_file_cache_errors     on;

    reset_timedout_connection  on;

    client_body_timeout        10;

    send_timeout               2;

    ##

    # DDoS 和 CC 防御配置,主要是限制链接数,详细:http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html

    ##

    client_body_buffer_size      128k;

    large_client_header_buffers  4 32k;

    server_names_hash_bucket_size 128;

    client_header_buffer_size 32k;

    client_max_body_size 50m;

    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;

    limit_conn conn_limit_per_ip 20;

    limit_req zone=req_limit_per_ip burst=20;

    fastcgi_connect_timeout 300; #如果你不使用FastCGI,请用井号注释该段每一行

    fastcgi_send_timeout 300;

    fastcgi_read_timeout 300;

    fastcgi_buffer_size 64k;

    fastcgi_buffers 4 64k;

    fastcgi_busy_buffers_size 128k;

    fastcgi_temp_file_write_size 256k;

    gzip on; #如果你不使用GZip,请用井号注释该段每一行

    gzip_min_length  1k;

    gzip_buffers     4 16k;

    gzip_http_version 1.0;

    gzip_comp_level 2;

    gzip_types       text/plain application/javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;

    gzip_vary off;

    gzip_proxied        expired no-cache no-store private auth;

    gzip_disable        "MSIE [1-6]\.";

    include /etc/nginx/conf.d/*.conf;

}

相关文章