
@ngvannguyen
Forked from prasetiyohadi/nginx.conf
Created February 22, 2023 02:09

Revisions

  1. @prasetiyohadi prasetiyohadi created this gist Dec 23, 2015.
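--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,100 @@
+# Source: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
+# DDOS characteristics:
+# - traffic originates from a fixed set of IP addresses, much higher than requests from forward proxies
+# - traffic is much higher than a human user can generate
+# - The User-Agent header is sometimes set to a non-standard value
+# - The Referer header is sometimes set to a value you can associate with the attack
+
+# Limiting the rate of requests (example: 30 connection per minute per IP or allow request only every 2 seconds)
+limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+
+server {
+...
+location /login.html {
+limit_req zone=one;
+...
+}
+}
+
+# Limiting the number of connections (example: maximum number of connections is 10 per ip)
+limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+server {
+...
+location /store/ {
+limit_conn addr 10;
+...
+}
+}
+
+# Closing slow connection
+server {
+client_body_timeout 5s;
+client_header_timeout 5s;
+...
+}
+
+# Blacklisting IP addresses
+server {
+location / {
+deny 123.123.123.0/28;
+...
+}
+
+location / {
+deny 123.123.123.3;
+deny 123.123.123.5;
+deny 123.123.123.7;
+...
+}
+}
+
+# Whitelisting IP addresses
+server {
+location / {
+allow 192.168.1.0/24;
+deny all;
+...
+}
+}
+
+# Using chaching to smooth traffic spikes
+# absorb much of traffic spike that results from an attack by enabling caching and setting certain chaching parameters to offload requests from backend
+# The **updating** parameter to the **proxy_cache_use_stale** directive tells Nginx that when it needs to fetch an update of a stale cached object, it should send just one request for the update, and continue to serve the stale object to clients who request it during the time it takes to receive the update from the backend server
+# The key defined by the **proxy_cache_key** directive usually consists of embedded variables (the default key, $scheme$proxy_host$request_uri, has three variables)
+# If the value includes the $query_string variable, then an attack that sends random query strings can cause excessive caching
+# We recommend that you don’t include the $query_string variable in the key unless you have a particular reason to do so
+
+# Blocking requests
+# - requests to a specific URL that seems to be targeted
+# - requests in which the User-Agent header is set to a value that does not correspond to normal client traffic
+# - requests in which the Referer header is set to a value that can be associated with an attack
+# - requests in which other headers have values that can be associated with an attack
+
+server {
+location /foo.php {
+deny all;
+}
+}
+
+server {
+location / {
+if ($http_user_agent ~* foo|bar) {
+return 403;
+}
+...
+}
+}
+
+# Limiting the connections to background servers
+upstream website {
+server 192.168.100.1:80 max_conns=200;
+server 192.168.100.2:80 max_conns=200;
+queue 10 timeout=30s;
+}
+
+# Dealing with range based attacks
+# See gist https://gist.github.com/prasetiyohadi/b55a79a83c8973856c6f
+
+# Handling high loads
+# See gist https://gist.github.com/prasetiyohadi/c24112871943aa21d1bc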
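Review bot: Both `limit_req_zone` and `limit_conn_zone` key on `$binary_remote_addr`, which is the address of the immediate TCP peer, so if this nginx sits behind a load balancer or CDN every client collapses onto the proxy's address and the limits throttle all of them together. In that deployment the real client address has to be restored first with `set_real_ip_from <proxy CIDR>;` and `real_ip_header X-Forwarded-For;` (ngx_http_realip_module), trusting only the proxy range, before either zone is meaningful; a comment stating that assumption next to the zone definitions would help. `limit_req zone=one;` without a `burst` parameter rejects any request arriving less than 2 s after the previous one from the same address, with 503 by default, so a small `burst=` (and `limit_req_status 429;` if clients should be able to tell the rejection from a backend outage) is usually wanted. The `queue` directive in the `upstream` block is NGINX Plus only and fails the config test on open-source nginx, which the snippet should say, and the two `location /` blocks inside the blacklisting `server` appear to be alternatives from the source article rather than a loadable pair, since duplicate locations in one server are rejected.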