Making nginx withstand flood attacks
- by Tiffany Walker
How can I make it stand stand against attacks better? Are their plugins.
Looking for a way to RATE LIMIT and remain up and not slow down.
My Setup:
user nobody;
# no need for more workers in the proxy mode
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
worker_priority -2;
error_log /var/log/nginx/error.log info;
worker_rlimit_nofile 40480;
events {
worker_connections 5120; # increase for busier servers
use epoll; # you should use epoll here for Linux kernels 2.6.x
}
http {
server_name_in_redirect off;
server_names_hash_max_size 10240;
server_names_hash_bucket_size 1024;
include mime.types;
default_type application/octet-stream;
server_tokens off;
disable_symlinks if_not_owner;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 5;
gzip on;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
gzip_proxied any;
gzip_http_version 1.1;
gzip_min_length 1000;
gzip_comp_level 9;
gzip_buffers 16 8k;
# You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU
gzip_types text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml;
ignore_invalid_headers on;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
reset_timedout_connection on;
connection_pool_size 256;
client_header_buffer_size 256k;
large_client_header_buffers 4 256k;
client_max_body_size 200M;
client_body_buffer_size 128k;
request_pool_size 32k;
output_buffers 4 32k;
postpone_output 1460;
proxy_temp_path /tmp/nginx_proxy/;
client_body_in_file_only on;
log_format bytes_log "$msec $bytes_sent .";
include "/etc/nginx/vhosts/*";
}
vhost file:
server {
error_log /var/log/nginx/vhost-error_log warn;
listen 194.145.208.19:80;
server_name ipxnow.in www.ipxnow.in;
access_log /usr/local/apache/domlogs/ipxnow.in-bytes_log bytes_log;
access_log /usr/local/apache/domlogs/ipxnow.in combined;
root /home/ipxnowin/public_html;
location / {
location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
expires 7d;
try_files $uri @backend;
}
error_page 405 = @backend;
add_header X-Cache "HIT from Backend";
proxy_pass http://194.145.208.19:8081;
include proxy.inc;
}
location @backend {
internal;
proxy_pass http://194.145.208.19:8081;
include proxy.inc;
}
location ~ .*\.(php|jsp|cgi|pl|py)?$ {
proxy_pass http://194.145.208.19:8081;
include proxy.inc;
}
location ~ /\.ht {
deny all;
}
}
and proxy.inc:
proxy_connect_timeout 59s;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass_header Set-Cookie;
proxy_redirect off;
proxy_hide_header Vary;
proxy_set_header Accept-Encoding '';
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
