* Tips * Limit DDOS risk
Idea: limit to 100 requests or connections per IP
vi /etc/nginx/nginx.conf
At the beginning of the http block, add:
#Max request per ip
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;
#Max Connect per ip
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;
Then restart NGINX via service nginx restart
Thanks to Noobunbox
Re: * Tips * Limit DDOS risk
Good information.
Thank you
Re: * Tips * Limit DDOS risk
Are you sure this will work fine with Cloudflare?
Re: * Tips * Limit DDOS risk
I think maybe it will work if you restore the original visitor's IP: https://support.cloudflare.com/hc/en-us ... ith-Nginx-
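Added example (not part of the thread and not nginx's own code): a small Python model of how `limit_req` accounts requests with the first post's `rate=100r/s burst=100 nodelay`, showing why the zone key has to be the restored visitor IP when a proxy such as Cloudflare sits in front. The 50 clients at 10 r/s each and the single shared proxy address are constructed assumptions.

```python
"""Model of nginx limit_req accounting (burst + nodelay), thread settings."""

RATE = 100   # rate=100r/s from the first post
BURST = 100  # burst=100 from the first post


class LimitReqZone:
    """State per zone key; 'excess' is counted in 1/1000 of a request."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.nodes = {}  # key -> (excess, time of last accepted request in ms)

    def allow(self, key, now_ms):
        if key not in self.nodes:            # first request from this key
            self.nodes[key] = (0, now_ms)
            return True
        excess, last = self.nodes[key]
        # drain rate/1000 requests per elapsed ms, then add this request
        excess = max(excess - self.rate * (now_ms - last) + 1000, 0)
        if excess > self.burst * 1000:
            return False                     # rejected, state is not updated
        self.nodes[key] = (excess, now_ms)
        return True


def simulate(clients, per_client_rps, seconds, key_of):
    """Replay evenly spaced requests; key_of(client) is the zone key nginx
    would see. Returns the number of rejected requests."""
    zone, rejected = LimitReqZone(), 0
    step_ms = 1000 // per_client_rps
    for now in range(0, seconds * 1000, step_ms):
        for client in range(clients):
            if not zone.allow(key_of(client), now):
                rejected += 1
    return rejected


def instant_burst_accepted(n):
    """How many of n simultaneous requests from one key are accepted."""
    zone = LimitReqZone()
    return sum(zone.allow("one-client", 0) for _ in range(n))


if __name__ == "__main__":
    # Constructed traffic: 50 well-behaved visitors, 10 r/s each, 10 seconds.
    per_ip = simulate(50, 10, 10, key_of=lambda c: f"client-{c}")
    shared = simulate(50, 10, 10, key_of=lambda c: "proxy-address")
    print("rejected, keyed on restored visitor IP:", per_ip)
    print("rejected, keyed on one proxy address:  ", shared)
    print("accepted out of 150 at once:", instant_burst_accepted(150))
```

With the proxy address as key, all visitors drain one shared bucket and most of their legitimate requests are rejected; keyed on the restored IP, none are.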
Re: * Tips * Limit DDOS risk
dreiggy wrote: ↑Fri Jul 06, 2018 9:49 pm
> I think maybe it will work if you restore the original visitor's IP: https://support.cloudflare.com/hc/en-us ... ith-Nginx-

Yes, the original IP is already being restored via the nginx config, but I have a question.
1. Do I have to put the request limit config lines after the following code or before it? Will this matter?
# use any of the following two
real_ip_header CF-Connecting-IP;
Re: * Tips * Limit DDOS risk
hassaan wrote: ↑Sat Jul 07, 2018 5:27 am
> 1. Do I have to put the request limit config lines after the following code or before it? Will this matter?
> 2. Can you post request limit config code for Apache?
> # use any of the following two
> real_ip_header CF-Connecting-IP;

1. I cannot tell ;) Need to try. But I think you should add them after IP restoration.
2. I too have never tried limiting bandwidth, but you can refer to this Apache documentation article. You can try to create a global include in the conf.d directory, for example limit_conn.conf, with something like this:
<Location "/">
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 400
SetEnv rate-initial-burst 512
</Location>