* Tips * Limit DDOS risk

[mephivio]

Idea : limit 100 requests or connects per ip

vi /etc/nginx/nginx.conf

at the begining of the http, add:

#Max request per ip
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;
#Max Connect per ip
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;

Then, Restart NGINX via service nginx restart

thanks to Noobunbox

[mehargags]

Good information.
Thank you

[hassaan]

Are sure this will work fine with cloud-flare?

[dreiggy]

Are sure this will work fine with cloud-flare?

I think maybe it will work if You restore original visitors IP: https://support.cloudflare.com/hc/en-us ... ith-Nginx-

[hassaan]

I think maybe it will work if You restore original visitors IP: https://support.cloudflare.com/hc/en-us ... ith-Nginx-

Yes, original IP is already restoring via nginx config But I have question.

1. I have to put request limit config lines after the following code or before the following code? Does this will matter?

Code: Select all

# use any of the following two
real_ip_header CF-Connecting-IP;

2. Can you post request limit config code for Apache?

[dreiggy]

1. I have to put request limit config lines after the following code or before the following code? Does this will matter?

Code: Select all

# use any of the following two
real_ip_header CF-Connecting-IP;

2. Can you post request limit config code for Apache?

1. I cannot tell ;) Need to try. But I think You should add after IP restoration.
2. I too never try limiting bandwitch, but You can refer to this apache documentation article. You can try to create global include in conf.d directory for example limit_conn.conf with something like this:

Code: Select all

<Location "/">
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 400 
    SetEnv rate-initial-burst 512
</Location>