To stop an attacker from hammering your server address with concurrent requests, the following configuration picks up the attacking address dynamically and applies rate and concurrency limits to it, while internal testers or specified IPs and IP ranges are whitelisted and never limited.

Original configuration (placed in the http block so that it applies globally):

http {
    ......
    limit_conn_log_level error;
    limit_conn_status 503;
    # without the geo/map whitelist below, the key is the client address itself
    limit_conn_zone $binary_remote_addr zone=one:10m;
    limit_conn one 50;
    limit_req_zone $binary_remote_addr zone=req_one:100m rate=20r/s;
    limit_req zone=req_one burst=60 nodelay;
    ......
}

Testing with ab, every IP is rate-limited by default:

[root@localhost ~]# ab -n 1110 -c 1110 url
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking xx.xxxx.com (be patient)
Completed 111 requests
Completed 222 requests
Completed 333 requests
Completed 444 requests
Completed 555 requests
Completed 666 requests
Completed 777 requests
Completed 888 requests
Completed 999 requests
Completed 1110 requests
Finished 1110 requests

Server Software:        nginx
Server Hostname:        xx.xxxx.com
Server Port:            80

Document Path:          /webviews/certification.html
Document Length:        1131 bytes

Concurrency Level:      1110
Time taken for tests:   0.212 seconds
Complete requests:      1110
Failed requests:        1046
   (Connect: 0, Receive: 0, Length: 1046, Exceptions: 0)
Write errors:           0
Non-2xx responses:      1046
Total transferred:      491628 bytes
HTML transferred:       287860 bytes
Requests per second:    5224.66 [#/sec] (mean)
Time per request:       212.454 [ms] (mean)
Time per request:       0.191 [ms] (mean, across all concurrent requests)
Transfer rate:          2259.81 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   66   2.7     67      68
Processing:    58   66   6.1     65      85
Waiting:        1   60  10.3     59      85
Total:         68  132   4.8    131     145

Percentage of the requests served within a certain time (ms)
  50%    131
  66%    132
  75%    133
  80%    135
  90%    138
  95%    142
  98%    144
  99%    144
 100%    145 (longest request)

Failed requests: 1046 shows that the rate limit took effect.

Adding the whitelist configuration:

geo $whiteiplist {
    default 1;
    172.16.191.0/24 0;
    192.168.6.0/24 0;
    10.100.11.185 0;
}

map $whiteiplist $limit {
    1 $binary_remote_addr;
    0 "";
}

limit_conn_log_level error;
limit_conn_status 503;
limit_conn_zone $limit zone=one:10m;
limit_conn one 50;
limit_req_zone $limit zone=req_one:100m rate=20r/s;
limit_req zone=req_one burst=60 nodelay;

Explanation: the geo directive defines the whitelist variable $whiteiplist with a default value of 1, meaning every client is limited. If the client IP matches one of the listed addresses or ranges, $whiteiplist is set to 0, meaning that client is not limited. The map directive maps a $whiteiplist value of 1 (a limited client) to the client address $binary_remote_addr, and a value of 0 (a whitelisted client) to an empty string. limit_conn_zone and limit_req_zone ignore requests whose key is empty, so the listed IPs are never limited.

Running the same ab test to check whether the whitelist works:

[root@localhost ~]# ab -n 1110 -c 1110 url
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking xx.xxxx.com (be patient)
Completed 111 requests
Completed 222 requests
Completed 333 requests
Completed 444 requests
Completed 555 requests
Completed 666 requests
Completed 777 requests
Completed 888 requests
Completed 999 requests
Completed 1110 requests
Finished 1110 requests

Server Software:        nginx
Server Hostname:        xx.xxxxx.com
Server Port:            80

Document Path:          /webviews/certification.html
Document Length:        1131 bytes

Concurrency Level:      1110
Time taken for tests:   0.249 seconds
Complete requests:      1110
Failed requests:        0
Write errors:           0
Total transferred:      1524030 bytes
HTML transferred:       1255410 bytes
Requests per second:    4461.07 [#/sec] (mean)
Time per request:       248.819 [ms] (mean)
Time per request:       0.224 [ms] (mean, across all concurrent requests)
Transfer rate:          5981.50 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   45   6.3     45      56
Processing:    34   90  40.2     89     157
Waiting:        1   90  40.6     89     157
Total:         57  135  34.2    134     192

Percentage of the requests served within a certain time (ms)
  50%    134
  66%    155
  75%    166
  80%    172
  90%    183
  95%    189
  98%    191
  99%    192
 100%    192 (longest request)

This time Failed requests: 0, so the whitelist is working.
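The following Python script is an added example, not part of the original post or of nginx itself. It models how the geo + map pair above derives the $limit key (empty string for whitelisted clients, the packed client address otherwise) and how a limit_req zone with rate=20r/s, burst=60 and nodelay treats a burst of requests from a limited versus a whitelisted client. The whitelist ranges are the ones from the post; the client addresses and the LeakyBucket model are constructed for illustration.

```python
import ipaddress

# Whitelist from the geo block above (geo -> 0 for these, 1 for everything else).
WHITELIST = [ipaddress.ip_network(n) for n in
             ("172.16.191.0/24", "192.168.6.0/24", "10.100.11.185/32")]


def limit_key(client_ip: str) -> bytes:
    """Mimic geo + map: whitelisted clients get "" (zone skipped),
    everyone else gets $binary_remote_addr (the raw address bytes)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in WHITELIST):
        return b""
    return addr.packed


class LeakyBucket:
    """Simplified limit_req zone (constructed model): per-key excess counter
    that drains at `rate` requests/second; `burst` is the allowed excess.
    nodelay means excess requests are served immediately, never queued."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.state = {}  # key -> (excess, last_seen)

    def allow(self, key: bytes, now: float) -> bool:
        if key == b"":
            return True  # empty key: nginx ignores the zone for this request
        excess, last = self.state.get(key, (0.0, now))
        excess = max(0.0, excess - (now - last) * self.rate) + 1
        if excess > self.burst + 1:
            return False  # rejected with limit_req_status (503 in this setup)
        self.state[key] = (excess, now)  # state is only updated on accept
        return True


def simulate_burst(client_ip: str, n: int, rate=20.0, burst=60, now=0.0):
    """Fire n simultaneous requests from one client; return (allowed, rejected)."""
    bucket = LeakyBucket(rate, burst)
    key = limit_key(client_ip)
    allowed = sum(bucket.allow(key, now) for _ in range(n))
    return allowed, n - allowed


if __name__ == "__main__":
    print("limited client:    ", simulate_burst("203.0.113.9", 1110))
    print("whitelisted client:", simulate_burst("172.16.191.10", 1110))
```

With an instantaneous burst the limited client gets burst + 1 requests through and the rest are rejected, while the whitelisted client is never limited; the real ab run passes a few more because the test spans about 0.2 s of refill and limit_conn also applies.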