Nginx Security Configuration: Blocking Stress-Testing Tools


                                       Author: Yin Zhengjie (尹正杰)

Copyright notice: this is an original work and may not be reproduced! Violators will be held legally liable.

 

 

I. Set up a web server that serves normal traffic

1>. Edit the main configuration file

[[email protected] ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes  4;
worker_cpu_affinity 00000001 00000010 00000100 00001000; 
 
events {
   worker_connections  100000;
   use epoll;
   accept_mutex on;
   multi_accept on; 
}
   
   http {
     include       mime.types;
       
     default_type  text/html;
    
     server_tokens off; 
      
     charset utf-8;
   
     log_format my_access_json '{"@timestamp":"$time_iso8601",' '"host":"$server_addr",' '"clientip":"$remote_addr",' '"size":$body_bytes_sent,' '"responsetime":$request_time,' '"upstreamtime":"$upstream_response_time",' '"upstreamhost":"$upstream_addr",' '"http_host":"$host",' '"uri":"$uri",' '"domain":"$host",' '"xff":"$http_x_forwarded_for",' '"referer":"$http_referer",' '"tcp_xff":"$proxy_protocol_addr",' '"http_user_agent":"$http_user_agent",' '"status":"$status"}';
    access_log logs/access_json.log my_access_json;
 
    ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
    ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
  
    include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
[[email protected] ~]# 
[[email protected] ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[[email protected] ~]# 
[[email protected] ~]#

2>. Edit the site (sub) configuration file

[[email protected] ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.org.cn;
 
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
    error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;

    location / {
       root /yinzhengjie/data/web/nginx/static/cn;
       index index.html;
    }

    location = /favicon.ico {
       root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[[email protected] ~]# 
[[email protected] ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[[email protected] ~]#

3>. Prepare the test data

[[email protected] ~]# mkdir -pv /yinzhengjie/data/web/nginx/{static,images}
mkdir: created directory ‘/yinzhengjie/data/web/nginx’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/images’
[[email protected] ~]# 
[[email protected] ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/cn/css
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn/css’
[[email protected] ~]# 
[[email protected] ~]# mkdir -pv /yinzhengjie/data/web/nginx/images/jd
mkdir: created directory ‘/yinzhengjie/data/web/nginx/images/jd’
[[email protected] ~]# 
[[email protected] ~]# ll /yinzhengjie/data/web/nginx/static/cn/css/
total 1004
-rw-r--r-- 1 root root 1025154 Dec 24 18:29 01.png
[[email protected] ~]# 
[[email protected] ~]# cat /yinzhengjie/data/web/nginx/static/cn/index.html 


    
        "UTF-8">
        node101.yinzhengjie.org.cn
        
    
    
        

这是"node101.yinzhengjie.org.cn"的首页

class="box1">
[[email protected] ~]# 
[[email protected] ~]# wget https://www.jd.com/favicon.ico -O /yinzhengjie/data/web/nginx/images/jd/favicon.ico      # Here we download an image from the web to use as the browser-tab logo
--2019-12-24 18:51:03--  https://www.jd.com/favicon.ico
Resolving www.jd.com (www.jd.com)... 220.194.105.131, 2408:8710:20:1140:8000::3
Connecting to www.jd.com (www.jd.com)|220.194.105.131|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25214 (25K) [image/x-icon]
Saving to: ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’

100%[==================================================================================================================================>] 25,214      --.-K/s   in 0s

2019-12-24 18:51:09 (404 MB/s) - ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’ saved [25214/25214]

[[email protected] ~]#

4>. Start the nginx service

[[email protected] ~]# netstat -untalp | grep nginx
[[email protected] ~]# 
[[email protected] ~]# nginx 
[[email protected] ~]# 
[[email protected] ~]# netstat -untalp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24954/nginx: master 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24954/nginx: master 
[[email protected] ~]# 
[[email protected] ~]#

5>. Visit "https://node101.yinzhengjie.org.cn/" in a browser, as shown in the figure below

6>. View the nginx log output

[Image 1: screenshot from the original post]

 

II. Stress-test the server with the ab command

1>. Install Apache's stress-testing tool

[[email protected] ~]# yum -y install http-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
base                                                                                                                          | 3.6 kB  00:00:00     
extras                                                                                                                        | 2.9 kB  00:00:00     
updates                                                                                                                       | 2.9 kB  00:00:00     
No package http-tools available.
Error: Nothing to do
[[email protected] ~]# 
[[email protected] ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-90.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================
 Package                             Arch                           Version                                       Repository                    Size
=====================================================================================================================================================
Installing:
 httpd-tools                         x86_64                         2.4.6-90.el7.centos                           base                          91 k
Installing for dependencies:
 apr                                 x86_64                         1.4.8-5.el7                                   base                         103 k
 apr-util                            x86_64                         1.5.2-6.el7                                   base                          92 k

Transaction Summary
=====================================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 286 k
Installed size: 584 k
Downloading packages:
apr-util-1.5.2-6.el7.x86_64.rp FAILED                                          
http://mirror.lzu.edu.cn/centos/7.7.1908/os/x86_64/Packages/apr-util-1.5.2-6.el7.x86_64.rpm: [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
Trying other mirror.
(1/3): apr-1.4.8-5.el7.x86_64.rpm                                                                                             | 103 kB  00:00:00     
(2/3): httpd-tools-2.4.6-90.el7.centos.x86_64.rpm                                                                             |  91 kB  00:00:00     
(3/3): apr-util-1.5.2-6.el7.x86_64.rpm                                                                                        |  92 kB  00:00:06     
-----------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                 44 kB/s | 286 kB  00:00:06     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                                                                                            1/3 
  Installing : apr-util-1.5.2-6.el7.x86_64                                                                                                       2/3 
  Installing : httpd-tools-2.4.6-90.el7.centos.x86_64                                                                                            3/3 
  Verifying  : apr-1.4.8-5.el7.x86_64                                                                                                            1/3 
  Verifying  : httpd-tools-2.4.6-90.el7.centos.x86_64                                                                                            2/3 
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                                                       3/3 

Installed:
  httpd-tools.x86_64 0:2.4.6-90.el7.centos                                                                                                           

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7                                               apr-util.x86_64 0:1.5.2-6.el7                                              

Complete!
[[email protected] ~]# 
[[email protected] ~]# rpm -qi httpd-tools
Name        : httpd-tools
Version     : 2.4.6
Release     : 90.el7.centos
Architecture: x86_64
Install Date: Tue 24 Dec 2019 07:51:40 PM CST
Group       : System Environment/Daemons
Size        : 172756
License     : ASL 2.0
Signature   : RSA/SHA256, Fri 23 Aug 2019 05:25:34 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : httpd-2.4.6-90.el7.centos.src.rpm
Build Date  : Thu 08 Aug 2019 07:43:53 PM CST
Build Host  : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://httpd.apache.org/
Summary     : Tools for use with the Apache HTTP Server
Description :
The httpd-tools package contains tools which can be used with
the Apache HTTP Server.
[[email protected] ~]# 
[[email protected] ~]# rpm -ql httpd-tools
/usr/bin/ab             
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.6
/usr/share/doc/httpd-tools-2.4.6/LICENSE
/usr/share/doc/httpd-tools-2.4.6/NOTICE
/usr/share/man/man1/ab.1.gz
/usr/share/man/man1/htdbm.1.gz
/usr/share/man/man1/htdigest.1.gz
/usr/share/man/man1/htpasswd.1.gz
/usr/share/man/man1/httxt2dbm.1.gz
/usr/share/man/man1/logresolve.1.gz
[[email protected] ~]# 

2>. Stress-test "http://node101.yinzhengjie.org.cn" with the ab command

[[email protected] ~]# ab -n100000 -c 2000 http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)

Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests


Server Software:        yinzhengjie2019
Server Hostname:        node101.yinzhengjie.org.cn
Server Port:            80

Document Path:          /
Document Length:        566 bytes

Concurrency Level:      2000
Time taken for tests:   4.498 seconds
Complete requests:      100000
Failed requests:        0
Write errors:           0
Total transferred:      81700000 bytes
HTML transferred:       56600000 bytes
Requests per second:    22229.87 [#/sec] (mean)
Time per request:       89.969 [ms] (mean)
Time per request:       0.045 [ms] (mean, across all concurrent requests)
Transfer rate:          17736.14 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   53 286.1      0    3018
Processing:     1   11  37.6      8    1319
Waiting:        0   11  37.3      8    1310
Total:          1   64 294.6      8    3429

Percentage of the requests served within a certain time (ms)
  50%      8
  66%      9
  75%      9
  80%      9
  90%     12
  95%     36
  98%   1020
  99%   1298
 100%   3429 (longest request)
[[email protected] ~]# 



Tip:
  For an explanation of the parameters above, see my earlier notes: https://www.cnblogs.com/yinzhengjie/p/6204049.html

3>. View the log of the node101.yinzhengjie.org.cn site

[Image 2: screenshot from the original post]

 

 

 

III. Configuration to block stress-testing tools

1>. Edit the configuration file of the "node101.yinzhengjie.org.cn" site

[[email protected] ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf 
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.org.cn;
 
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
    error_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;

    location / {
       root /yinzhengjie/data/web/nginx/static/cn;
       index index.html;
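       # Define the valid request referers, separated by spaces
       valid_referers none blocked server_names *.baidu.com example.*  ~\.google\.;
       # Any referer not covered by the list above is treated as an invalid referer
       if ($invalid_referer) {
           return 403;
       }

       # If the client is one of the common stress-testing tools, deny access outright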
       if ($http_user_agent ~ "ApacheBench|WebBench|TurnitinBot|Sougou web spider|Grid Server"){
           return 403;
       }
    }

    location = /favicon.ico {
       root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[[email protected] ~]# 
[[email protected] ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[[email protected] ~]# 

2>. Reload the configuration

[[email protected] ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
nginx    25710 24954  0 19:37 ?        00:00:00 nginx: worker process
nginx    25711 24954  0 19:37 ?        00:00:01 nginx: worker process
nginx    25712 24954  0 19:37 ?        00:00:01 nginx: worker process
nginx    25713 24954  0 19:37 ?        00:00:00 nginx: worker process
[[email protected] ~]# 
[[email protected] ~]# nginx -s reload  
[[email protected] ~]# 
[[email protected] ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
root     25780 22439  0 19:58 pts/2    00:00:00 tail -10f /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log
nginx    25796 24954  0 20:09 ?        00:00:00 nginx: worker process
nginx    25797 24954  0 20:09 ?        00:00:00 nginx: worker process
nginx    25798 24954  0 20:09 ?        00:00:00 nginx: worker process
nginx    25799 24954  0 20:09 ?        00:00:00 nginx: worker process
[[email protected] ~]# 
[[email protected] ~]# 

3>. Run the ab attack again; as shown in the figure below, ab can no longer be used to attack the site

[[email protected] ~]# ab -n100000 -c 2000 http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
apr_socket_recv: Connection reset by peer (104)
Total of 99715 requests completed
[[email protected] ~]# 

[Image 3: screenshot from the original post]

4>. View the log of the node101.yinzhengjie.org.cn site

[Image 4: screenshot from the original post]
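
Added example (not part of the original post): the User-Agent header is supplied by the client, so the rule above only refuses tools that identify themselves. The script below reads lines in the site's my_access_json format and reports, per client IP and User-Agent, the peak requests per second and the status codes returned, flagging clients that exceed a rate threshold while still being served. The sample lines, the 192.0.2.x addresses and the max_rps threshold are constructed assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample input in the field order of the page's my_access_json format.
TEMPLATE = ('{"@timestamp":"%s","host":"192.0.2.101","clientip":"%s","size":%d,'
            '"responsetime":0.001,"upstreamtime":"-","upstreamhost":"-",'
            '"http_host":"node101.yinzhengjie.org.cn","uri":"/",'
            '"domain":"node101.yinzhengjie.org.cn","xff":"-","referer":"-",'
            '"tcp_xff":"-","http_user_agent":"%s","status":"%s"}')

def sample_lines():
    ts = "2019-12-24T20:10:%02d+08:00"
    lines = [TEMPLATE % (ts % 1, "192.0.2.5", 162, "ApacheBench/2.3", "403")] * 300
    lines += [TEMPLATE % (ts % 2, "192.0.2.6", 566, "Mozilla/5.0", "200")] * 120
    lines += [TEMPLATE % (ts % (3 + i), "192.0.2.7", 566, "Mozilla/5.0", "200")
              for i in range(5)]
    # A '"' in a header is logged as \x22 unless log_format uses escape=json.
    lines.append(TEMPLATE % (ts % 9, "192.0.2.8", 566, r"bad\x22agent", "200"))
    return lines

def summarize(lines, max_rps=50):
    """Return (report, malformed): per (clientip, User-Agent) totals and peak rate."""
    stats = defaultdict(lambda: {"total": 0, "per_sec": Counter(), "status": Counter()})
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # count unparseable lines instead of hiding them
            continue
        s = stats[(rec["clientip"], rec["http_user_agent"])]
        s["total"] += 1
        s["per_sec"][rec["@timestamp"]] += 1   # $time_iso8601 has 1 s resolution
        s["status"][rec["status"]] += 1
    report = []
    for (ip, ua), s in stats.items():
        peak = max(s["per_sec"].values())
        served = s["total"] - s["status"]["403"]
        # Flag only clients over the threshold that are NOT already being refused.
        report.append({"clientip": ip, "ua": ua, "total": s["total"], "peak_rps": peak,
                       "status": dict(s["status"]),
                       "flagged": peak > max_rps and served > 0})
    return sorted(report, key=lambda r: -r["total"]), malformed

if __name__ == "__main__":
    report, malformed = summarize(sample_lines())
    for row in report:
        print(row)
    print("malformed lines:", malformed)
```

To run it against the real log, pass an open handle on node101_yinzhengjie_org_cn_access.log to summarize() in place of sample_lines(); a non-zero malformed count means some header values broke the JSON and those requests are missing from the report.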
