nginx limit_conn / limit_req rate limiting: exempting a whitelist with the geo module

To stop a single client from flooding your server with concurrent requests, the configuration below limits every client address automatically (the attacker's address does not have to be known in advance: each source IP gets its own connection and request counters), while internal testers or specific IPs and ranges are put on a whitelist and not limited at all. Note that per-IP limits only blunt floods that come from few sources; a distributed attack spread over many addresses stays under each per-IP counter and needs other controls.
Original configuration:

#Placed in the http block so that it applies globally
http {
......
    limit_conn_log_level error;
    limit_conn_status 503;
    # key = client address, so every client IP gets its own counters
    # (the page's listing used $limit here, which only exists once the geo/map
    # block below is added; an undefined key is empty and nothing gets limited)
    limit_conn_zone $binary_remote_addr zone=one:10m;
    limit_conn one 50;
    limit_req_zone $binary_remote_addr zone=req_one:100m rate=20r/s;
    limit_req zone=req_one burst=60 nodelay;
......
}

Running ab against it shows that by default every IP is limited:

[root@localhost ~]# ab  -n 1110 -c 1110 url
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking xx.xxxx.com (be patient)
Completed 111 requests
Completed 222 requests
Completed 333 requests
Completed 444 requests
Completed 555 requests
Completed 666 requests
Completed 777 requests
Completed 888 requests
Completed 999 requests
Completed 1110 requests
Finished 1110 requests


Server Software:        nginx
Server Hostname:        xx.xxxx.com
Server Port:            80

Document Path:          /webviews/certification.html
Document Length:        1131 bytes

Concurrency Level:      1110
Time taken for tests:   0.212 seconds
Complete requests:      1110
Failed requests:        1046
   (Connect: 0, Receive: 0, Length: 1046, Exceptions: 0)
Write errors:           0
Non-2xx responses:      1046
Total transferred:      491628 bytes
HTML transferred:       287860 bytes
Requests per second:    5224.66 [#/sec] (mean)
Time per request:       212.454 [ms] (mean)
Time per request:       0.191 [ms] (mean, across all concurrent requests)
Transfer rate:          2259.81 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   66   2.7     67      68
Processing:    58   66   6.1     65      85
Waiting:        1   60  10.3     59      85
Total:         68  132   4.8    131     145

Percentage of the requests served within a certain time (ms)
  50%    131
  66%    132
  75%    133
  80%    135
  90%    138
  95%    142
  98%    144
  99%    144
 100%    145 (longest request)

Failed requests: 1046 shows that the limits kicked in: the 1046 non-2xx responses are the 503s returned for requests over the limit (limit_conn_status 503 above; limit_req_status also defaults to 503), and ab reports them as Length failures because the 503 page is a different size from the 1131-byte document.

Adding the whitelist configuration:

# All of this goes in the http block: geo, map, limit_conn_zone and
# limit_req_zone are only valid there; limit_conn and limit_req may also be
# moved into a server or location block if only part of the site needs them.
geo $whiteiplist {
    default            1;
    172.16.191.0/24    0;
    192.168.6.0/24     0;
    10.100.11.185      0;
}

map $whiteiplist $limit {
    1    $binary_remote_addr;
    0    "";
}

limit_conn_log_level error;
limit_conn_status 503;
limit_conn_zone $limit zone=one:10m;
limit_conn one 50;
limit_req_zone $limit zone=req_one:100m rate=20r/s;
limit_req zone=req_one burst=60 nodelay;

Notes:

  1. The geo directive defines the whitelist $whiteiplist. The default value is 1, so every client is limited; if the client address matches one of the listed addresses or ranges, $whiteiplist is 0 and that client is not limited. geo matches against $remote_addr, so if nginx sits behind a load balancer or CDN every request arrives from the proxy's address: configure ngx_http_realip_module (set_real_ip_from and real_ip_header) before relying on this, otherwise all clients share one counter, or the proxy as a whole ends up whitelisted.
  2. The map directive turns $whiteiplist into the zone key $limit: value 1 (limited clients) becomes the client address $binary_remote_addr, value 0 (whitelisted clients) becomes the empty string.
  3. limit_conn_zone and limit_req_zone ignore requests whose key is empty, so the listed addresses are never counted or limited. Everyone else gets at most 50 concurrent connections and 20 requests per second with a burst of 60; nodelay means requests inside the burst are served immediately instead of being queued, and anything beyond the burst gets a 503.
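To make the three steps above concrete, here is an added example (not part of the original post and not nginx source code) that models the geo -> map -> limit_req chain in Python, so the numbers from the ab runs can be reasoned about offline. It reimplements the prefix match that geo does, the key selection that map does, and the leaky bucket of ngx_http_limit_req_module as nginx keeps it: excess is stored in milli-requests, each request adds 1000, the bucket drains rate*1000 per second, a request is rejected when the bucket would exceed burst*1000, a rejected request leaves the bucket untouched, and a brand-new client starts with an empty bucket. limit_conn is not modelled, and the client addresses in the demo are made up.

```python
"""Model of geo -> map -> limit_req (added example, not nginx code)."""
import ipaddress

# The geo block: default 1 = limited, 0 = whitelisted.
WHITELIST = [
    ipaddress.ip_network("172.16.191.0/24"),
    ipaddress.ip_network("192.168.6.0/24"),
    ipaddress.ip_network("10.100.11.185/32"),
]


def geo_whiteiplist(remote_addr):
    """geo $whiteiplist: 0 when remote_addr is inside a listed range, else 1."""
    addr = ipaddress.ip_address(remote_addr)
    return 0 if any(addr in net for net in WHITELIST) else 1


def map_limit(remote_addr):
    """map $whiteiplist $limit: packed address ($binary_remote_addr) or b""."""
    if geo_whiteiplist(remote_addr) == 1:
        return ipaddress.ip_address(remote_addr).packed
    return b""


class LimitReqZone:
    """limit_req_zone $limit zone=... rate=<rate>r/s; limit_req burst=<burst> nodelay"""

    def __init__(self, rate_rps, burst):
        self.rate = rate_rps * 1000   # drain, in milli-requests per second
        self.burst = burst * 1000     # bucket ceiling, in milli-requests
        self.state = {}               # key -> [excess, last_ms]

    def check(self, key, now_ms):
        """Return 200 if the request passes, 503 if limit_req rejects it."""
        if key == b"":
            return 200                # empty key: the zone ignores the request
        if key not in self.state:
            # nginx creates the node with excess 0, so the first request is free
            self.state[key] = [0, now_ms]
            return 200
        excess, last = self.state[key]
        elapsed = max(now_ms - last, 0)
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return 503                # rejected; excess and last stay as they were
        self.state[key] = [excess, now_ms]
        return 200


def run_burst(zone, remote_addr, n, now_ms):
    """n requests from one client in the same millisecond, like `ab -c n -n n`.

    Returns (passed, rejected)."""
    key = map_limit(remote_addr)
    codes = [zone.check(key, now_ms) for _ in range(n)]
    return codes.count(200), codes.count(503)


if __name__ == "__main__":
    zone = LimitReqZone(rate_rps=20, burst=60)
    # 203.0.113.7 and 172.16.191.10 are made-up addresses for the demo
    print("limited client, t=0s    ", run_burst(zone, "203.0.113.7", 1110, 0))
    print("limited client, t=1s    ", run_burst(zone, "203.0.113.7", 1110, 1000))
    print("whitelisted client, t=0s", run_burst(zone, "172.16.191.10", 1110, 0))
```

With rate=20r/s and burst=60, 1110 simultaneous requests from a limited client pass 61 (the free first request plus the 60-deep burst) and get 1049 rejected; one second later the bucket has drained by 20, so 20 more pass; a whitelisted client passes all 1110 because its key is empty and the zone never sees it. That is in line with the ab run above: 1110 minus the burst minus the handful of requests that 20r/s releases during the 0.212 s the run took leaves roughly the 1046 failures reported, with limit_conn 50 also contributing.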

Run the same ab test again, this time from a whitelisted address, to check that the whitelist works:

[root@localhost ~]# ab  -n 1110 -c 1110 url
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking xx.xxxx.com (be patient)
Completed 111 requests
Completed 222 requests
Completed 333 requests
Completed 444 requests
Completed 555 requests
Completed 666 requests
Completed 777 requests
Completed 888 requests
Completed 999 requests
Completed 1110 requests
Finished 1110 requests


Server Software:        nginx
Server Hostname:        xx.xxxxx.com
Server Port:            80

Document Path:          /webviews/certification.html
Document Length:        1131 bytes

Concurrency Level:      1110
Time taken for tests:   0.249 seconds
Complete requests:      1110
Failed requests:        0
Write errors:           0
Total transferred:      1524030 bytes
HTML transferred:       1255410 bytes
Requests per second:    4461.07 [#/sec] (mean)
Time per request:       248.819 [ms] (mean)
Time per request:       0.224 [ms] (mean, across all concurrent requests)
Transfer rate:          5981.50 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   45   6.3     45      56
Processing:    34   90  40.2     89     157
Waiting:        1   90  40.6     89     157
Total:         57  135  34.2    134     192

Percentage of the requests served within a certain time (ms)
  50%    134
  66%    155
  75%    166
  80%    172
  90%    183
  95%    189
  98%    191
  99%    192
 100%    192 (longest request)

This time Failed requests: 0 and there are no non-2xx responses, so the whitelisted address is no longer limited. Run the test once more from an address that is not on the list to confirm that the limits still apply to everyone else; rejected requests also show up in the error log at the level set by limit_conn_log_level.
