Ddos Protection syntax - Nginx

nginx ddos

I am using this syntax for my Nginx configuration file /etc/nginx/nginx.conf which reads:

user www-data;
worker_processes 2;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;

events {
worker_connections 2048;
multi_accept on;
}

http {

##
# Basic Settings
##

client_header_buffer_size 2k;
large_client_header_buffers 2 1k;

client_body_buffer_size 10M;
client_max_body_size 10M;

client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;

server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}

sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

}

My websites server blocks are included within: include /etc/nginx/sites-enabled/*;

Is the server defined within http as seen above going to supersede the server{} blocks in my sites-enabled/* so that DDOS protection will work as expected?


Actually there is an important difference between DOS and DDOS attacks. The additional D in DDOS stands for distributed.

For simple DOS attacks your setup can be used. However it really depends on your application or website where the difference between an allowed or expected use case and a not allowed or not expected use case might be. There exists no generic recipe.

To mitigate DDOS attacks your setup will not help. Such attacks will be fired from many different IP addresses. Usually DDOS attacks must be mitigated on network level and with a really high bandwith.


My guess is that you're talking about ngx_http_limit_conn_module and ngx_http_limit_req_module.

Syntax: limit_conn zone number;
Default: —
Context: http, server, location
These directives are inherited from the previous configuration level if and only if there are no limit_conn directives defined on the current level.

So for limit_conn you need to place it one level up into the http block to make it inherited into the server blocks.

Syntax: limit_req zone=name [burst=number] [nodelay | delay=number];
Default: —
Context: http, server, location
These directives are inherited from the previous configuration level if and only if there are no limit_req directives defined on the current level.

Same for the limit_req place it one level up into the http block to make it inherited into the server block.

Related

Folder permissions keep changing from www-data to root
Is there a way to force SQL Server Network Configuration to recognize new IP addresses without full restart?
Memory for crash kernel (0x0 to 0x0) not within permissable range
SQL Server 2005: Corrupt database - Automatically shutdown DB?
recover ldap database without log files
RHEL/CentOS Now to add nftable rules to firewalld on system boot?
BugZilla XML RPC Interface
Safe to remove dismounted Exchange 2016 mailbox database?
Ansible created user on Windows, gets ".EC2AMAZ-ELNOCH3" appended to username
Email server certificate valid according to CheckTLS, invalid according to Thunderbird
Certbot semi-manual operation
Internet Explorer not working after establishing a VPN connection