DDoS protection syntax - Nginx

I am using this syntax for my Nginx configuration file /etc/nginx/nginx.conf, which reads:

user www-data;
worker_processes 2;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;

events {
    worker_connections 2048;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    client_header_buffer_size 2k;
    large_client_header_buffers 2 1k;

    client_body_buffer_size 10M;
    client_max_body_size 10M;

    client_body_timeout 12;
    client_header_timeout 12;
    keepalive_timeout 15;
    send_timeout 10;

    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;

    server {
        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;
    }

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

My websites' server blocks are included via: include /etc/nginx/sites-enabled/*;

Is the server defined within http as seen above going to supersede the server{} blocks in my sites-enabled/* so that DDoS protection will work as expected?


Actually, there is an important difference between DoS and DDoS attacks. The additional D in DDoS stands for distributed.

For simple DoS attacks your setup can be used. However, it really depends on your application or website where the line between an allowed or expected use case and a disallowed or unexpected one lies. There is no generic recipe.

To mitigate DDoS attacks your setup will not help. Such attacks will be fired from many different IP addresses. Usually DDoS attacks must be mitigated at the network level and with really high bandwidth.


My guess is that you're talking about ngx_http_limit_conn_module and ngx_http_limit_req_module.

Syntax: limit_conn zone number;
Default: —
Context: http, server, location
These directives are inherited from the previous configuration level if and only if there are no limit_conn directives defined on the current level.

So for limit_conn you need to place it one level up, in the http block, to make it inherited by the server blocks.

Syntax: limit_req zone=name [burst=number] [nodelay | delay=number];
Default: —
Context: http, server, location
These directives are inherited from the previous configuration level if and only if there are no limit_req directives defined on the current level.

Same for limit_req: place it one level up, in the http block, to make it inherited by the server blocks.
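The corrected layout both answers point at, as an added example that is not the original poster's file or either answerer's code: the two limit directives move out of the empty server{} and into the http block, so every server in sites-enabled/* inherits them, and a per-location override shows the inheritance caveat from the documentation quoted above (a limit_req in a location replaces, rather than adds to, the inherited one). The stricter login zone, the /login location, the backend address and the file name in the comment are assumptions made for the example.

```nginx
# Added example, not the poster's nginx.conf. Only the http block is shown;
# user/worker/events settings are unchanged.
http {
    # Zones may only be declared in http. Declaring them does nothing on its
    # own; a limit applies only where limit_conn / limit_req references it.
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone  $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
    # Assumed extra zone for an expensive endpoint: 5 requests per minute per IP.
    limit_req_zone  $binary_remote_addr zone=login_limit_per_ip:10m rate=5r/m;

    # Applied at http level, so every server{} pulled in by the includes below
    # inherits them unless it defines its own limit_conn / limit_req.
    limit_conn conn_limit_per_ip 10;
    limit_req  zone=req_limit_per_ip burst=10 nodelay;

    # Answer 429 instead of the default 503 so clients and monitoring can tell
    # rate limiting from a backend outage (directives exist since nginx 1.3.15).
    limit_conn_status 429;
    limit_req_status  429;
    # Rejections are logged at this level with "limiting requests, excess: ...".
    limit_req_log_level warn;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # What a file in /etc/nginx/sites-enabled/ (assumed name: example) would
    # contain. Shown inline here only to keep the example in one fragment.
    server {
        listen 80;
        server_name example.com;

        # No limit_* directive here: inherits the http-level limits as-is.
        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }

        # Caveat: defining limit_req here switches inheritance off for this
        # location. If the general limit should still apply, list it again
        # alongside the stricter one; several limit_req directives may coexist.
        location = /login {
            limit_req zone=req_limit_per_ip   burst=10 nodelay;
            limit_req zone=login_limit_per_ip burst=3;
            proxy_pass http://127.0.0.1:8080;
        }
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
```

Check the result with nginx -t before reloading, then fire more than eleven requests from one address in quick succession and confirm that the excess ones return 429 and that the error log shows the "limiting requests, excess:" lines. One more reason to delete the empty server{} from the original file rather than leave it in place: a server block without listen or server_name still listens on *:80, and because it is the first *:80 server that nginx parses it becomes the default server for that port, so requests with an unknown Host header would be answered by that block, not by the sites in sites-enabled/*.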