Config of nginx to filter http flood

kedoff picture kedoff · Sep 6, 2012 · Viewed 31.5k times · Source

A have a http flood on my server, not so much queries, but anyway. Queries in log

95.55.237.3 - - [06/Sep/2012:14:38:23 +0400] "GET / HTTP/1.0" 200 35551 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)" "-" | "-" 93.78.44.25 - - [06/Sep/2012:14:38:23 +0400] "GET / HTTP/1.0" 200 36051 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)" "-" | "-" 46.118.112.3 - - [06/Sep/2012:14:38:23 +0400] "GET / HTTP/1.0" 200 35551 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)" "-" | "-"

I tried this filters in nginx config

server {
    .....
    set $add 1;
    set $ban '';

###### Rule 1 ########
if ($http_referer = '-' ) {
    set $ban $ban$add;
}
if ($request_uri = '/') {
    set $ban $ban$add;
}

if ($http_user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)') {
    set $ban $ban$add;
}

if ($ban = 111) {
    return 444;
}
######################
......
}

but stil bot queries get 200 OK. Could somebody help?

Answer

cobaco picture cobaco · Sep 6, 2012

Try adding something like the following directives to your config to prevent http flooding:

http {
  limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
  limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

  server {
    limit_conn conn_limit_per_ip 10;
    limit_req zone=req_limit_per_ip burst=10 nodelay;
  }
} 

See http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html and http://nginx.org/en/docs/http/ngx_http_limit_req_module.html for more info

There's all the following directive http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate

NOTE: http://www.botsvsbrowsers.com/details/504401/index.html says the above user agent is not a known bot