Denial of service prevention

Shark Fin Soup shark.fin.soup at mac.com
Fri Feb 23 11:12:00 MSK 2007


Dear Igor,

This is my config file. How would I use that feature? I tried it last
week and could not get it to work. My config file is not very
straightforward. I want to make sure that I cannot receive more than
10 concurrent connections from a single IP address.

user  www www;
worker_processes  6;
pid  logs/nginx.pid;

events {
     worker_connections  1024;
}

http {
     #limit_zone    one  $binary_remote_addr  10m;
     # limit_conn    one  10;
     include       conf/mime.types;
     default_type  application/octet-stream;

     log_format  main  '$remote_addr - $remote_user [$time_local] $status '
                       '"$request" $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';

     access_log  logs/access.log  main;
     rewrite_log on; # I have yet to find where this gets saved to :(

     client_max_body_size 100M;
     sendfile       on;
     tcp_nopush     on;
     tcp_nodelay    on;

     # domain1 ------------------------------------------------------

     # this describes the Mongrel cluster to nginx
     upstream my_web {
         server 127.0.0.1:10000;
         server 127.0.0.1:10001;
         server 127.0.0.1:10002;
         server 127.0.0.1:10003;
         server 127.0.0.1:10004;
         server 127.0.0.1:10005;
         server 127.0.0.1:10006;
         server 127.0.0.1:10007;
         server 127.0.0.1:10008;
         server 127.0.0.1:10009;
    }

     server {
         listen       80;
         server_name  my_web.com *.my_web.com;

         # separate access and error logs for this domain
         access_log  logs/access.my_web.log  main;
         error_log  logs/error.my_web.log   debug;

         # catch non-dynamic requests and serve them up directly
         location ~ ^/$ {
           if (-f /index.html){
             rewrite (.*) /index.html last;
           }
           proxy_pass  http://my_web; # proxy to the Mongrel cluster described above
           proxy_set_header   Host             $host;
           proxy_set_header   X-Real-IP        $remote_addr;
           proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         }

         location / {
           if (!-f $request_filename.html) {
             proxy_pass  http://my_web;
           }
           rewrite (.*) $1.html last;
         }

         location ~ .html {
            root /home/www/my_web.com/public/;
         }

         location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mov|flv)$ {
           root /home/www/my_web.com/public/;
         }

         # proxy dynamic requests to Mongrel
         location / {
             proxy_pass         http://my_web;
             proxy_redirect     off;

             proxy_set_header   Host             $host;
             proxy_set_header   X-Real-IP        $remote_addr;
             proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         }
     }
}

On Feb 23, 2007, at 1:09 PM, Igor Sysoev wrote:

> On Fri, Feb 23, 2007 at 11:41:33AM +0700, Shark Fin Soup wrote:
>
>> Is there an equivalent of mod_evasive (for Lighttpd) that I can use?
>>
>> I run Nginx for Rails app, using Nginx to serve static content and
>> Mongrel to serve Rails content. It works very well. But I get the
>> occasional DOS that I could divert with mod_evasive. I would like the
>> same for Nginx.
>
> The ngx_http_limit_zone allows similar functionality:
> http://wiki.codemongers.com/NginxHttpLimit_zoneModule
>
>
> -- 
> Igor Sysoev
> http://sysoev.ru/en/
>
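
The per-address connection limit asked about above, written out as an added example that is not part of the original message or of Igor's reply. It reuses the zone name "one" and the upstream and server names from the posted config, trims the upstream to two backends, and assumes the limit should apply to the whole virtual host.

```nginx
# Added example, not the poster's config. Names follow the message above.
events {
    worker_connections  1024;
}

http {
    # Shared-memory zone "one", 10 MB, keyed by the client address in
    # binary form. This is the ngx_http_limit_zone_module syntax shown
    # in the commented-out lines of the posted config.
    limit_zone  one  $binary_remote_addr  10m;

    # nginx 1.1.8 and later spell the same zone as:
    # limit_conn_zone  $binary_remote_addr  zone=one:10m;

    upstream my_web {
        server 127.0.0.1:10000;
        server 127.0.0.1:10001;
    }

    server {
        listen       80;
        server_name  my_web.com *.my_web.com;

        # At most 10 simultaneous connections per client address for
        # this server. Connections over the limit get a 503 response.
        limit_conn  one  10;

        location / {
            proxy_pass        http://my_web;
            proxy_set_header  Host       $host;
            proxy_set_header  X-Real-IP  $remote_addr;
        }
    }
}
```

Running nginx -t checks the syntax before a reload. Clients that share one address, such as users behind the same NAT or forward proxy, also share one count against the limit.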





