Jump to content

Nginx:Optimized configuration with DDoS mitigation

From Wiki

Paste di /etc/nginx/nginx.conf 

user  nginx;

# one(1) worker or equal the number of _real_ cpu cores. 4=4 core cpu
worker_processes  4;

# renice workers to reduce priority compared to system processes for
# machine health. worst case nginx will get ~25% system resources at nice=15
worker_priority -5;

timer_resolution 100ms;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

worker_rlimit_nofile 100000;

events {
    worker_connections  1024;
    use epoll;
    # Accept as many connections as possible, after nginx gets notification about a new connection.
    multi_accept on;
}


http {

    server_tokens off;
    server_name_in_redirect off;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log  main buffer=16k;
    access_log off;

    # Timeouts, do not keep connections open longer then necessary to reduce
    # resource usage and deny Slowloris type attacks.

    # reset timed out connections freeing ram
    reset_timedout_connection on;
    # maximum time between packets the client can pause when sending nginx any data
    client_body_timeout 10s;
    # maximum time the client has to send the entire header to nginx
    client_header_timeout 10s;
    # timeout which a single keep-alive client connection will stay open
    keepalive_timeout 65s;
    # maximum time between packets nginx is allowed to pause when sending the client data
    send_timeout 10s;

    # number of requests per connection, does not affect SPDY
    keepalive_requests 100; 
  
    # buffers

    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 16k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    proxy_buffer_size   128k; 
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;

    fastcgi_read_timeout 150;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    types_hash_max_size 2048;
    #postpone_output 0;

    gzip on;
    gzip_vary on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain application/json text/xml application/xml;
    gzip_disable "msie6";

    client_max_body_size 20m;

    # fastcgi cache, caching request without session variable initialized by session_start()
    fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
    fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;

    # DDoS Mitigation 
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn perip 100;

    limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
    limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;
    
    include /etc/nginx/conf.d/*.conf;
}

Source

Retrieved from "https://kangtain.com/wiki/index.php?title=Nginx:Optimized_configuration_with_DDoS_mitigation&oldid=5840"