Nginx:Optimized configuration with DDoS mitigation: Difference between revisions
Paste di <code>/etc/nginx/nginx.conf</code> | Paste di <code>/etc/nginx/nginx.conf</code> | ||
<syntaxhighlight lang="nginx" line="1"> | |||
user nginx; | |||
# one(1) worker or equal the number of _real_ cpu cores. 4=4 core cpu | |||
worker_processes 4; | |||
# renice workers to reduce priority compared to system processes for | |||
# machine health. worst case nginx will get ~25% system resources at nice=15 | |||
worker_priority -5; | |||
timer_resolution 100ms; | |||
error_log /var/log/nginx/error.log warn; | |||
pid /var/run/nginx.pid; | |||
worker_rlimit_nofile 100000; | |||
events { | |||
worker_connections 1024; | |||
use epoll; | |||
# Accept as many connections as possible, after nginx gets notification about a new connection. | |||
multi_accept on; | |||
} | |||
http { | |||
server_tokens off; | |||
server_name_in_redirect off; | |||
include /etc/nginx/mime.types; | |||
default_type application/octet-stream; | |||
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |||
'$status $body_bytes_sent "$http_referer" ' | |||
'"$http_user_agent" "$http_x_forwarded_for"'; | |||
access_log /var/log/nginx/access.log main buffer=16k; | |||
access_log off; | |||
# Timeouts, do not keep connections open longer then necessary to reduce | |||
# resource usage and deny Slowloris type attacks. | |||
# reset timed out connections freeing ram | |||
reset_timedout_connection on; | |||
# maximum time between packets the client can pause when sending nginx any data | |||
client_body_timeout 10s; | |||
# maximum time the client has to send the entire header to nginx | |||
client_header_timeout 10s; | |||
# timeout which a single keep-alive client connection will stay open | |||
keepalive_timeout 65s; | |||
# maximum time between packets nginx is allowed to pause when sending the client data | |||
send_timeout 10s; | |||
# number of requests per connection, does not affect SPDY | |||
keepalive_requests 100; | |||
# buffers | |||
fastcgi_buffer_size 128k; | |||
fastcgi_buffers 256 16k; | |||
fastcgi_busy_buffers_size 256k; | |||
fastcgi_temp_file_write_size 256k; | |||
proxy_buffer_size 128k; | |||
proxy_buffers 4 256k; | |||
proxy_busy_buffers_size 256k; | |||
fastcgi_read_timeout 150; | |||
sendfile on; | |||
tcp_nopush on; | |||
tcp_nodelay on; | |||
types_hash_max_size 2048; | |||
#postpone_output 0; | |||
gzip on; | |||
gzip_vary on; | |||
gzip_comp_level 2; | |||
gzip_min_length 1000; | |||
gzip_proxied expired no-cache no-store private auth; | |||
gzip_types text/plain application/json text/xml application/xml; | |||
gzip_disable "msie6"; | |||
client_max_body_size 20m; | |||
# fastcgi cache, caching request without session variable initialized by session_start() | |||
fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d; | |||
fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2; | |||
# DDoS Mitigation | |||
limit_conn_zone $binary_remote_addr zone=perip:10m; | |||
limit_conn perip 100; | |||
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s; | |||
limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s; | |||
include /etc/nginx/conf.d/*.conf; | |||
} | |||
</syntaxhighlight> | |||
==Source== | ==Source== | ||
*[https://gist.github.com/igortik/0130e69a163d14658ef3d013890c8395 github.com] | *[https://gist.github.com/igortik/0130e69a163d14658ef3d013890c8395 github.com] | ||
[[Category:Web Server]] | |||
[[Category:Server]] | |||
[[Category:Tutorial]] | |||
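Review bot: `access_log off;` on the line right after `access_log /var/log/nginx/access.log main buffer=16k;` wins for the whole `http` context, so no access log is written at all and the `$remote_addr`/`$http_x_forwarded_for` data needed to investigate or block an abusive client is lost; delete `access_log off;` (or scope it to a static-asset `location`). `worker_priority -5;` contradicts its own comment: negative values raise the workers' scheduling priority, so under load they compete harder with the rest of the system, and the comment describes `worker_priority 5;` (positive nice = lower priority). The `engine` and `static` `limit_req_zone` declarations enforce nothing by themselves; unless a `limit_req zone=engine burst=...;` / `limit_req zone=static ...;` appears in the included `/etc/nginx/conf.d/*.conf` files (not visible here), the "DDoS Mitigation" section only applies the 100-connection `limit_conn`. Both zones key on `$binary_remote_addr`, so behind a CDN or reverse proxy every client is counted as one address and throttled together unless `set_real_ip_from`/`real_ip_header` are configured, while many users behind one NAT share the same 100-connection budget. The `fastcgi_cache_path` comment promises to cache only requests without a session, but nothing here sets `fastcgi_cache_bypass`/`fastcgi_no_cache` on the session cookie, so whichever `location` enables `fastcgi_cache` must do that or an authenticated user's page can be served from cache to another client.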