Nginx:Optimized configuration with DDoS mitigation: Difference between revisions
No edit summary |
No edit summary |
| Line 1: | Line 1: | ||
Paste di <code>/etc/nginx/nginx.conf</code> | Paste di <code>/etc/nginx/nginx.conf</code> | ||
<syntaxhighlight lang="nginx"> | |||
user nginx; | |||
# one(1) worker or equal the number of _real_ cpu cores. 4=4 core cpu | |||
worker_processes 4; | |||
# renice workers to reduce priority compared to system processes for | |||
# machine health. worst case nginx will get ~25% system resources at nice=15 | |||
worker_priority -5; | |||
timer_resolution 100ms; | |||
error_log /var/log/nginx/error.log warn; | |||
pid /var/run/nginx.pid; | |||
worker_rlimit_nofile 100000; | |||
events { | |||
worker_connections 1024; | |||
use epoll; | |||
# Accept as many connections as possible, after nginx gets notification about a new connection. | |||
multi_accept on; | |||
} | |||
http { | |||
server_tokens off; | |||
server_name_in_redirect off; | |||
include /etc/nginx/mime.types; | |||
default_type application/octet-stream; | |||
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |||
'$status $body_bytes_sent "$http_referer" ' | |||
'"$http_user_agent" "$http_x_forwarded_for"'; | |||
access_log /var/log/nginx/access.log main buffer=16k; | |||
access_log off; | |||
# Timeouts, do not keep connections open longer then necessary to reduce | |||
# resource usage and deny Slowloris type attacks. | |||
# reset timed out connections freeing ram | |||
reset_timedout_connection on; | |||
# maximum time between packets the client can pause when sending nginx any data | |||
client_body_timeout 10s; | |||
# maximum time the client has to send the entire header to nginx | |||
client_header_timeout 10s; | |||
# timeout which a single keep-alive client connection will stay open | |||
keepalive_timeout 65s; | |||
# maximum time between packets nginx is allowed to pause when sending the client data | |||
send_timeout 10s; | |||
# number of requests per connection, does not affect SPDY | |||
keepalive_requests 100; | |||
# buffers | |||
fastcgi_buffer_size 128k; | |||
fastcgi_buffers 256 16k; | |||
fastcgi_busy_buffers_size 256k; | |||
fastcgi_temp_file_write_size 256k; | |||
proxy_buffer_size 128k; | |||
proxy_buffers 4 256k; | |||
proxy_busy_buffers_size 256k; | |||
fastcgi_read_timeout 150; | |||
sendfile on; | |||
tcp_nopush on; | |||
tcp_nodelay on; | |||
types_hash_max_size 2048; | |||
#postpone_output 0; | |||
gzip on; | |||
gzip_vary on; | |||
gzip_comp_level 2; | |||
gzip_min_length 1000; | |||
gzip_proxied expired no-cache no-store private auth; | |||
gzip_types text/plain application/json text/xml application/xml; | |||
gzip_disable "msie6"; | |||
client_max_body_size 20m; | |||
# fastcgi cache, caching request without session variable initialized by session_start() | |||
fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d; | |||
fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2; | |||
# DDoS Mitigation | |||
limit_conn_zone $binary_remote_addr zone=perip:10m; | |||
limit_conn perip 100; | |||
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s; | |||
limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s; | |||
include /etc/nginx/conf.d/*.conf; | |||
} | |||
</syntaxhighlight> | |||
==Source== | ==Source== | ||
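Review bot: `access_log off;` placed right after `access_log /var/log/nginx/access.log main buffer=16k;` cancels that directive (in nginx, `off` disables every access_log on the same level), so this revision logs no requests at all, which undercuts a "DDoS mitigation" config that needs logs to spot and tune against abusive traffic; drop the `access_log off;` line or move it into the specific locations (static assets) where logging is not wanted. The two `limit_req_zone` declarations (`engine`, `static`) are never applied in this file; they only take effect once a server/location in conf.d adds something like `limit_req zone=engine burst=10 nodelay;`, which deserves a comment next to them. `worker_priority -5;` raises worker priority, while its comment describes lowering it to nice=15; one of the two should change. The comment on `keepalive_timeout 65s;` sits under a "do not keep connections open longer than necessary" heading but is the longest timeout in the file, and idle keep-alive connections still consume `worker_connections` slots.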
Revision as of 12:01, 22 September 2022
Contents of /etc/nginx/nginx.conf
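user nginx;
# One worker per physical CPU core (4 = 4-core machine). Adjust on other
# hosts, or use `worker_processes auto;` to size from the CPUs visible at start.
worker_processes 4;
# NOTE: a *negative* value raises worker priority (nice -5), so nginx workers
# are scheduled ahead of ordinary processes and keep serving under load. The
# earlier note about "~25% system resources at nice=15" described the opposite
# policy; use a positive value (e.g. 15) only if nginx should yield to system
# processes instead of competing with them.
worker_priority -5;
# Coarser timer resolution for the worker event loop (fewer clock reads).
timer_resolution 100ms;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# Per-worker open-descriptor ceiling; must exceed worker_connections, since a
# proxied/FastCGI request can hold a client socket and an upstream socket.
worker_rlimit_nofile 100000;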
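events {
    # Per-worker connection ceiling (client sockets plus upstream sockets).
    # The default 1024 with 4 workers capped the server at ~4096 concurrent
    # connections, which `limit_conn perip 100` lets roughly 40 addresses
    # exhaust; 4096 per worker (~16k total) stays well under
    # worker_rlimit_nofile 100000. Raise further on busy hosts, and check the
    # kernel backlog (net.core.somaxconn / listen backlog) alongside it.
    worker_connections 4096;
    # Linux-specific event method; drop this line on other platforms so nginx
    # selects the best available one itself.
    use epoll;
    # Accept every pending connection at once when a worker is notified of a
    # new one, instead of one per event-loop iteration.
    multi_accept on;
}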
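http {
    # Do not reveal the nginx version in the Server header and error pages.
    server_tokens off;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Access log. $http_x_forwarded_for is copied verbatim from the client
    # request header, so treat it as untrusted when reading the log; only the
    # element appended by a proxy you control is meaningful.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main buffer=16k;
    # NOTE: an `access_log off;` used to follow here. In nginx, `off` cancels
    # every access_log directive on the same level, so nothing was being
    # logged at all. Removed: the access log is the primary evidence for
    # spotting and tuning against abusive traffic. Disable logging per
    # location (e.g. static assets) instead if volume is a concern.

    # Timeouts: do not keep connections open longer than necessary, to reduce
    # resource usage and blunt slow-read / Slowloris style attacks.
    # Close timed-out connections with RST so their memory is freed at once.
    reset_timedout_connection on;
    # Maximum pause between two successive body reads from the client.
    client_body_timeout 10s;
    # Maximum time the client has to send the entire request header.
    client_header_timeout 10s;
    # Idle time a keep-alive connection stays open. Idle keep-alive connections
    # still occupy worker_connections slots, so this is the longest timeout
    # here; lower it (e.g. 15s) if connection exhaustion is the concern.
    keepalive_timeout 65s;
    # Maximum pause between two successive writes to the client.
    send_timeout 10s;
    # Requests served over one keep-alive connection before it is closed.
    keepalive_requests 100;

    # Upstream response buffers (FastCGI and proxy).
    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 16k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    # Seconds to wait for a FastCGI backend between two successive reads.
    fastcgi_read_timeout 150;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    #postpone_output 0;

    # Compression. Caveat: compressing a dynamic response that contains a
    # secret (CSRF token, session id) next to attacker-influenced input exposes
    # the secret to BREACH-style length side channels; keep gzip_types to
    # static/API types or disable gzip per location for such endpoints.
    gzip on;
    gzip_vary on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain application/json text/xml application/xml;
    gzip_disable "msie6";

    # Largest accepted request body (413 beyond this); tighten per location
    # where uploads are not expected.
    client_max_body_size 20m;

    # FastCGI cache storage. This only *declares* the cache; it is used once a
    # location sets `fastcgi_cache fastcgi_cache;` together with
    # fastcgi_cache_key and fastcgi_cache_valid. Per-user responses (PHP
    # sessions started via session_start(), auth cookies) must be excluded via
    # fastcgi_cache_bypass / fastcgi_no_cache, or one user's page can be
    # served to another.
    fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
    fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;

    # DDoS mitigation. Every zone keys on $binary_remote_addr, i.e. the TCP
    # peer: behind a CDN/load balancer all requests would share the proxy's
    # address (configure set_real_ip_from / real_ip_header first), and users
    # behind one NAT share a single bucket.
    # Concurrent connections per client address; set here, so it applies to
    # every server defined in conf.d.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn perip 100;
    # Request-rate zones: 'engine' for dynamic/PHP handlers, 'static' for
    # assets. Declaring a zone does nothing by itself -- a server or location
    # in conf.d has to opt in, e.g. `limit_req zone=engine burst=10 nodelay;`.
    # Rejected requests get 503 unless limit_req_status / limit_conn_status
    # are set (429 is the conventional choice).
    limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
    limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;

    include /etc/nginx/conf.d/*.conf;
}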