[Web] nginx is DDOS protected according to http_user_agent

Posted on 12/20/2016 10:37:01 AM

Frontend squid reverse proxy to nginx
nginx is DDOS protected according to http_user_agent
First, review the access logs to find the http_user_agent characteristics of the suspicious visits, and then filter on them
"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)Cache-Control: no-store, must-revalidate"
if ($http_user_agent ~ must-revalidate) {
    return 503;
}
# This returns a 503 error
location = / {
    include proxy.conf;
    if ($http_user_agent ~* "MSIE 5.01") {
        proxy_pass http://www.qq.com;
        #access_log /usr/local/nginx/logs/k.log main;
    }
    proxy_pass http://windows.abc.com;
}
# Check the user-agent; if it's MSIE 5.01, just throw it to another place, such as pointing to www.qq.com to see if it can resist, haha
proxy_hide_header Cache-Control;
Finally, go back to Cache-Control and visit the page
Now the link is cached to the front-end squid, and the application server will not crash
#########################################################
Detailed description of the parameters of the location module in nginx
Nginx's Location can have the following matches:
1. = Strictly match this query. If found, stop searching.
2. ^~ Match the prefix of the path, if found, stop searching.
3. ~ is a case-sensitive regular match   
4. ~* is a case-insensitive match
5. !~ and !~* are case-sensitive and case-insensitive mismatches, respectively

File and directory matching
* -f and !-f are used to determine if a file exists
* -d and !-d are used to determine if a directory exists
* -e and !-e are used to determine if a file or directory exists
* -x and !-x are used to determine whether a file is executable or not

Some of the available global variables
$args
$content_length
$content_type
$document_root
$document_uri
$host
$http_user_agent
$http_cookie
$limit_rate
$request_body_file
$request_method
$remote_addr
$remote_port
$remote_user
$request_filename
$request_uri
$query_string
$scheme
$server_protocol
$server_addr
$server_name
$server_port
$uri

The flag after rewrite can be:
last
break
redirect
permanent

proxy_pass http://localhost:80;
proxy_set_header Host $host;
You can automatically change the domain name information after forwarding




 Landlord| Posted on 12/20/2016 10:37:25 AM |

When the server is hit by a CC attack (the attacker uses proxy servers to generate legitimate requests to the victim host and carry out a disguised DDOS; this is called CC, ChallengeCollapsar), nginx can simply deal with it.

Because the useragent of a CC attacker is generally fixed, we use nginx to check the useragent to handle CC attacks.
In the nginx server configuration

(1) useragent is equal to a certain feature (case insensitive)
if ($http_user_agent ~* "^OliveHC3$") {
    return 403;
}
(2) useragent contains a certain feature (not case sensitive)
if ($http_user_agent ~* "OliveHC3") {
    return 403;
}
(3) useragent is empty
if ($http_user_agent ~ ^$) {
    return 403;
}


In this way, the attack requests get a 403 in return.
 Landlord| Posted on 12/20/2016 11:03:41 AM |

1. $remote_addr and $http_x_forwarded_for: Used to record the IP address of the client;
2. $remote_user: Used to record the client user name;
3. $time_local: Used to record the access time and time zone;
4. $request: Used to record the URL and HTTP protocol of the request;
5. $status: Used to record the status of the request; success is 200;
6. $body_bytes_sent: Records the size of the main body content of the file sent to the client;
7. $http_referer: Used to record which page's link the visit came from;
8. $http_user_agent: Records the relevant information of the client browser;
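
An added example, not part of the original posts: the "review the access logs" step from the first post as a small script that parses lines in nginx's combined log format (the fields listed above) and reports any User-Agent that dominates traffic while arriving from many client addresses, which is the pattern worth a filter rule. The thresholds, function name and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# nginx "combined" format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def summarize_agents(lines, min_share=0.5, min_ips=3):
    """Return (agent, hits, share, distinct_ips) for each User-Agent that makes
    up at least min_share of requests and comes from at least min_ips clients."""
    hits, ips, total = Counter(), {}, 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format (truncated or custom line)
        agent = m.group("agent")
        if agent == "-":  # nginx writes "-" when the header is empty or absent
            agent = ""
        hits[agent] += 1
        ips.setdefault(agent, set()).add(m.group("addr"))
        total += 1
    rows = []
    for agent, n in hits.most_common():
        share = n / total
        if share >= min_share and len(ips[agent]) >= min_ips:
            rows.append((agent, n, round(share, 2), len(ips[agent])))
    return rows

SAMPLE = [  # constructed log lines using documentation IP ranges
    '192.0.2.10 - - [20/Dec/2016:10:30:01 +0800] "GET / HTTP/1.1" 200 512 "-" "OliveHC3"',
    '192.0.2.11 - - [20/Dec/2016:10:30:01 +0800] "GET / HTTP/1.1" 200 512 "-" "OliveHC3"',
    '198.51.100.7 - - [20/Dec/2016:10:30:02 +0800] "GET / HTTP/1.1" 200 512 "-" "OliveHC3"',
    '203.0.113.5 - - [20/Dec/2016:10:30:02 +0800] "GET / HTTP/1.1" 200 512 "-" "OliveHC3"',
    '203.0.113.9 - - [20/Dec/2016:10:30:03 +0800] "GET /a.css HTTP/1.1" 200 90 '
    '"http://windows.abc.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.8 - - [20/Dec/2016:10:30:04 +0800] "GET / HTTP/1.1" 200 512 "-" "-"',
    'truncated line',
]

if __name__ == "__main__":
    for row in summarize_agents(SAMPLE):
        print(row)
```

Behind the squid front end described in the first post, $remote_addr is the proxy's address, so the distinct-client count is only meaningful if the log records the forwarded client address in that position.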