ddos - I found a piece of nginx anti-CC attack configuration on the Internet. Can anyone give a rough explanation?
世界只因有你
世界只因有你 2017-05-16 17:10:02
0
1
835
http{
     ...
     limit_req_zone $cookie_token zone=session_limit:3m rate=1r/s;
     limit_req_zone $binary_remote_addr $uri zone=auth_limit:3m rate=1r/m;
}
location /{
     limit_req zone=session_limit burst=5;
     rewrite_by_lua '
     local random = ngx.var.cookie_random
     if (random == nil) then
         return ngx.redirect("/auth?url=" .. ngx.var.request_uri)
     end
     local token = ngx.md5("opencdn" .. ngx.var.remote_addr .. random)
     if (ngx.var.cookie_token ~= token) then
         return ngx.redirect("/auth?url=".. ngx.var.request_uri)
     end
    ';
}
location /auth {
     limit_req zone=auth_limit burst=1;
     if ($arg_url = "") {
         return403;
     }
     access_by_lua '
         local random = math.random(9999)
         local token = ngx.md5("opencdn" .. ngx.var.remote_addr .. random)
         if (ngx.var.cookie_token ~= token) then
             ngx.header["Set-Cookie"] = {"token=" .. token, "random=" .. random}
             return ngx.redirect(ngx.var.arg_url)
         end
     ';
}

The limit_req_zone $binary_remote_addr $uri zone=auth_limit:3m rate=1r/m; in the code is correct. Are you sure you want to add $uri? (Update limit_req_zone supports multiple variables, so $binary_remote_addr $uri is correct)
If I want to apply it to my nginx, what else should I do besides this code?
Attached is the original post address, I don’t know if it is the original post: http://www.92csz.com/30/1255....

世界只因有你
世界只因有你

reply all(1)
洪涛

This idea is very rough and unreasonable. In principle, it is similar to denying access without entering the account password.
But is this realistic?
For a new user, how is it possible to know his account password. Unless it is pre-allocated, but how can pre-allocation avoid being allocated to an attacker?
The problem is back to its original point.
So this thing is of no use, and it only prevents it to a certain extentCC,但不能防止DDOS.
Why do you say it’s only to a certain extent? Because this cookie must always be given to the user, CC attacks can also get it.

If you really want to try it, you need to install it nginx_lua模块,或者使用openresty.

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template