Nginx-ru mailing list archive (nginx-ru@sysoev.ru)


Re: ban or redirect of an IP to a stub page


  • To: nginx-ru@xxxxxxxxx
  • Subject: Re: ban or redirect of an IP to a stub page
  • From: Илья Шипицин <chipitsine@xxxxxxxxx>
  • Date: Mon, 28 Mar 2011 15:22:13 +0600
  • In-reply-to: <4D9041CA.9060203@xxxxxxxxx>
  • References: <4D8EC5C4.7090002@xxxxxxx> <BANLkTi=jN8_Nfhr-S930qkchLfxTms5ELQ@xxxxxxxxxxxxxx> <4D9041CA.9060203@xxxxxxxxx>

Well, I only sketched the idea. The implementation is as follows (the key depends on the specifics of the application):

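http {
    # ...
    # zone keyed on a variable that is assembled in the server block
    limit_req_zone  $uniq  zone=uniq:10m  rate=1r/s;
    # ...

    server {
        # ...
        # composite key: client address + session cookie + URI
        set  $uniq  $binary_remote_addr$cookie_PHPSESSIONID$uri;
        limit_req  zone=uniq  burst=1;
        # ...
    }
}
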
2011/3/28 Алексей Масленников <minisotm@xxxxxxxxx>
Something isn't working, or maybe I'm not getting it.

It says:

Restarting nginx: [emerg]: unknown "binary_remote_addr$request_uri$referer" variable

On 27.03.2011 10:48, Илья Шипицин wrote:
That's all correct, only I would extend the key to, say,

limit_zone http $binary_remote_addr$request_uri$referer 1m;

and reduce the number of connections to 1.

2011/3/27 Maxim Ponomarchuk <ponomarchuk_m@xxxxxxx>
Friends.

There is a server running Debian.
Periodically a problem appears where a flood of requests to the server starts pouring in from a single IP, and because of this the LA grows.

For example:

cat  production.log | grep 178.95.42.226

Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:05) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:06) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:07) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:08) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:08) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:09) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:10) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:11) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:11) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:12) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:13) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:14) [GET]
Processing ApplicationController#index (for 178.95.42.226 at 2011-03-27 07:56:15) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:15) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:16) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:16) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:17) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:22) [GET]
Processing AdvertisementsController#show (for 178.95.42.226 at 2011-03-27 07:56:22) [GET]
Processing AdvertisementsController#show (for 178.95.42.226 at 2011-03-27 07:56:24) [GET]
Processing AdvertisementsController#show (for 178.95.42.226 at 2011-03-27 07:56:26) [GET]
Processing AdvertisementsController#show (for 178.95.42.226 at 2011-03-27 07:56:27) [GET]
Processing AdvertisementsController#show (for 178.95.42.226 at 2011-03-27 07:56:28) [GET]
Processing AdvertisementsController#show (for 178.95.42.226 at 2011-03-27 07:56:30) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:31) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:32) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:33) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:34) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:35) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:35) [GET]
Processing DataController#url_redirect (for 178.95.42.226 at 2011-03-27 07:56:36) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:36) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:36) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:37) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:37) [GET]
Processing DataController#url_redirect (for 178.95.42.226 at 2011-03-27 07:56:38) [GET]
Processing DataController#index (for 178.95.42.226 at 2011-03-27 07:56:39) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:39) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:40) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:40) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:41) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:42) [GET]
Processing AdvertisementsController#upgrade (for 178.95.42.226 at 2011-03-27 07:56:43) [GET]

In the nginx settings I set a limit:


limit_zone http $binary_remote_addr 1m;
limit_conn   http  10;

When testing with Siege, nginx successfully drops connections beyond 10 at any one moment.

In my case, though, this condition does not match.
Is it possible to somehow make it so that if there are more than 30 requests to the server from one IP within a minute, the offender is redirected to a stub page?
Or how does one fight this?



_______________________________________________
nginx-ru mailing list
nginx-ru@xxxxxxxxx
http://nginx.org/mailman/listinfo/nginx-ru
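
An added example, not part of the thread and not the posters' configuration: a per-address request-rate limit that serves a stub page, combined with the narrower per-URI key suggested in the reply at the top. The zone names `perip` and `peruri`, the `/stub.html` path, its root directory and the backend address are assumptions; it requires nginx 1.7.6 or later for the compound key and 1.3.15 or later for `limit_req_status`.

```nginx
# Added example; zone names, paths and the backend address are assumptions.
events {}

http {
    # One bucket per client address: 30 requests per minute on average.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=30r/m;

    # Narrower bucket per address + URI. A key written as several variables
    # is accepted from nginx 1.7.6; older versions take exactly one variable,
    # which is why the thread uses "set $uniq ..." and why the concatenated
    # key produced the [emerg] "unknown variable" error.
    limit_req_zone $binary_remote_addr$uri zone=peruri:10m rate=1r/s;

    server {
        listen 80;

        # Rejected requests get 429 instead of the default 503, so the
        # stub page is not shown for genuine backend failures.
        limit_req_status 429;
        error_page 429 /stub.html;

        location / {
            # Both limits apply. A key that contains client-controlled
            # values (URI, cookie) gives every distinct value its own
            # bucket, so the address-only zone is what bounds the total.
            limit_req zone=perip  burst=10 nodelay;
            limit_req zone=peruri burst=1;
            proxy_pass http://127.0.0.1:3000;   # assumed backend
        }

        location = /stub.html {
            internal;               # reachable only through error_page
            root /var/www/stub;     # assumed directory holding stub.html
        }
    }
}
```

`rate=30r/m` is enforced as a leaky bucket (one request every two seconds plus the `burst` allowance), not as a count over a fixed one-minute window. Validate the file with `nginx -t` before reloading.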




 




Copyright © Lexa Software, 1996-2009.