我使用此配置来阻止DOS,就像我的服务器上的洪水一样:
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=sms:10m rate=1r/m;
upstream main_server{
server web_instance_1:8000;
}
server {
limit_req zone=one burst=5;
listen 80;
server_name something.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name something.com;
ssl on;
ssl_certificate /etc/nginx/ssl/chained.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
limit_req zone=one burst=5;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass https://main_server;
}
location /rest/sms {
limit_req zone=sms burst=5;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass https://main_server;
}
location /WebSocket {
limit_req zone=one burst=5;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass https://main_server;
}
}
/WebSocket URL中的我运行一个WebSocket服务器(用Tornado编写)。 limit_req位置中的/WebSocket仅阻止来自客户端的太多 websocket连接。我需要一种方法来阻止 ONE WebSocket连接向服务器发送太多数据包。
目前的配置并不禁止发送大量数据包的单个客户端。
在NGINX或龙卷风中这样做的正确方法是什么?