DDoS protection with Nginx and Cloudflare
Method 1: recover the real client IP, then rate-limit on it

When Nginx sits behind Cloudflare, every connection reaches the origin from a Cloudflare edge address. A limit keyed on $remote_addr would therefore count all visitors as a handful of Cloudflare IPs and throttle Cloudflare itself rather than the abusive client. The real visitor address is carried in the CF-Connecting-IP header, and Nginx must only trust that header when the connection really comes from Cloudflare, otherwise anyone who reaches the origin can set the header to whatever they like.

Step 1: Get all of Cloudflare's IP ranges:
https://www.cloudflare.com/ips-v4
and
https://www.cloudflare.com/ips-v6

The lists looked like this at the time of writing (they change over time, so refetch them rather than copying the snapshot below):

103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17

and

2400:cb00::/32
2405:b500::/32
2606:4700::/32
2803:f800::/32
2c0f:f248::/32
2a06:98c0::/29

Step 2: Configure Nginx

set_real_ip_from and real_ip_header come from ngx_http_realip_module (built into the standard packages; check with nginx -V). With this configuration, $remote_addr and $binary_remote_addr hold the CF-Connecting-IP value for connections from the listed ranges and the raw peer address for everything else, so the limit zones below are keyed on the real visitor:

http {
    ...
    set_real_ip_from   103.21.244.0/22;
    set_real_ip_from   103.22.200.0/22;
    set_real_ip_from   103.31.4.0/22;
    set_real_ip_from   104.16.0.0/12;
    set_real_ip_from   108.162.192.0/18;
    set_real_ip_from   131.0.72.0/22;
    set_real_ip_from   141.101.64.0/18;
    set_real_ip_from   162.158.0.0/15;
    set_real_ip_from   172.64.0.0/13;
    set_real_ip_from   173.245.48.0/20;
    set_real_ip_from   188.114.96.0/20;
    set_real_ip_from   190.93.240.0/20;
    set_real_ip_from   197.234.240.0/22;
    set_real_ip_from   198.41.128.0/17;
    set_real_ip_from   2400:cb00::/32;
    set_real_ip_from   2405:b500::/32;
    set_real_ip_from   2606:4700::/32;
    set_real_ip_from   2803:f800::/32;
    set_real_ip_from   2c0f:f248::/32;
    set_real_ip_from   2a06:98c0::/29;
    # trust this header only for connections from the ranges above
    real_ip_header     CF-Connecting-IP;

    # limit the number of concurrent connections per client IP
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    # limit the request rate per client IP (100 requests per second)
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=100r/s;
    ...
    server {
        ...
        location / {
            ...
            # apply the zones defined above to this location:
            # at most 100 concurrent connections per IP, and up to 300 requests
            # above the rate are served immediately (nodelay); anything beyond
            # that is rejected with 503
            limit_conn conn_limit_per_ip 100;
            limit_req zone=req_limit_per_ip burst=300 nodelay;
            ...
        }
    }
}

Two things to check before relying on this:

- Never add a range that is not Cloudflare's (and certainly not 0.0.0.0/0) to set_real_ip_from: any peer in a trusted range can rewrite its own address by sending CF-Connecting-IP, which would let an attacker spread a flood across as many keys as it likes.
- The limits only help if the origin is not reachable except through Cloudflare. An attacker who learns the origin address can connect to it directly and bypass the CDN entirely, so restrict inbound 80/443 on the origin's firewall to the same Cloudflare ranges. Keep the set_real_ip_from list in sync with the published one: a new edge range that is missing from it is keyed as the edge address, so every visitor behind that edge shares one bucket.

Method 2: key the limit on X-Forwarded-For

Configure Nginx:

http {
    ...
    # limit the request rate per X-Forwarded-For value (100 requests per second)
    limit_req_zone  "$http_x_forwarded_for" zone=zone:10m rate=100r/s;
    ...
    server {
        ...
        location / {
            ...
            # without nodelay, requests within the burst of 5 are queued and
            # released at the configured rate; anything beyond is rejected with 503
            limit_req zone=zone burst=5;
            ...
        }
    }
}

This needs no realip configuration, but it is weaker than Method 1 and should be used only where the realip module is unavailable. The key is a header the client can influence: Cloudflare appends the visitor's address to an X-Forwarded-For header that is already present in the request, so a client that sends its own X-Forwarded-For with a different value on every request gets a fresh key each time and is never limited, while filling the 10m zone with junk entries. A request that reaches the origin directly with no X-Forwarded-For at all has an empty key, and Nginx does not account requests with an empty key, so that traffic is not limited either.
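To make the difference between the two keys concrete, here is an added Python model (written for this page, not code from the original post or from Nginx) of two things: the realip decision from Method 1 (honour CF-Connecting-IP only when the TCP peer is in a Cloudflare range) and limit_req's per-key "excess" counter with burst/nodelay, run over constructed traffic for both Method 1 and Method 2. The Cloudflare ranges are the snapshot from the post; 104.16.1.1 stands in for a Cloudflare edge, 203.0.113.5 for a real visitor and 198.51.100.7 for an attacker connecting straight to the origin (all documentation addresses, not real hosts); the request lists are constructed, not captured.

```python
import ipaddress

# Cloudflare IPv4/IPv6 ranges as listed in the post (a snapshot; the live lists
# at https://www.cloudflare.com/ips-v4 and /ips-v6 change over time).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
    "2400:cb00::/32", "2405:b500::/32", "2606:4700::/32", "2803:f800::/32",
    "2c0f:f248::/32", "2a06:98c0::/29",
)]


def is_cloudflare(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def method1_key(peer, headers):
    """Key for Method 1: what $binary_remote_addr holds after
    set_real_ip_from <cloudflare ranges> + real_ip_header CF-Connecting-IP.
    The header replaces the peer address only when the peer is Cloudflare."""
    if is_cloudflare(peer):
        try:
            return str(ipaddress.ip_address(headers.get("CF-Connecting-IP", "")))
        except ValueError:
            pass  # missing or malformed header: realip leaves $remote_addr alone
    return peer


def method2_key(peer, headers):
    """Key for Method 2: the raw $http_x_forwarded_for value."""
    return headers.get("X-Forwarded-For", "")


class LimitReq:
    """Model of limit_req_zone rate=Nr/s + limit_req burst=B nodelay.
    Nginx keeps an 'excess' per key in milli-requests: each request adds 1000,
    elapsed time subtracts rate*ms, and a request is rejected (503) once the
    excess would exceed burst*1000. Rejected requests do not update the state."""

    def __init__(self, rate_rps, burst):
        self.rate_mrps = rate_rps * 1000   # milli-requests per second
        self.burst_m = burst * 1000
        self.state = {}                    # key -> (excess, last_ms)

    def allow(self, key, now_ms):
        if key == "":
            return True  # Nginx does not account requests with an empty key
        if key not in self.state:
            self.state[key] = (0, now_ms)
            return True
        excess, last = self.state[key]
        excess = max(0, excess - self.rate_mrps * max(0, now_ms - last) / 1000 + 1000)
        if excess > self.burst_m:
            return False
        self.state[key] = (excess, now_ms)
        return True


def simulate(key_fn, requests, rate_rps=100, burst=300):
    """Feed (now_ms, peer, headers) tuples through one zone; return (accepted, rejected)."""
    lim = LimitReq(rate_rps, burst)
    accepted = 0
    for now_ms, peer, headers in requests:
        accepted += lim.allow(key_fn(peer, headers), now_ms)
    return accepted, len(requests) - accepted


# Constructed traffic, all arriving in the same millisecond.
def via_cloudflare(n, spoof_xff=False):
    """Visitor 203.0.113.5 through edge 104.16.1.1. Cloudflare appends the
    visitor to an X-Forwarded-For the client already sent, so a client that
    sends its own XFF controls the front of the value."""
    reqs = []
    for i in range(n):
        prefix = f"10.0.{i // 256}.{i % 256}, " if spoof_xff else ""
        reqs.append((0, "104.16.1.1", {"CF-Connecting-IP": "203.0.113.5",
                                       "X-Forwarded-For": prefix + "203.0.113.5"}))
    return reqs


def direct_to_origin(n):
    """Attacker 198.51.100.7 bypasses Cloudflare and rotates CF-Connecting-IP."""
    return [(0, "198.51.100.7", {"CF-Connecting-IP": f"10.0.{i // 256}.{i % 256}"})
            for i in range(n)]


if __name__ == "__main__":
    for label, key_fn, reqs in [
        ("method1, via Cloudflare", method1_key, via_cloudflare(1000)),
        ("method1, direct with spoofed CF-Connecting-IP", method1_key, direct_to_origin(1000)),
        ("method2, via Cloudflare, honest client", method2_key, via_cloudflare(1000)),
        ("method2, via Cloudflare, spoofed XFF", method2_key, via_cloudflare(1000, spoof_xff=True)),
        ("method2, direct with no XFF", method2_key, direct_to_origin(1000)),
    ]:
        print(f"{label}: accepted/rejected = {simulate(key_fn, reqs)}")
```

With rate=100r/s and burst=300 nodelay, a single key gets 301 requests through in one burst (the first request starts the counter at 0, each further one adds 1000 milli-requests, and the 302nd would push the excess past 300000). Method 1 gives that result for both the honest visitor and the attacker spoofing CF-Connecting-IP from a non-Cloudflare peer, because realip ignores the header there. Method 2 gives it only for an honest client: a spoofed X-Forwarded-For or a direct request with no header at all passes every one of the 1000 requests.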
