1 2 | 电信单ip防御40g流量攻击/1000w pps,联通单ip防御10g流量攻击/500w pps。 联通防御10G,原因是联通内网管控严格,基本攻击都是从电信来的。 |
1 | sysctl -w net.ipv4.ip_forward=1 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | *nat :PREROUTING ACCEPT [9:496] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A PREROUTING -d 高防电信IP /32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 源站IP:源站web端口 -A PREROUTING -d 高防联通IP /32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 源站IP:源站web端口 -A POSTROUTING -p tcp -m tcp --dport 源站web端口 -j SNAT --to- source 高防电信IP -A POSTROUTING -p tcp -m tcp --dport 源站web端口 -j SNAT --to- source 高防联通IP COMMIT # Generated by iptables-save v1.4.7 on Wed Feb 22 11:49:17 2017 *filter :INPUT DROP [79:4799] :FORWARD ACCEPT [37:2232] :OUTPUT ACCEPT [150:21620] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 公司机房网段 /24 -p tcp -m multiport --dports 22,10050 -j ACCEPT -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1 /sec -j ACCEPT COMMIT |
1 | --with-http_realip_module |
1 | nginx -V |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | upstream web { server xxx.xxx.xxx.xxx:80; } server { listen 80; server_name notice1.ops.xxx.xxx; client_max_body_size 10M; proxy_read_timeout 30; access_log /var/log/nginx/access_notice .log; error_log /var/log/nginx/error_notice .log; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_redirect off; proxy_headers_hash_max_size 51200; proxy_headers_hash_bucket_size 6400; proxy_pass http: //web ; } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | server { listen 80; server_name notice1.ops.xxx.xxx; index index.html index.htm index.php; root /var/www/html/ ; access_log /var/log/nginx/notice-access .log; error_log /var/log/nginx/notice-error .log; error_page 502 = /502 .html; location ~ .*\.(php|php5)?$ { fastcgi_pass unix: /tmp/php-cgi .sock; fastcgi_index index.php; include fastcgi.conf; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_redirect off; set_real_ip_from xxx.xxx.xxx.xxx; real_ip_header X-Real-IP; } location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|mp3)$ { expires 30d; } location ~ .*\.(js|css)?$ { expires 12h; } } |
评论列表