Laravel and nginx rate-limiting strategies to prevent malicious requests

Time:2021-8-14

1、 Problem background

Recently the CPU usage on the company's production servers has frequently been too high, causing some applications to time out and generating a large number of SMS and email alarms. After checking the database log and access.log, it turned out that an API endpoint was being scraped and hit with malicious requests at a peak of about 120 requests per second.

I had not had much experience in this area before, so the handling was not very smooth. This incident was a wake-up call, so now that the problem has been exposed I am recording the solutions and strategies here.

The production deployment is nginx + Laravel.

First we try to handle it at the nginx level: a request rejected there consumes far less memory and CPU, because it never has to be forwarded to PHP-FPM for processing.

2、 Characteristics of (malicious) requests

To control malicious requests effectively you first have to identify features that distinguish them from normal traffic. In this case they were:

  1. A single IP generates a large number of requests to one endpoint in a short time
  2. The User-Agent is abnormal (a command-line tool such as curl) or empty
  3. Request volume is far higher than usual.

3、 Rate-limiting strategy (nginx)

Limit request rate

First, limit the number of requests a single IP may make per unit of time. Note that the key is $binary_remote_addr, the TCP peer address: if nginx sits behind a load balancer or CDN, that address belongs to the proxy and every client would share one bucket, so the real client IP must first be restored with the ngx_http_realip_module (set_real_ip_from / real_ip_header). The configuration is as follows:

http {
    # One shared-memory zone named "one", keyed by client IP. 1m holds about
    # 16,000 IP states; each IP is allowed 1 request per second on average.
    limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;

    server {
        location /api/ {
            # Apply the zone here; up to 5 excess requests are queued before rejection.
            limit_req zone=one burst=5;
        }
    }
}

limit_req_zone controls the request rate of a single IP using the leaky bucket algorithm. The zone size is the shared memory used to store per-IP state: 1m holds roughly 16,000 IP entries (64 bytes each). When the zone is full nginx evicts the least recently used entry, and if it still cannot create a new entry the request is terminated with an error. A request that exceeds the rate plus the burst is rejected with 503 Service Temporarily Unavailable (the status code can be changed with limit_req_status, for example to 429).

The above configuration allows each IP 1 request per second; up to 5 excess requests are queued and released at that rate (delayed rather than rejected), and anything beyond the burst is rejected immediately. Add nodelay to limit_req if the burst should be served at once instead of queued.

If each endpoint takes 200-300 ms to respond, a reasonable starting point for the per-second limit is 1000 ms / endpoint response time, i.e. 3-5 r/s, which is roughly the fastest a single well-behaved client can make sequential requests.
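To see what rate and burst actually do to a stream of requests, here is a small simulation of nginx's limit_req leaky bucket. It is an added example, not nginx code and not part of the original post; it mirrors the per-key arithmetic of ngx_http_limit_req_module (excess kept in thousandths of a request, drained at the configured rate, one request added per hit, rejection above burst, otherwise a delay proportional to the excess). The key name and timestamps are made up for the demonstration.

```python
"""Simulation of nginx's limit_req leaky bucket (added example, not nginx code)."""
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    rate: float            # requests per second, as in rate=1r/s
    burst: int = 0         # burst=N
    nodelay: bool = False  # the nodelay flag on limit_req
    _excess: dict = field(default_factory=dict)  # key -> milli-requests
    _last: dict = field(default_factory=dict)    # key -> ms of last accounted request

    def request(self, key: str, now_ms: int):
        """Return ("pass", 0), ("delay", wait_ms) or ("reject", 0) for one request."""
        if key not in self._last:
            # The first request from a key creates its state and passes.
            self._excess[key] = 0
            self._last[key] = now_ms
            return ("pass", 0)

        elapsed_ms = max(0, now_ms - self._last[key])
        # Drain at `rate` requests/second (= rate milli-requests per ms), then add this request.
        excess = max(0, self._excess[key] - int(self.rate * elapsed_ms) + 1000)

        if excess > self.burst * 1000:
            # Over rate + burst: 503 by default. Rejected requests do not update the state.
            return ("reject", 0)

        self._excess[key] = excess
        self._last[key] = now_ms
        if self.nodelay or excess == 0:
            return ("pass", 0)
        # Without nodelay each excess request waits until the bucket has drained it.
        return ("delay", int(excess / self.rate))


def simulate(rate, burst, nodelay, timestamps_ms, key="203.0.113.10"):
    """Run one key's requests (ms timestamps) through a fresh limiter; key is a placeholder."""
    lim = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    return [lim.request(key, t) for t in timestamps_ms]


if __name__ == "__main__":
    # Seven requests in the same millisecond against the page's rate=1r/s burst=5.
    for verdict in simulate(1, 5, False, [0] * 7):
        print(verdict)
```

With the page's configuration, seven simultaneous requests give one immediate pass, five delayed by 1 to 5 seconds, and one 503; with nodelay the same seven give six immediate passes and one 503, which is why nodelay is the usual choice for an API where a slow answer is no better than a refused one.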

Limit concurrent connections

After limiting request frequency, if there are still large numbers of malicious requests, we can also limit the number of concurrent connections per IP.

http {
    # A separate zone for connection counting. Its name must differ from the
    # limit_req zone above: nginx refuses to reuse one shared-memory zone name
    # for a different purpose.
    limit_conn_zone $binary_remote_addr zone=addr:1m;

    server {
        location /api/ {
            # At most 10 simultaneous connections per client IP to /api/
            limit_conn addr 10;
        }
    }
}

limit_conn_zone controls the number of simultaneous connections per key (here per client IP); it says nothing about how fast requests arrive, which is why it complements limit_req rather than replacing it.

The zone size has the same meaning as in limit_req_zone and can be adjusted as needed. The above configuration limits each client IP to at most 10 concurrent connections to /api/; the 11th is rejected with 503 (configurable with limit_conn_status). A connection is only counted once nginx has read the request headers and matched the location, and clients behind a shared NAT all count against the same limit, so do not set it too low.

Set IP blacklist

When an IP is requesting too frequently, or access from it needs to be cut off entirely, blacklisted IPs can be refused with nginx's deny directive.

http {
    include blockip.conf; 
}

blockip.conf (the blacklist):

deny 195.91.112.66;
deny 192.168.2.100;

Once an IP is blacklisted, its subsequent requests get 403 Forbidden. nginx reads blockip.conf only when the configuration is loaded, so run nginx -s reload after editing it; deny also accepts CIDR ranges, which is handy when a scraper rotates through one subnet.

Restrict UA (user agent) information

http {
    server {
        if ($http_user_agent ~* "curl") {
          return 403;
        }
    }
}

The above rejects clients whose User-Agent contains curl (the ~* match is case-insensitive) and returns 403 directly. Bear in mind that the User-Agent is supplied by the client and trivially spoofed, so this only stops the laziest scrapers; treat it as a cheap first filter, not a control to rely on.

Multiple UAs to be blocked are separated with |.

if ($http_user_agent ~* "curl|wget") {
    return 403;
}

4、 Rate-limiting strategy (Laravel)

Our Laravel project also has the ThrottleRequests middleware (registered under the throttle alias), which can suppress malicious requests at the application layer. It is configured as follows:

// throttle:<max attempts>,<decay minutes>; the two parameters are separated by a comma
Route::group(['middleware' => 'throttle:30,1'], function () {
    Route::any('/login', '[email protected]');
});

In the throttle parameters, the first is the maximum number of requests and the second is the window in minutes, separated by a comma (a colon between them would be passed as one parameter). The above configuration lets each client call the login route at most 30 times per minute; for unauthenticated requests the counter is keyed on the client IP, for logged-in users on the user ID.

When a client exceeds the limit, the server returns 429 Too Many Attempts. with a Retry-After header. The middleware keeps its counters in the configured cache store, so the cache driver must be shared across all application servers (Redis or the database, not a per-host file cache), otherwise each node enforces its own count; and as with nginx, the client IP must be the real one, which behind a proxy means configuring the TrustProxies middleware.
