Nginx security configuration: blocking stress-testing tools
Author: 尹正杰
Copyright notice: original work, reproduction is declined; violations will be pursued legally.
I. Set up a web server that serves normal traffic
1>. Edit the main configuration file
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes 4;
worker_cpu_affinity 00000001 00000010 00000100 00001000;

events {
    worker_connections 100000;
    use epoll;
    accept_mutex on;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  text/html;
    server_tokens off;
    charset utf-8;

    log_format my_access_json '{"@timestamp":"$time_iso8601",'
                              '"host":"$server_addr",'
                              '"clientip":"$remote_addr",'
                              '"size":$body_bytes_sent,'
                              '"responsetime":$request_time,'
                              '"upstreamtime":"$upstream_response_time",'
                              '"upstreamhost":"$upstream_addr",'
                              '"http_host":"$host",'
                              '"uri":"$uri",'
                              '"domain":"$host",'
                              '"xff":"$http_x_forwarded_for",'
                              '"referer":"$http_referer",'
                              '"tcp_xff":"$proxy_protocol_addr",'
                              '"http_user_agent":"$http_user_agent",'
                              '"status":"$status"}';
    access_log logs/access_json.log my_access_json;

    ssl_certificate     /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
    ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
    ssl_session_cache   shared:sslcache:20m;
    ssl_session_timeout 10m;

    include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
2>. Edit the site configuration file
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.org.cn;
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
    error_log  /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;

    location / {
        root  /yinzhengjie/data/web/nginx/static/cn;
        index index.html;
    }

    location = /favicon.ico {
        root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
3>. Prepare test data
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/{static,images}
mkdir: created directory ‘/yinzhengjie/data/web/nginx’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/images’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/static/cn/css
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn’
mkdir: created directory ‘/yinzhengjie/data/web/nginx/static/cn/css’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/images/jd
mkdir: created directory ‘/yinzhengjie/data/web/nginx/images/jd’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /yinzhengjie/data/web/nginx/static/cn/css/
total 1004
-rw-r--r-- 1 root root 1025154 Dec 24 18:29 01.png
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/static/cn/index.html
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>node101.yinzhengjie.org.cn</title>
    <style type="text/css">
        /* reset the default style of every element */
        * {
            padding: 0;
            margin: 0;
        }
        .box1 {
            width: 1215px;
            height: 700px;
            background-image: url(css/01.png);
        }
        p {
            color: red;
            font-size: 32px;
            font-weight: bold;
            font-family: "arial","华文彩云","微软雅黑",serif;
        }
    </style>
</head>
<body>
    <p>这是"node101.yinzhengjie.org.cn"的首页</p>
    <div class="box1"></div>
</body>
</html>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# wget https://www.jd.com/favicon.ico -O /yinzhengjie/data/web/nginx/images/jd/favicon.ico    # here we download an image from the web to use as the browser tab logo
--2019-12-24 18:51:03--  https://www.jd.com/favicon.ico
Resolving www.jd.com (www.jd.com)... 220.194.105.131, 2408:8710:20:1140:8000::3
Connecting to www.jd.com (www.jd.com)|220.194.105.131|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25214 (25K) [image/x-icon]
Saving to: ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’

100%[==========================================>] 25,214      --.-K/s   in 0s

2019-12-24 18:51:09 (404 MB/s) - ‘/yinzhengjie/data/web/nginx/images/jd/favicon.ico’ saved [25214/25214]

[root@node101.yinzhengjie.org.cn ~]# 
4>. Start the nginx service
[root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# netstat -untalp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24954/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24954/nginx: master
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
5>. Open "https://node101.yinzhengjie.org.cn/" in a browser, as shown in the figure below
6>. Check the nginx log output
II. Stress-test the server with the ab command
1>. Install Apache's stress-testing tool

[root@node101.yinzhengjie.org.cn ~]# yum -y install http-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
No package http-tools available.
Error: Nothing to do
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-90.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version                   Repository       Size
================================================================================
Installing:
 httpd-tools       x86_64      2.4.6-90.el7.centos       base             91 k
Installing for dependencies:
 apr               x86_64      1.4.8-5.el7               base            103 k
 apr-util          x86_64      1.5.2-6.el7               base             92 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 286 k
Installed size: 584 k
Downloading packages:
apr-util-1.5.2-6.el7.x86_64.rp FAILED
http://mirror.lzu.edu.cn/centos/7.7.1908/os/x86_64/Packages/apr-util-1.5.2-6.el7.x86_64.rpm: [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
Trying other mirror.
(1/3): apr-1.4.8-5.el7.x86_64.rpm                          | 103 kB  00:00:00
(2/3): httpd-tools-2.4.6-90.el7.centos.x86_64.rpm          |  91 kB  00:00:00
(3/3): apr-util-1.5.2-6.el7.x86_64.rpm                     |  92 kB  00:00:06
--------------------------------------------------------------------------------
Total                                              44 kB/s | 286 kB  00:00:06
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                       1/3
  Installing : apr-util-1.5.2-6.el7.x86_64                                  2/3
  Installing : httpd-tools-2.4.6-90.el7.centos.x86_64                       3/3
  Verifying  : apr-1.4.8-5.el7.x86_64                                       1/3
  Verifying  : httpd-tools-2.4.6-90.el7.centos.x86_64                       2/3
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                  3/3

Installed:
  httpd-tools.x86_64 0:2.4.6-90.el7.centos

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7                  apr-util.x86_64 0:1.5.2-6.el7

Complete!
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# rpm -qi httpd-tools
Name        : httpd-tools
Version     : 2.4.6
Release     : 90.el7.centos
Architecture: x86_64
Install Date: Tue 24 Dec 2019 07:51:40 PM CST
Group       : System Environment/Daemons
Size        : 172756
License     : ASL 2.0
Signature   : RSA/SHA256, Fri 23 Aug 2019 05:25:34 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : httpd-2.4.6-90.el7.centos.src.rpm
Build Date  : Thu 08 Aug 2019 07:43:53 PM CST
Build Host  : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://httpd.apache.org/
Summary     : Tools for use with the Apache HTTP Server
Description :
The httpd-tools package contains tools which can be used with the Apache HTTP
Server.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# rpm -ql httpd-tools
/usr/bin/ab
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.6
/usr/share/doc/httpd-tools-2.4.6/LICENSE
/usr/share/doc/httpd-tools-2.4.6/NOTICE
/usr/share/man/man1/ab.1.gz
/usr/share/man/man1/htdbm.1.gz
/usr/share/man/man1/htdigest.1.gz
/usr/share/man/man1/htpasswd.1.gz
/usr/share/man/man1/httxt2dbm.1.gz
/usr/share/man/man1/logresolve.1.gz
[root@node101.yinzhengjie.org.cn ~]# 
2>. Stress-test "http://node101.yinzhengjie.org.cn" with the ab command
[root@node101.yinzhengjie.org.cn ~]# ab -n100000 -c 2000 http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests


Server Software:        yinzhengjie2019
Server Hostname:        node101.yinzhengjie.org.cn
Server Port:            80

Document Path:          /
Document Length:        566 bytes

Concurrency Level:      2000
Time taken for tests:   4.498 seconds
Complete requests:      100000
Failed requests:        0
Write errors:           0
Total transferred:      81700000 bytes
HTML transferred:       56600000 bytes
Requests per second:    22229.87 [#/sec] (mean)
Time per request:       89.969 [ms] (mean)
Time per request:       0.045 [ms] (mean, across all concurrent requests)
Transfer rate:          17736.14 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   53 286.1      0    3018
Processing:     1   11  37.6      8    1319
Waiting:        0   11  37.3      8    1310
Total:          1   64 294.6      8    3429

Percentage of the requests served within a certain time (ms)
  50%      8
  66%      9
  75%      9
  80%      9
  90%     12
  95%     36
  98%   1020
  99%   1298
 100%   3429 (longest request)
[root@node101.yinzhengjie.org.cn ~]# 

Tip: for an explanation of the ab parameters above, see my earlier notes at https://www.cnblogs.com/yinzhengjie/p/6204049.html.
3>. Check the access log of the node101.yinzhengjie.org.cn site
III. Configuration to block stress-testing tools
1>. Edit the configuration file of the "node101.yinzhengjie.org.cn" site
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/node101_yinzhengjie_org.cn.conf
server {
    listen 80;
    listen 443 ssl;
    server_name node101.yinzhengjie.org.cn;
    access_log /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log my_access_json;
    error_log  /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_error.log;

    location / {
        root  /yinzhengjie/data/web/nginx/static/cn;
        index index.html;

        # Define the valid request referers, separated by spaces
        valid_referers none blocked server_names *.baidu.com example.* ~.google.;

        # Any referer not matched by the valid list above is treated as invalid
        if ($invalid_referer) {
            return 403;
        }

        # Deny access outright to some common stress-testing tools, matched by User-Agent
        if ($http_user_agent ~ "ApacheBench|WebBench|TurnitinBot|Sougou web spider|Grid Server") {
            return 403;
        }
    }

    location = /favicon.ico {
        root /yinzhengjie/data/web/nginx/images/jd;
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
2>. Reload the configuration
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
nginx    25710 24954  0 19:37 ?        00:00:00 nginx: worker process
nginx    25711 24954  0 19:37 ?        00:00:01 nginx: worker process
nginx    25712 24954  0 19:37 ?        00:00:01 nginx: worker process
nginx    25713 24954  0 19:37 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root     24954     1  0 18:44 ?        00:00:00 nginx: master process nginx
root     25780 22439  0 19:58 pts/2    00:00:00 tail -10f /yinzhengjie/softwares/nginx/logs/node101_yinzhengjie_org_cn_access.log
nginx    25796 24954  0 20:09 ?        00:00:00 nginx: worker process
nginx    25797 24954  0 20:09 ?        00:00:00 nginx: worker process
nginx    25798 24954  0 20:09 ?        00:00:00 nginx: worker process
nginx    25799 24954  0 20:09 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
3>. Run the ab command against the site again; as shown in the figure below, it can no longer be used to attack the site
[root@node101.yinzhengjie.org.cn ~]# ab -n100000 -c 2000 http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
apr_socket_recv: Connection reset by peer (104)
Total of 99715 requests completed
[root@node101.yinzhengjie.org.cn ~]# 
4>. Check the access log of the node101.yinzhengjie.org.cn site
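To make the log review concrete, here is an added Python example (not part of the original post) that re-implements the semantics of the site's `valid_referers` list and its blocked User-Agent pattern and runs them over constructed `my_access_json` log lines, so you can see which logged requests the new rules would reject. The client addresses, the referers and the `evil.test` host are made-up sample values.

```python
import json
import re
from urllib.parse import urlsplit
# Mirrors the page's directive: valid_referers none blocked server_names *.baidu.com example.* ~.google.;
SERVER_NAMES = {"node101.yinzhengjie.org.cn"}
REFERER_RULES = ["*.baidu.com", "example.*", "~.google."]
# Mirrors the User-Agent pattern the page's location block rejects with 403.
BLOCKED_UA = re.compile(r"ApacheBench|WebBench|TurnitinBot|Sougou web spider|Grid Server")

def referer_is_valid(referer):
    """Evaluate the page's valid_referers list the way nginx does."""
    if referer in ("", "-"):
        return True  # none: header absent ($http_referer is logged as "-")
    if not re.match(r"https?://", referer):
        return True  # blocked: present but its scheme was stripped by a proxy or firewall
    host = urlsplit(referer).hostname or ""
    if host in SERVER_NAMES:
        return True  # server_names
    for rule in REFERER_RULES:
        if rule.startswith("~"):  # regex rules match the text after the scheme
            if re.search(rule[1:], referer.split("://", 1)[1]):
                return True
        elif rule.startswith("*.") and host.endswith(rule[1:]):
            return True  # *.baidu.com: any subdomain, not the bare domain
        elif rule.endswith(".*") and host.startswith(rule[:-1]):
            return True  # example.*: any top-level domain
    return False

def classify(log_line):
    """Status the page's location block would return for one logged request."""
    entry = json.loads(log_line)
    if not referer_is_valid(entry["referer"]) or BLOCKED_UA.search(entry["http_user_agent"]):
        return 403
    return 200

# Constructed sample lines in the page's my_access_json format, trimmed to the fields
# the rules use; not real traffic from the page's server.
SAMPLE_LOG = [
    '{"clientip":"10.0.0.5","referer":"-","http_user_agent":"ApacheBench/2.3","status":"200"}',
    '{"clientip":"10.0.0.6","referer":"-","http_user_agent":"Mozilla/5.0","status":"200"}',
    '{"clientip":"10.0.0.7","referer":"https://www.baidu.com/s?wd=nginx","http_user_agent":"Mozilla/5.0","status":"200"}',
    '{"clientip":"10.0.0.8","referer":"http://evil.test/","http_user_agent":"Mozilla/5.0","status":"200"}',
]

def summarize(lines):
    """Per User-Agent, count requests the new rules would still serve vs. reject."""
    counts = {}
    for line in lines:
        ua = json.loads(line)["http_user_agent"]
        counts.setdefault(ua, {200: 0, 403: 0})[classify(line)] += 1
    return counts
```

Run `summarize()` over the site's real access log (one JSON object per line) to preview the effect of the rules before reloading nginx, and keep in mind that a User-Agent match is only a first, easily bypassed layer; pair it with `limit_req` for real protection.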
5>.