电信单 IP 可防御 40 Gbps 流量攻击 / 1000 万 pps，联通单 IP 可防御 10 Gbps 流量攻击 / 500 万 pps。
联通只给到 10 Gbps 防御，原因是联通内网管控严格，攻击基本都是从电信过来的。
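# Allow this box to route packets so the DNAT/SNAT rules below can relay client
# traffic to the origin.  `sysctl -w` only changes the running kernel; persist
# the setting as well, otherwise a reboot silently stops forwarding and the
# site goes dark behind the 高防 IPs.  (On systems without /etc/sysctl.d,
# set the same key in /etc/sysctl.conf instead.)
sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf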
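# Generated by iptables-save v1.4.7 on Wed Feb 22 11:49:17 2017
# 高防 (DDoS-scrubbed) front box.  Inbound :80 on each carrier IP is DNATed to
# the origin (源站); replies are SNATed so the origin answers back through this
# box.  Only connections that went through DNAT are forwarded; anything else
# routed through the box is dropped.
*nat
:PREROUTING ACCEPT [9:496]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port-forward each carrier-facing IP to the origin web port.
-A PREROUTING -d 高防电信IP/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 源站IP:源站web端口
-A PREROUTING -d 高防联通IP/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 源站IP:源站web端口
# Choose the SNAT source from the carrier IP the client originally connected
# to (--ctorigdst = destination before DNAT).  The original two SNAT rules had
# identical matches, so the second never fired and every origin connection
# left as 高防电信IP.  Restricting -d to 源站IP keeps the box's own outbound
# traffic on that port out of the SNAT.
-A POSTROUTING -d 源站IP/32 -p tcp -m tcp --dport 源站web端口 -m conntrack --ctorigdst 高防电信IP -j SNAT --to-source 高防电信IP
-A POSTROUTING -d 源站IP/32 -p tcp -m tcp --dport 源站web端口 -m conntrack --ctorigdst 高防联通IP -j SNAT --to-source 高防联通IP
COMMIT
*filter
:INPUT DROP [79:4799]
# With ip_forward=1 an ACCEPT policy here turns the box into an open relay for
# anything routed through it; default to DROP and whitelist below.
:FORWARD DROP [37:2232]
:OUTPUT ACCEPT [150:21620]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Unconditional ICMP kept from the original.  RELATED above already admits
# ICMP errors tied to tracked flows (PMTUD etc.), so this mainly admits echo
# requests; rate-limit it if ping floods ever get past the upstream scrubbing.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH and the monitoring agent port (10050) only from the company DC range.
-A INPUT -s 公司机房网段/24 -p tcp -m multiport --dports 22,10050 -j ACCEPT
# Bare-RST flood control: pass at most 1/sec, drop the remainder.  The
# original had only the ACCEPT half under an ACCEPT policy, so nothing was
# ever dropped.  Kept ahead of the ESTABLISHED rule as in the original.
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
# Forward only DNATed web connections and their reply/related packets.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 源站IP/32 -p tcp -m tcp --dport 源站web端口 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT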
# Build-time ./configure flag for the origin's nginx.  ngx_http_realip_module
# is not compiled in by default; without it the set_real_ip_from /
# real_ip_header directives used later are rejected at config test.
--with-http_realip_module
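# Confirm ngx_http_realip_module was compiled in.  `nginx -V` writes the
# configure arguments to stderr, so redirect it before grepping; the command
# prints the flag when present and exits non-zero when it is missing.
nginx -V 2>&1 | grep -o -- '--with-http_realip_module'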
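# 高防 (front) box: L7 reverse proxy to the origin.
# NOTE: if the iptables DNAT for :80 from the earlier section is also loaded,
# PREROUTING rewrites port-80 packets before local delivery and this listener
# never sees them -- deploy one of the two forwarding methods, not both.
upstream web {
    server xxx.xxx.xxx.xxx:80;   # origin (源站) web port
}
server {
    listen 80;
    server_name notice1.ops.xxx.xxx;
    client_max_body_size 10M;
    proxy_read_timeout 30;
    access_log /var/log/nginx/access_notice.log;
    error_log  /var/log/nginx/error_notice.log;
    location / {
        # X-Real-IP is what the origin trusts (real_ip_header X-Real-IP); it
        # carries only the connecting client, never a client-supplied chain.
        proxy_set_header X-Real-IP $remote_addr;
        # Single X-Forwarded-For.  The original set it twice ($remote_addr and
        # $proxy_add_x_forwarded_for); nginx does not de-duplicate
        # proxy_set_header, so the origin could receive both lines.
        # $proxy_add_x_forwarded_for appends to whatever XFF the client sent,
        # so the origin must not use it for access decisions without a
        # trusted-proxy list and real_ip_recursive.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        # Oversized header-hash values carried over from the original;
        # harmless, only memory.
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_pass http://web;
    }
}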
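# Origin (源站) vhost sitting behind the 高防 box.
server {
    listen 80;
    server_name notice1.ops.xxx.xxx;
    index index.html index.htm index.php;
    root /var/www/html/;
    access_log /var/log/nginx/notice-access.log;
    error_log  /var/log/nginx/notice-error.log;
    error_page 502 = /502.html;

    # Recover the client address from the 高防 proxy.  These belong at server
    # level: in the original they sat inside `location /`, and since regex
    # locations (PHP, static) are matched in preference to `/`, PHP requests
    # never went through realip and REMOTE_ADDR was the proxy IP.
    # List every 高防 address that can connect (both carrier IPs if both are
    # used).  The header exists only on the nginx-proxy path; the pure
    # iptables DNAT/SNAT path carries no client-IP header at all.
    set_real_ip_from xxx.xxx.xxx.xxx;
    real_ip_header X-Real-IP;

    # The origin should also firewall :80 to the 高防 IPs; otherwise anyone
    # who learns 源站IP bypasses the protection entirely.

    # Dropped the stray `?` from the original `.*\.(php|php5)?$`, which also
    # sent URIs ending in a bare "." to PHP-FPM.
    location ~ \.(php|php5)$ {
        # Refuse URIs whose file does not exist.  Without this, a request like
        # /upload/x.jpg/y.php is passed to PHP-FPM, which with
        # cgi.fix_pathinfo=1 falls back to executing /upload/x.jpg as PHP.
        try_files $uri =404;
        # Socket lives under world-writable /tmp; a /var/run path is safer.
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location / {
        # No proxy_pass here, so the original proxy_set_header lines had no
        # effect and were removed; static files are served from root.
    }
    location ~ \.(gif|jpg|jpeg|png|bmp|swf|mp3)$ {
        expires 30d;
    }
    # Same stray `?` removed as in the PHP location.
    location ~ \.(js|css)$ {
        expires 12h;
    }
}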