Additional Nginx Config DDoS Protection
The script does a very good job of protecting and hardening your Nginx server from attacks.
For those wanting to go a step further and really lock down their Nginx, here are some nginx config values you should definitely apply.
```nginx
# Set worker_processes based on your CPU cores: nginx does not benefit from
# more worker processes than the number of cores you have.
worker_processes auto; # best option, let nginx calculate it automatically
# Just make sure you have more than 1 worker process, so that when one worker
# is at full capacity another can take up the slack.

# Number of file descriptors used for nginx.
# The limit for the maximum FDs on the server is usually set by the OS;
# if you don't set it here the OS setting is used, which is by default 2000.
worker_rlimit_nofile 100000; # increased from the default; make sure it is more than worker_connections

events {
    # Max number of connections per nginx worker process.
    # By default this is 512, which is very low especially when under attack.
    worker_connections 8192;
    # Max value 32768. nginx recycles connections, so this value * 20 is the max
    # concurrent connections currently tested with one worker; C1000K should be
    # possible provided there is enough RAM/CPU power on your server.

    # Let each worker accept all new connections at once instead of one per event loop iteration.
    multi_accept on;
}
```
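The comment above says worker_rlimit_nofile must be higher than worker_connections, and that the OS limit applies when nginx does not set its own. The following shell function is an added example (not part of the wiki or the anti-DDoS script) that reads both directives out of an nginx.conf, enforces that rule, and warns when the configured value is above the shell's hard nofile limit, which a non-root nginx master cannot raise. Directive names are nginx's own; the sample config is constructed for the demo.

```shell
# Added example, not from the wiki: check worker_rlimit_nofile against worker_connections
# in an nginx.conf and against the OS hard limit. Sample config below is constructed.
check_nginx_worker_limits() {
    conf="$1"
    # Pull the first numeric value of each directive, ignoring trailing comments.
    conns=$(sed -n 's/^[[:space:]]*worker_connections[[:space:]][[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$conf" | head -n 1)
    nofile=$(sed -n 's/^[[:space:]]*worker_rlimit_nofile[[:space:]][[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$conf" | head -n 1)
    if [ -z "$conns" ] || [ -z "$nofile" ]; then
        echo "missing worker_connections or worker_rlimit_nofile in $conf" >&2
        return 2
    fi
    if [ "$nofile" -le "$conns" ]; then
        echo "worker_rlimit_nofile ($nofile) must be higher than worker_connections ($conns)" >&2
        return 1
    fi
    # Non-fatal: a non-root nginx master cannot raise its limit above the kernel hard limit.
    hard=$(ulimit -H -n 2>/dev/null)
    if [ -n "$hard" ] && [ "$hard" != "unlimited" ] && [ "$nofile" -gt "$hard" ]; then
        echo "warning: worker_rlimit_nofile ($nofile) exceeds the OS hard limit ($hard); raise it in limits.conf or the service's LimitNOFILE" >&2
    fi
    return 0
}

# Constructed sample config for the demo (the values from the snippet above).
demo_conf=$(mktemp)
printf 'worker_processes auto;\nworker_rlimit_nofile 100000;\nevents {\n    worker_connections 8192;\n    multi_accept on;\n}\n' > "$demo_conf"
if check_nginx_worker_limits "$demo_conf"; then echo "limits ok"; else echo "limits need attention"; fi
rm -f "$demo_conf"
```

Run it against your real file with `check_nginx_worker_limits /etc/nginx/nginx.conf`; exit status 1 means the two directives are inverted, 2 means one of them is missing.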
```nginx
http {
    # Inside your HTTP block
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k; # increase this if you allow file uploads or large POST sizes on forums
    # Any single request line or header line that does not fit into one of these buffers
    # is rejected (414 for the request line, 400 for a header), so raise the size if your
    # clients legitimately send large cookies.
    large_client_header_buffers 2 1k;
}
```
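A 1k header buffer is tight for real browsers, so before deploying the snippet above it is worth checking a captured request against it. The shell functions below are an added example (not part of the wiki) that approximate nginx's rule that each request line or header line must fit into one large_client_header_buffers buffer: they convert the nginx size value to bytes and measure the longest header line. The two sample requests are constructed for the demo.

```shell
# Added example, not from the wiki: estimate whether a captured request would be refused by
# the configured header buffers. Approximates nginx's one-line-per-buffer rule; samples constructed.
size_to_bytes() {
    # Convert an nginx size value (1k, 8k, 1m, 4096) to bytes.
    case "$1" in
        *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
        *[mM]) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

longest_header_line() {
    # Byte length of the longest line (CRLF included) before the blank line that ends the headers.
    awk '{ sub(/\r$/, ""); if ($0 == "") exit; n = length($0) + 2; if (n > m) m = n } END { print m + 0 }' "$1"
}

headers_fit_buffer() {
    # $1 = file holding a raw request, $2 = buffer size as written in nginx.conf (e.g. 1k).
    # Returns 0 when every request/header line fits in one buffer of that size.
    limit=$(size_to_bytes "$2")
    longest=$(longest_header_line "$1")
    [ "$longest" -le "$limit" ]
}

# Constructed samples: a plain request and one carrying a 1200-byte session cookie.
small_req=$(mktemp); big_req=$(mktemp)
printf 'GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n' > "$small_req"
cookie=$(head -c 1200 /dev/zero | tr '\0' 'a')
printf 'GET / HTTP/1.1\r\nHost: example.com\r\nCookie: session=%s\r\n\r\n' "$cookie" > "$big_req"
for f in "$small_req" "$big_req"; do
    if headers_fit_buffer "$f" 1k; then
        echo "fits in 1k buffers"
    else
        echo "rejected by 1k buffers (longest line $(longest_header_line "$f") bytes)"
    fi
done
rm -f "$small_req" "$big_req"
```

The second request is refused at 1k but accepted at 8k, which is the trade-off the snippet makes: small buffers cost attackers memory per connection but also drop legitimate users whose cookies outgrow them.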
```nginx
http {
    # Inside your HTTP block
    # Allow the server to close the connection on a non-responding client; this frees up memory.
    reset_timedout_connection on; # default is off, this really should be on
    client_body_timeout 5s;       # default is 60
    client_header_timeout 5s;     # default is 60
    send_timeout 5;               # default is 60
    keepalive_timeout 30;         # default is 60
    keepalive_requests 10;        # default is 1000
}
```
```nginx
http {
    # Inside your HTTP block
    # Cache information about the file descriptors of frequently accessed files.
    open_file_cache max=1000 inactive=20s; # not too high but not too low either
    open_file_cache_valid 30s;
}
```
```nginx
http {
    # Inside your HTTP block
    # Just-in-time compilation of the regular expressions used in location and rewrite rules.
    # http://nginx.org/en/docs/ngx_core_module.html#pcre_jit
    pcre_jit on;
}
```
If you have a lot of websites and subdomains you should use these values; the default values are too low.
```nginx
http {
    # Inside your HTTP block
    server_names_hash_bucket_size 128; # hash table for website names like subdomain.domain.co.uk
    map_hash_bucket_size 64;           # hash table for map variables, if you use map directives
}
```
GZIP is a CPU intensive task: imagine receiving 100,000 requests in 1 second and trying to compress every response. By default the script turns off GZIP automatically when under attack, but if you want to feel extra safe you can turn it off yourself like this.
```nginx
http {
    # Inside your HTTP block
    # Disable response compression entirely so an attacker cannot burn CPU through it.
    gzip off;
}
```
In parts of nginx (paths or domains) where you have not placed the anti-DDoS script to protect the server, nginx will tell users what version it is, and attackers can use that information to their advantage.
```nginx
http {
    # Inside your HTTP block
    # Send "Server: nginx" instead of "Server: nginx/x.y.z" and drop the version from error pages.
    server_tokens off;
}
```
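Both of the last two settings are easy to verify from the outside. The shell function below is an added example (not part of the wiki) that audits a captured response header block for the two things those snippets are meant to remove: a Server header that still carries the nginx version, and a gzip Content-Encoding. It is written to take the output of `curl -sI`; the two sample header blocks are constructed for the demo, including the version number.

```shell
# Added example, not from the wiki: audit captured response headers for a leaked nginx version
# (server_tokens not off) and for gzip still being applied. Sample headers are constructed.
audit_response_headers() {
    # $1 = file containing one HTTP response header block (e.g. saved from "curl -sI URL").
    # Prints each finding and returns 0 when clean, 1 when anything was flagged.
    findings=0
    if grep -qi '^Server:[[:space:]]*nginx/[0-9]' "$1"; then
        echo "server_tokens: Server header exposes the nginx version"
        findings=$((findings + 1))
    fi
    if grep -qi '^Content-Encoding:[[:space:]]*gzip' "$1"; then
        echo "gzip: response is compressed (check gzip off, or an upstream that compresses)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed samples: a server with the defaults, and one with both snippets applied.
leaky=$(mktemp); clean=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n' > "$leaky"
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n' > "$clean"
for f in "$leaky" "$clean"; do
    if audit_response_headers "$f"; then echo "clean"; fi
done
rm -f "$leaky" "$clean"
```

Note that `server_tokens off` still announces "nginx" in the Server header; the audit only flags the version, which is the part the page asks you to hide.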