DDoS attacks are a routine threat to any public website. The Nginx access log is the cheapest source of evidence you have for spotting the attacking sources and for feeding a block list, and the steps below go from logging, to detection, to rate limiting and blocking:
Tune the log format (this extends the standard combined format with the request time and the upstream response time, so a flood of slow requests is as visible as a flood of many requests):
log_format ddos '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'Request_Time=$request_time '
'Upstream_Time=$upstream_response_time';
Enable the access log with that format (under attack the log is written for every request, so on busy hosts add buffering with the buffer= and flush= parameters of access_log to avoid one write per request):
access_log /var/log/nginx/access.log ddos;
Use GoAccess for real-time monitoring. GoAccess has to be told the log format: --log-format=COMBINED matches the Nginx default, while the custom ddos format above needs a matching specification (%h is the client address, %d and %t the date and time, %r the request line, %s the status, %b the bytes sent, %R the referrer, %u the user agent, %T the request time in seconds and %^ skips a field). With -o and --real-time-html the report is a live HTML page instead of a terminal dashboard:
goaccess /var/log/nginx/access.log -a --log-format='%h - %^ [%d:%t %^] "%r" %s %b "%R" "%u" Request_Time=%T %^' --date-format='%d/%b/%Y' --time-format='%T' -o /var/www/html/report.html --real-time-html
Quick AWK analysis (the 20 client IPs with the most requests; during a live attack run it over the tail of the log rather than the whole file, otherwise a day of normal traffic dilutes the numbers):
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20
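A plain uniq -c ranks IPs over the whole file, which is fine for a first look but mixes yesterday's traffic with the attack and says nothing about what the IP is doing. The following script is an added example (not part of the original page) that restricts the count to a time window taken from the log's own timestamps and adds two signals a flood usually shows: very few distinct URIs per IP, and a high mean Request_Time from the ddos log format above. The sample log lines are constructed for the example, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added example: windowed per-IP request counts from an Nginx log in the ddos
# log_format defined above (combined format + Request_Time= + Upstream_Time=).
set -u

# top_offenders LOG WINDOW_MINUTES THRESHOLD
# Prints "count ip distinct_uris avg_request_time" for every IP with more than
# THRESHOLD requests inside the last WINDOW_MINUTES of the log. The window is
# measured back from the newest line, not from "now", so the function gives the
# same answer on a saved copy of the log as on the live file.
top_offenders() {
  awk -v window="$2" -v limit="$3" '
    # Turn "[10/Oct/2024:13:55:36" into a monotonically increasing number.
    # Months are treated as 31 days: exact enough for minute-scale windows
    # (gawk users can swap in mktime() for a true epoch).
    function ts(s,    d, mon) {
      split(substr(s, 2), d, /[\/:]/)   # d[1]=day d[2]=Mon d[3]=year d[4]=h d[5]=m d[6]=s
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
      return ((((d[3] * 12 + mon) * 31 + d[1]) * 24 + d[4]) * 60 + d[5]) * 60 + d[6]
    }
    BEGIN { newest = 0 }
    {
      t[NR] = ts($4); ip[NR] = $1; uri[NR] = $7
      # Request_Time is the second-to-last field, so user agents with spaces
      # do not shift it.
      sub(/^Request_Time=/, "", $(NF - 1)); rt[NR] = $(NF - 1)
      if (t[NR] > newest) newest = t[NR]
    }
    END {
      cutoff = newest - window * 60
      for (i = 1; i <= NR; i++) {
        if (t[i] < cutoff) continue
        n[ip[i]]++
        rtsum[ip[i]] += rt[i]
        if (!((ip[i], uri[i]) in seen)) { seen[ip[i], uri[i]] = 1; uris[ip[i]]++ }
      }
      for (a in n)
        if (n[a] > limit)
          printf "%d %s %d %.3f\n", n[a], a, uris[a], rtsum[a] / n[a]
    }' "$1" | sort -nr
}

# Constructed sample log in the ddos format (not captured from a real server):
# 10.0.0.7 is old traffic outside the window, 10.0.0.5 floods /login with slow
# POSTs, 10.0.0.6 is an ordinary browser session.
SAMPLE_LOG="$(mktemp)"
{
  echo '10.0.0.7 - - [10/Oct/2024:13:00:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0" Request_Time=0.012 Upstream_Time=0.010'
  for i in 1 2 3 4 5 6; do
    echo "10.0.0.5 - - [10/Oct/2024:13:55:0$i +0000] \"POST /login HTTP/1.1\" 503 0 \"-\" \"python-requests/2.31\" Request_Time=2.000 Upstream_Time=2.000"
  done
  echo '10.0.0.6 - - [10/Oct/2024:13:55:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" Request_Time=0.030 Upstream_Time=0.025'
  echo '10.0.0.6 - - [10/Oct/2024:13:55:11 +0000] "GET /static/app.js HTTP/1.1" 200 8000 "http://example.test/" "Mozilla/5.0" Request_Time=0.004 Upstream_Time=-'
} > "$SAMPLE_LOG"

# Everything with more than 4 requests in the last 5 minutes of the log:
top_offenders "$SAMPLE_LOG" 5 4   # -> 6 10.0.0.5 1 2.000
```

The flooding host stands out not only by count but by hitting a single URI with a two-second request time, which is what distinguishes a slow-POST flood from a busy but legitimate client. Point the function at the real access log with a window and threshold that match your normal traffic before wiring its output into any blocking.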
Limit the request rate. limit_req_zone must be declared in the http context, not inside server; rate=30r/m is one request every two seconds per client IP, and burst=5 lets up to five excess requests queue before further ones are rejected with 503. Without nodelay the queued requests are delayed to fit the rate, which is fine for an API but makes browsers that fetch many assets at once feel slow:
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
    server {
        location / {
            limit_req zone=one burst=5;
        }
    }
}
Limit concurrent connections per client IP (limit_conn_zone also belongs in the http context; note that many users behind one NAT or proxy share an address, so 10 can be too low for office networks):
http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        location / {
            limit_conn addr 10;
        }
    }
}
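The two fragments above work, but as written they have three practical gaps: behind a CDN or load balancer $binary_remote_addr is the proxy's address, so one zone key covers all real clients; your own monitoring and health checks get limited like everybody else; and rejected requests return 503, which is indistinguishable in dashboards from an upstream that is actually down. The configuration below is an added example, not from the original page, that closes those gaps in one http block. The proxy range 203.0.113.0/24 and the exempt networks 10.0.0.0/8 and 192.0.2.10 are placeholders, not a real CDN's address list.

```nginx
http {
    # Restore the real client address from the proxy's header, but trust the
    # header only when the connection comes from the proxy range listed here
    # (placeholder range; substitute your CDN's published addresses).
    set_real_ip_from 203.0.113.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    # Exempt trusted networks: a request whose zone key is empty is never
    # counted, so these clients bypass both limits below. Placeholder ranges.
    geo $limit {
        default 1;
        10.0.0.0/8 0;     # internal monitoring
        192.0.2.10 0;     # external uptime checker
    }
    map $limit $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    # 10 MB of shared memory holds on the order of 160,000 IPv4 keys.
    limit_req_zone  $limit_key zone=per_ip:10m rate=10r/s;
    limit_req_zone  $limit_key zone=login:10m  rate=30r/m;
    limit_conn_zone $limit_key zone=conn_per_ip:10m;

    # 429 instead of the default 503 so rate-limited clients can be told
    # apart from a failing backend; warn so limit hits are logged without
    # being mistaken for errors.
    limit_req_status  429;
    limit_conn_status 429;
    limit_req_log_level warn;

    server {
        listen 80;

        location / {
            # Up to 20 excess requests are served immediately (nodelay);
            # anything beyond that is rejected at once instead of queued.
            limit_req  zone=per_ip burst=20 nodelay;
            limit_conn conn_per_ip 20;
        }

        location /login {
            # Authentication endpoints get a much tighter budget and keep
            # the default delay behaviour, which slows credential stuffing.
            limit_req  zone=login burst=5;
            limit_conn conn_per_ip 5;
        }
    }
}
```

Check the result with nginx -t before reloading, then confirm in the error log that limit hits name the real client address and not the proxy; if they still show the proxy's address, set_real_ip_from does not cover the address the proxy connects from.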
Block malicious IPs. A deny entry still answers each request with 403, so it spares the backend but not the bandwidth; for a long list keep the deny lines in a separate file and include it, and for volumetric attacks drop at the firewall or CDN instead. The address below is a private example address:
location / {
    deny 192.168.1.1;
    allow all;
}
Automatically ban high-frequency IPs. The count covers the whole current log file, so LIMIT is effectively a per-rotation-period threshold; because the script runs from cron it must be idempotent (no duplicate DROP rules for an IP already banned) and must skip anything that legitimately sends many requests, such as monitoring hosts, a CDN or your own office:
#!/bin/bash
# Ban IPs that exceed LIMIT requests in the current log. Runs from cron, so it
# must not add a second DROP rule for an IP that is already banned.
set -euo pipefail
LIMIT=100
LOG_FILE="/var/log/nginx/access.log"
ALLOWLIST="/etc/nginx/allowlist.txt"   # one IP per line: monitoring, CDN, office
TEMP_IP_LIST="$(mktemp)"
trap 'rm -f "$TEMP_IP_LIST"' EXIT

awk '{print $1}' "$LOG_FILE" | sort | uniq -c | sort -nr > "$TEMP_IP_LIST"
while read -r COUNT IP; do
    [ "$COUNT" -gt "$LIMIT" ] || break        # list is sorted, nothing further qualifies
    if [ -f "$ALLOWLIST" ] && grep -qxF "$IP" "$ALLOWLIST"; then
        continue
    fi
    # -C checks whether the rule already exists; append only if it does not.
    if ! iptables -C INPUT -s "$IP" -j DROP 2>/dev/null; then
        iptables -A INPUT -s "$IP" -j DROP
        echo "$(date) - Blocked IP: $IP with $COUNT requests" >> /var/log/ddos.log
    fi
done < "$TEMP_IP_LIST"
Schedule it with cron (every 10 minutes; the rules are not persisted across reboots unless you save them with iptables-save):
*/10 * * * * /path/to/ddos_protection.sh
Use Fail2Ban: it ships a nginx-limit-req filter that watches the Nginx error log for the "limiting requests" messages produced by limit_req above and bans the offending client for a configurable time, which gives you temporary bans with automatic expiry instead of permanent iptables rules.
NGINX Plus (the commercial edition) offers additional DoS protection on top of these open-source directives.
Combine with a CDN such as Cloudflare: the CDN absorbs volumetric traffic before it reaches your host. Once a CDN is in front, every connection arrives from the CDN's addresses, so the per-IP limits and the ban script above must be keyed on the real client address (Nginx's real_ip module with the CDN's published ranges), or you will rate-limit and ban the CDN itself.
Rotate the logs (the awk one-liners and the ban script scan the whole file, so keep it bounded):
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 0640 www-data adm
sharedscripts
postrotate
# USR1 makes the master process reopen its log files; no full reload needed
[ ! -f /var/run/nginx.pid ] || kill -USR1 "$(cat /var/run/nginx.pid)"
endscript
}
With the measures above, the Nginx log is enough to identify and throttle the sources of a moderate attack. A large volumetric attack will saturate the link before Nginx sees a single request, so treat these as the application-layer tier of a layered defence that also includes an upstream firewall, a CDN and a cloud scrubbing service.