In progress

Nginx optimization and security

I have CentOS with Nginx installed to work as a reverse proxy. The issue is that Nginx stops responding under huge traffic on the SSL port, even after the traffic has dropped. Example:

Nginx is configured to listen on [url removed, login to view] on ports 80 and 443. In the example below, the Nginx rule drops the connection when the User-Agent matches IE6 (this is just an example). When I start a test DDoS attack against this config using UA=IE6 on the HTTP port, the attack is mitigated well and all attack connections are dropped very fast; you never feel Nginx becoming slow or anything, no waiting connections or the like, so no issue there. But when I do the same on the SSL port, Nginx stops responding on the SSL port while it still responds on the HTTP port. When I tried the ss command, it showed the listen queue is full, while HTTP uses the same backlog size (511).

LISTEN 512 511 [url removed, login to view]

I tried to use backlog in the Nginx listen directive and increased the backlog to 50000 (less than [url removed, login to view]), but after starting the attack the queue is full in less than 30 seconds. The number of IPs used for the test attack is around 10000.

I found that Nginx stops responding on the SSL port because the listen backlog is full on the SSL port, while it can still respond on HTTP because that backlog is not full yet. But I don't understand: I used the same config and the same rules in the server block to drop connections on the special rule. Normally Nginx should drop the connection on both the HTTP and the SSL port, but on the SSL port it keeps the connection as CLOSE_WAIT or LAST_ACK.

Example of the conf:

server {
    listen [url removed, login to view];
    server_name [url removed, login to view];

    location / {
        if ($http_user_agent ~* "IE6") {
            return 444;
        }
        return 200 "default page";
        add_header Content-Type text/html;
    }
}

server {
    listen [url removed, login to view] ssl;
    server_name [url removed, login to view];

    ssl_certificate [url removed, login to view];
    ssl_certificate_key [url removed, login to view];
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_session_cache shared:SSL:500m;
    ssl_session_timeout 10m;

    location / {
        if ($http_user_agent ~* "IE6") {
            return 444;
        }
        return 200 "default page";
        add_header Content-Type text/html;
    }
}

Example of [url removed, login to view]:

net.ipv4.ip_local_port_range = 18000 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
[url removed, login to view] = 65535
net.core.netdev_max_backlog = 65535
#
net.nf_conntrack_max = 500000
net.netfilter.nf_conntrack_max = 500000
net.netfilter.nf_conntrack_tcp_timeout_established = 900
net.netfilter.nf_conntrack_generic_timeout = 30
net.netfilter.nf_conntrack_tcp_timeout_close = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
#
net.ipv4.tcp_max_tw_buckets = 500000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
#
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 30
#
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432

Please don't bid if you are an Nginx newbie; I need professional experts. I don't need people who search Google for Nginx configs. I need professional advice.

I need someone to solve this issue and help me configure Nginx to work as a reverse proxy and serve 1000 websites.
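The symptom in the post is read straight off `ss -ltn`: for a LISTEN socket, Recv-Q is the number of fully established connections waiting in the accept queue and Send-Q is the configured backlog, so "LISTEN 512 511" means the port 443 accept queue is saturated. One reason the two ports behave differently is that the `$http_user_agent` check can only run after the TLS handshake has completed, so the worker on 443 does far more work per attacking connection than on port 80 before `return 444` can close it. The following script is an added example for monitoring that condition; it is not part of the original post. The function name `check_backlog` and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not captured from the poster's host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# For LISTEN sockets, Recv-Q is the current accept-queue length and
# Send-Q is the configured backlog limit for that socket.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 512    511    0.0.0.0:443        0.0.0.0:*
LISTEN 3      128    127.0.0.1:8080     0.0.0.0:*'

# check_backlog THRESHOLD_PERCENT [ss-output]
# Prints one line per listening socket whose accept queue is at or above
# THRESHOLD_PERCENT of its backlog (hypothetical helper, constructed here).
# Returns 1 if any socket crossed the threshold, 0 otherwise, so it can be
# used directly from cron or a monitoring agent as a health check.
# When no second argument is given it runs `ss -ltn` on the local host.
check_backlog() {
    threshold="$1"
    input="${2:-$(ss -ltn)}"
    printf '%s\n' "$input" | awk -v thr="$threshold" '
        NR > 1 && $1 == "LISTEN" && $3 > 0 {
            pct = int($2 * 100 / $3)
            if (pct >= thr) {
                printf "%s %d/%d (%d%%)\n", $4, $2, $3, pct
                hit = 1
            }
        }
        END { if (hit) exit 1; exit 0 }'
}

# Usage on a live host: alert when any listener is at 80% of its backlog.
#   check_backlog 80 || echo "accept queue near saturation"
```

The check reports the socket, its queue depth against its backlog, and the percentage, which is the figure worth graphing alongside TLS handshake rate: a queue that fills within seconds of an attack starting, as described above, points at the accept loop being starved rather than at the backlog size itself, so raising `backlog` alone only delays the symptom.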

Skills: Linux, Nginx


About the employer:
(5 reviews) London, United Kingdom

Project ID: #12725788

Awarded to:

pdq

Hello, thank you for inviting me to your project. I currently work in a datacenter as a Linux server administrator, so I believe my skills are quite enough to solve your problem. Any kind of Linux work is my daily rou… More

$55 USD in 3 days
(95 reviews)
5.7

7 freelancers bid an average of $142 for this job

odessky

Hello! My name is Andrey. I'm from Odessa, Ukraine. I have the right skills and great experience to begin working on your project right now! You can see good reviews on my profile https://www.freelancer.com/u/odessk… More

$150 USD in 3 days
(200 reviews)
6.7

codetrance

Does your server have any control panel on board? I'm looking forward to your response. Thank you.

$110 USD in 1 day
(131 reviews)
6.2

linuxsupport

Hi, I have 15 years of experience in Linux systems and have worked with various flavours like CentOS, Ubuntu, Debian, and SUSE. I have extensive knowledge of Apache, Nginx, HAProxy, Varnish, etc. I can work with you to solve you… More

$250 USD in 3 days
(59 reviews)
6.0

dkokmadis

Hi, can you provide me access to the server so I can check the logs?

$50 USD in 3 days
(108 reviews)
5.6

leopedia

We have our own (small) server data center to run our client websites and sell hosting services; we can help you 100%, let us know. We have been a preferred freelancer with 100% satisfaction; check our profile. Let us know we can… More

$225 USD in 1 day
(2 reviews)
4.8

$155 USD in 3 days
(28 reviews)
4.6