Configuration Examples

Example configuration for L7 DDoS Mitigation

Configuration File

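http {
    # nginx original configuration

    # Define a 10MB shared memory zone for SEnginx access statistics
    statistics_zone 10m;
    # Enable the global IP blacklist
    ip_blacklist on;
    # Number of IPs the blacklist can hold
    ip_blacklist_size 10240;
    # Retention time of an IP in the blacklist (seconds)
    ip_blacklist_timeout 120;
    # The blacklist is kept locally in SEnginx
    ip_blacklist_mode local;
    # Define a 10MB token zone: each client address may make 10 requests per second (10 tokens replenished per second)
    limit_req_zone $binary_remote_addr zone=mudoom:10m rate=10r/s;
    # Define a 10MB behaviour-recognition zone: at least 10 valid requests per sample, sampling period 2 seconds
    ip_behavior_zone zone=brand:10m sample_base=10 sample_cycle=2s;

    # Define the IP whitelist
    geo $ip_wl {
        # Addresses are given as address ranges
        ranges;
        default 0;
        127.0.0.1-127.0.0.1 1;
    }
    # Define the User-Agent whitelist; common web crawlers are exempted.
    # Each entry pairs a User-Agent string with a second pattern that looks like a domain
    # the client must resolve to — presumably so a spoofed User-Agent alone is not whitelisted;
    # confirm against the SEnginx whitelist_ua documentation.
    whitelist_ua $ua_wl {
        # Case-insensitive matching
        caseless;
        "Baiduspider" ".*\.baidu\.com";
        "Baidu-YunGuanCe-SLABot" ".*\.baidu\.com";
        "Googlebot" ".*\.google\.com";
        "360Spider" ".*\.360\.cn";
        "360JK" ".*\.360\.cn";
        "Sosospider" ".*\.soso\.com";
        "Sogou web spider" ".*\.sogou\.com";
        "bingbot" ".*\.bing\.com";
    }
    server {
        # Original server configuration

        # Virtual server name shown in the SEnginx access statistics display
        virtual_server_name www.mudoom.com;
        # Enable the behaviour-recognition zone "brand" on this server and recognise sensitive-URL access behaviour
        ip_behavior zone=brand type=sensitive_url;

        # Robot challenge (named location that limit_req's forbid_action redirects to)
        location @process {
            # Use the global IP whitelist and User-Agent whitelist as the robot challenge whitelist
            robot_mitigation_global_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
            # Enable the Robot Mitigation module
            robot_mitigation on;
            # Robot challenge mode (JavaScript challenge)
            robot_mitigation_mode js;
            # Number of failed challenges before the client is blacklisted
            robot_mitigation_blacklist 50;
            # Validity of a passed challenge (seconds)
            robot_mitigation_timeout 600;
            # Do not challenge AJAX-type requests
            robot_mitigation_challenge_ajax off;

            # php-fpm and other original configuration
            fastcgi_pass 127.0.0.1:9000;
            ...
        }
        # Shows the current blacklist. For security reasons it must be restricted to internal access
        location /blacklist_show {
            allow 127.0.0.1;
            deny all;
            ip_blacklist_show;
        }

        # Clears the blacklist. For security reasons it must be restricted to internal access
        location /blacklist_flush {
            allow 127.0.0.1;
            deny all;
            ip_blacklist_flush;
        }
        # Displays the SEnginx access statistics. For security reasons it must be restricted to internal access
        location /stats {
            allow 127.0.0.1;
            deny all;
            statistics;
        }
        # Location that blocked requests are sent to (see DeniedUrl below)
        location /RequestDenied {
            return 403;
        }

        # Location protected by the security modules
        location /mudoom {
            # Mark this location as a sensitive resource for behaviour recognition
            ip_behavior_sensitive;
            # Burst of 100 tokens; beyond that, requests go to @process (robot challenge) when $cond is set
            limit_req zone=mudoom burst=100 forbid_action=@process condition=$cond;
            # Trigger the robot challenge when less than 30% of the requests are to non-sensitive resources
            ifall ($insensitive_percent >= 0) ($insensitive_percent < 30) {
                set $cond 1;
            }

            # Use the global IP whitelist and User-Agent whitelist as the cookie anti-tampering whitelist
            cookie_poisoning_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
            # Cookie anti-tampering (cookie poisoning detection). It is switched off in this example,
            # so the action and log directives below only take effect once it is set to "on"
            cookie_poisoning off;
            # Action when a tampered cookie is found: block = reject the request,
            # pass = let it through, remove = strip the tampered cookie value
            cookie_poisoning_action block;
            # Add the client to the blacklist after it has been blocked more than 5 times
            cookie_poisoning_action blacklist,5;
            # Write an entry to the error log when an attack is discovered
            cookie_poisoning_log on;

            # Use the global IP whitelist and User-Agent whitelist as the Naxsi whitelist
            naxsi_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
            # Naxsi learning mode. NOTE(review): in Naxsi, LearningMode logs rule matches instead of
            # blocking them, so with this line active the BLOCK rules below are not enforced;
            # confirm the SEnginx behaviour and switch to SecRulesEnabled for enforcement
            LearningMode;
            # Enable the security rules (enforcing mode)
            #SecRulesEnabled;
            # Disable the security rules
            #SecRulesDisabled;
            # Where requests blocked by the security rules are sent
            DeniedUrl "/RequestDenied";
            # Security rules: block once a category score reaches its threshold
            CheckRule "$XSS >= 4" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 8" BLOCK;
            CheckRule "$UPLOAD >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$SQL >= 8" BLOCK;

            # php-fpm and other original configuration
            fastcgi_pass 127.0.0.1:9000;
            ...
        }
    }
}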