What is the best way to secure a web server - Apache or Nginx?
Let's say there is a Java webapp on a Tomcat server.
I want to set up DoS protection, a filter for valid HTTP requests, limits on connections from one IP, and other methods of protection.
What would you recommend in this case - Apache or Nginx?
Using Apache as a protection against high loads is like allocating money to fight corruption.
Install Apache with nginx as the frontend.
Run nginx with this config:

http {
    # backend pool referenced by proxy_pass below; it was not defined in the
    # original snippet, so the address here is a placeholder
    upstream phpfarm {
        server 127.0.0.1:8080;  # placeholder backend address
    }

    # even regular slow clients are usually expensive
    reset_timedout_connection on;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 5;
    keepalive_timeout 30 15;

    # introduce two restricted zones:
    # one on open connections and one on request rate
    limit_req_zone $binary_remote_addr zone=qglob:16m rate=3r/s;
    # zone qulag is used by the search location below but was never defined;
    # the 2r/s rate is assumed from the "two requests per second" comment
    limit_req_zone $binary_remote_addr zone=qulag:16m rate=2r/s;
    # limit_conn_zone replaces the obsolete "limit_zone cglob $binary_remote_addr 16m;"
    limit_conn_zone $binary_remote_addr zone=cglob:16m;

    server {
        listen 80;
        server_name www.myhost.ru;
        proxy_set_header Host $host;

        # needed for proxy_store to work
        proxy_buffering on;

        # limit the maximum number of connections from one ip
        # to 4 clients from one ip via rfc2616
        limit_conn cglob 32;

        # Quickly catch "GET / ".
        # Add a convenient file name.
        location = / {
            rewrite ^/$ /index.html last;
        }

        # Rate-limited: serve the static index.html, or load it from the backend.
        location = /index.html {
            internal;
            limit_req zone=qglob burst=9 nodelay;
            open_file_cache_errors off;
            root /tmp/nginx/cache/;
            error_page 404 = /cached$uri;
        }

        location /cached/ {
            internal;
            alias /tmp/nginx/cache/;
            # proxy_pass needs a scheme; a bare upstream name is rejected
            proxy_pass http://phpfarm;
            proxy_store on;
            proxy_store_access user:rw group:rw all:r;
            proxy_temp_path /tmp/nginx/tmp/;
        }

        # Search is brutally clamped to two requests per second.
        location = /advanced_search_result.php {
            limit_req zone=qulag burst=2;
            proxy_pass http://phpfarm;
        }

        # And everything else.
        location / {
            proxy_pass http://phpfarm;
        }
    }
}
You can also look into sysctl and pf (ipfw).
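To see what the limit_req settings in the config above do to a burst from a single IP, here is an added Python model of nginx's leaky-bucket accounting; it is not code from the answer or from nginx. The names LimitReq, summarize and demo are hypothetical, the traffic is constructed, and the 2r/s rate for the search zone is an assumption taken from the config comment, since that zone is not defined on the page.

```python
class LimitReq:
    """Simplified model of nginx limit_req accounting for a single client key."""

    def __init__(self, rate_per_s, burst=0, nodelay=False):
        self.rate = rate_per_s * 1000    # rate and excess are tracked scaled by 1000
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.excess = 0
        self.last_ms = None              # None until the key is first seen

    def request(self, now_ms):
        """Return (status, delay_ms) for one request arriving at now_ms."""
        if self.last_ms is None:
            excess = 0                   # the first request for a key always passes
        else:
            elapsed = max(now_ms - self.last_ms, 0)
            # the bucket drains at `rate`; each request adds one unit (1000)
            excess = max(self.excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return 503, 0                # rejected requests do not fill the bucket
        self.excess, self.last_ms = excess, now_ms
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return 200, delay


def summarize(limiter, arrivals_ms):
    """Replay arrival times (ms) through a limiter and count the outcomes."""
    results = [limiter.request(t) for t in arrivals_ms]
    passed = sum(1 for status, _ in results if status == 200)
    return {"passed": passed, "rejected": len(results) - passed,
            "max_delay_ms": max(delay for _, delay in results)}


# Constructed traffic: a 20-request burst from one IP, and a steady 3 r/s client.
FLOOD = [0] * 20
STEADY = [i * 334 for i in range(30)]

def demo():
    return {
        # location = /index.html: limit_req zone=qglob burst=9 nodelay (rate=3r/s)
        "index_flood": summarize(LimitReq(3, burst=9, nodelay=True), FLOOD),
        "index_steady": summarize(LimitReq(3, burst=9, nodelay=True), STEADY),
        # search location: burst=2, no nodelay; the 2r/s rate is an assumption
        "search_flood": summarize(LimitReq(2, burst=2), FLOOD),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With nodelay the burst allowance is served immediately and the rest is refused; without it, the allowed excess requests are held back to the zone's rate before reaching the backend.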
Other protection methods include hiding the version of nginx and PHP.
server_tokens off;
in nginx.conf
expose_php = Off
in php.ini
If I understand correctly, the author means the Apache WAF, mod_security. You will not be able to protect against DDoS with it, that is a slightly different thing, but you can easily make a filter for valid HTTP requests. Nginx will save you from a light, amateur DDoS simply because of its architecture, but it is not able to carry out any checks for the validity or harmfulness of requests.
nginx + lua-nginx-module; a month ago there was an article on this topic on Habr: habrahabr.ru/blogs/nginx/130861/