How to mitigate a DDoS attack on your website with Nginx

Discover how to use the Nginx web server to block certain DDoS attacks through a secure configuration. This approach will help your server defend against frequent DDoS attacks. By improving Nginx’s configuration, you can protect your server from various types of attacks.

OuiHeberg offers free Anti-DDoS protection against certain targeted attacks. By using our VPS or dedicated servers, you benefit from Anti-DDoS protection at no additional cost. However, mitigation capacities, methods used, and filtering may vary depending on the location you select.

Prerequisites

  • Nginx: Ensure that Nginx is installed on your server.
  • Basic Knowledge: You should be comfortable with basic Linux commands and know how to access Nginx’s configuration files.
  • VPS or Dedicated Server: A virtual private server or dedicated server, or a virtual machine on your local host.
  • DDoS Protection: Your hosting provider must provide some form of DDoS protection to mitigate more sophisticated attacks.
  • Linux: Any distribution compatible with Nginx.

Limitations

This guide is not a complete solution to defend against all DDoS attacks. It will likely help mitigate common attacks and keep your server operational. However, certain complex DDoS attacks can only be blocked and prevented if your hosting provider supplies adequate DDoS protection. This configuration is designed to prevent and block certain types of attacks against your server, not all of them, and it will not be effective on its own without your provider's DDoS protection.

Disclaimer

OuiHeberg advises against applying this configuration directly on your production server without prior testing. We disclaim any responsibility for potential issues this may cause. Make sure to follow best practices in server security and perform backups before any modifications in case a restoration is necessary. Please consult Nginx’s documentation on DDoS protection to fully understand its functionality.

Strengthening Nginx to Prevent DDoS Attacks

To protect Nginx from DDoS attacks and enhance its resistance to common attacks, various mitigation and prevention strategies must be implemented. Here’s how to configure Nginx to improve its security:

1. Update Nginx

Ensure that you are using the latest stable version of Nginx to benefit from the latest security fixes and improvements.

2. Limit Connections

Use the limit_conn module to restrict the number of simultaneous connections from a single IP address, and the limit_req module to cap the rate at which that address may send requests. This helps mitigate DDoS attacks that attempt to overwhelm your server with numerous simultaneous connections or requests.

http {
    # Track concurrent connections per client IP (limit_conn module)
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    # Track the request rate per client IP (limit_req module)
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=1r/s;

    server {
        # At most 10 simultaneous connections per IP
        limit_conn conn_limit_per_ip 10;
        # 1 request/second per IP; up to 5 excess requests are queued, the rest get 503
        limit_req zone=req_limit_per_ip burst=5;
        # Other server configurations...
    }
}

3. Managing IP Whitelists and Blacklists

Use the allow and deny directives to permit trusted IP addresses and block malicious ones.

http {
    # Rules are evaluated in order; the first match decides.
    # At http level they apply to every server and location below;
    # they can equally be placed in a single server or location block.
    # Allow trusted IP addresses
    allow 192.168.1.0/24;
    # Everyone else receives 403
    deny all;
    # Other server configurations...
}


4. Install a Web Application Firewall (WAF)

Integrate third-party modules like ModSecurity with Nginx to detect and block malicious HTTP traffic.

5. Enable HTTPS

Use HTTPS to encrypt communications between clients and the server, preventing data interception and man-in-the-middle attacks.

6. Disable Unused Modules

Disable unnecessary Nginx modules to reduce the attack surface and optimize performance. The flags below apply when compiling Nginx from source; distribution packages ship with a fixed module set, which you can inspect with nginx -V.

./configure --without-http_autoindex_module --without-http_ssi_module

7. Optimize Nginx Configuration

Adjust Nginx’s configuration settings, such as worker processes, worker connections, and timeouts, according to your server’s hardware resources and anticipated traffic volume.

8. Monitoring and Logging

Regularly review server logs to detect any suspicious activity and set up alert systems to notify administrators in case of potential attacks.
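As an added example (not part of the original article and not OuiHeberg's tooling), the following Python script performs the kind of log review this step calls for: it counts requests per client IP in the access log, builds a per-client histogram of response codes, and tallies the "limiting requests" / "limiting connections" lines that the limit_req and limit_conn modules write to the error log. The log lines are constructed samples using documentation IP ranges; the zone names are assumed to match the configuration given later on this page.

```python
import re
from collections import Counter, defaultdict

# Combined access log format: ip - user [time] "request" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# What limit_req / limit_conn write to the error log when they reject a request
LIMIT_RE = re.compile(
    r'limiting (?:requests, excess: [\d.]+|connections) by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[^,]+)')

def requests_per_client(access_lines, threshold):
    """Count requests per client IP; return only clients at or above threshold."""
    counts = Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def status_by_client(access_lines):
    """Per-client histogram of response codes; many 503s mean limit_req is firing."""
    hist = defaultdict(Counter)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            hist[m["ip"]][int(m["status"])] += 1
    return hist

def limited_clients(error_lines):
    """Tally rejections per (zone, client) from limit_req/limit_conn error-log lines."""
    tally = Counter()
    for line in error_lines:
        m = LIMIT_RE.search(line)
        if m:
            tally[(m["zone"], m["ip"])] += 1
    return dict(tally)

# Constructed sample lines (not captured traffic) in the formats nginx emits.
SAMPLE_ACCESS = [
    '203.0.113.5 - - [19/Sep/2024:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Sep/2024:10:00:01 +0200] "GET / HTTP/1.1" 503 197 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Sep/2024:10:00:01 +0200] "GET / HTTP/1.1" 503 197 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Sep/2024:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
SAMPLE_ERROR = [
    '2024/09/19 10:00:01 [error] 1234#1234: *77 limiting requests, excess: 20.350 by zone "req_limit_per_ip", client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
    '2024/09/19 10:00:01 [error] 1234#1234: *78 limiting requests, excess: 21.100 by zone "req_limit_per_ip", client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
    '2024/09/19 10:00:03 [error] 1234#1234: *80 limiting connections by zone "conn_limit_per_ip", client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
]
```

Feed it real files with requests_per_client(open("/var/log/nginx/access.log"), 1000) and limited_clients(open("/var/log/nginx/error.log")); the same functions can drive an alert when a client crosses your chosen threshold.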

9. Use DDoS Protection Services

Consider using specialized DDoS protection services or appliances in front of Nginx, such as Cloudflare, AWS Shield, or Akamai.

10. Perform Regular Backups

Ensure that you regularly back up critical data to minimize the impact in case of a successful attack.

Remember that security is an ongoing process. It is essential to stay informed about the latest threats and best security practices to effectively protect your server from potential attacks.

DDoS Protection Configuration for Nginx

Here is a configuration you can add to your nginx.conf file to enhance security:

http {
    # Define a zone to track connections from each IP
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    # Define a zone to track requests from each IP
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;

        # Limit request rate: 10 r/s per IP, up to 20 excess requests are queued, beyond that 503
        limit_req zone=req_limit_per_ip burst=20;

        # Limit the maximum number of connections from a single IP
        limit_conn conn_limit_per_ip 20;

        # Deny requests with large request bodies or headers to mitigate certain types of attacks
        # Note: 1k rejects almost any form POST or upload (413) and large cookies (400);
        # raise these to what your application actually needs
        client_body_buffer_size 1k;
        client_header_buffer_size 1k;
        client_max_body_size 1k;
        large_client_header_buffers 2 1k;

        # Enable Gzip compression to save bandwidth
        gzip on;
        gzip_comp_level 5;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_vary on;

        # Add security headers to strengthen protection
        add_header X-Content-Type-Options "nosniff";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Referrer-Policy "same-origin";
        # Browsers only honour HSTS when it arrives over HTTPS, so also set it in your listen 443 ssl server block
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # Block requests whose User-Agent identifies common command-line tools
        # (adjust this if your own monitoring checks or API clients use them)
        if ($http_user_agent ~* (wget|curl) ) {
            return 403;
        }

        # Block access to hidden files
        location ~ /\. {
            deny all;
        }

        # Block access to certain file types
        location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php_ {
            deny all;
            return 403;
        }

        # Whitelist your IP for admin access
        # (replace your_admin_ip with an address or CIDR, e.g. 203.0.113.10, otherwise nginx -t fails)
        location /admin {
            allow your_admin_ip;
            deny all;
        }

        # Deny access to certain directories
        # (anchored to the start of the path so that e.g. /assets/vendor.js is not caught)
        location ~ ^/(system|vendor)(/|$) {
            deny all;
            return 403;
        }

        # Proxy to forward requests to your application server
        location / {
            proxy_pass http://your_backend_server;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

This configuration accomplishes the following:

  • Rate Limiting: Limits each IP address to 10 requests per second with a burst allowance of 20 requests.
  • Connection Limiting: Limits each IP address to a maximum of 20 simultaneous connections.
  • Request Body Size Limiting: Restricts request body sizes to mitigate attacks that send large amounts of data.
  • Gzip Compression: Enables Gzip compression to save bandwidth.
  • Security Headers: Adds headers to strengthen security.
  • Blocking Tool User-Agents: Blocks requests whose User-Agent identifies command-line tools (wget, curl) commonly used for automated or malicious traffic; legitimate monitoring checks or API clients that use these tools will be blocked too, so adjust the list accordingly.
  • Blocking Hidden Files: Denies access to hidden files and directories.
  • Admin Access Whitelisting: Allows only your IP address to access the admin area.
  • Denying Access to Certain Directories: Blocks access to sensitive directories such as system and vendor.
  • Proxy Pass: Forwards requests to your application server.

Be sure to adapt this configuration to your specific needs, including domain names, backend server addresses, and IP addresses for admin access. Additionally, regularly monitor your server logs and adjust configurations as threats evolve.
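To make the rate-limiting numbers concrete, here is an added example (not from the original article) that simulates the leaky-bucket accounting nginx's limit_req module applies, using integer thousandths the way nginx does, with the page's values rate=10r/s and burst=20. It assumes every request carries the same key (one client IP) and does not model the two-stage delay= option.

```python
def simulate_limit_req(arrivals_ms, rate_rps, burst, nodelay=False):
    """Return one (status, delay_ms) tuple per request.

    arrivals_ms: non-decreasing arrival times in milliseconds, all from the
    same client key. 'excess' counts queued requests in thousandths, so
    rate 10r/s becomes 10000 and burst 20 becomes 20000 (nginx's units).
    """
    rate = rate_rps * 1000
    burst_scaled = burst * 1000
    excess = 0
    last = None
    results = []
    for now in arrivals_ms:
        if last is None:
            # First request from this client: the bucket starts empty
            last = now
            results.append((200, 0))
            continue
        # Drain the bucket by the elapsed time, then add this request
        excess = max(excess - rate * (now - last) // 1000 + 1000, 0)
        if excess > burst_scaled:
            # Bucket overflow: rejected at once (503 by default);
            # a rejected request does not update the bucket state
            results.append((503, 0))
            continue
        last = now
        # Without nodelay, a queued request is held until the bucket has drained enough
        delay_ms = 0 if nodelay else excess * 1000 // rate
        results.append((200, delay_ms))
    return results

def summarize(results):
    """Count served vs rejected requests and the longest queueing delay."""
    served = [d for s, d in results if s == 200]
    rejected = sum(1 for s, _ in results if s == 503)
    return {"served": len(served), "rejected": rejected,
            "max_delay_ms": max(served) if served else 0}

if __name__ == "__main__":
    # 30 simultaneous requests from one IP: 1 served immediately, 20 queued
    # (the last one waits 2 s), 9 rejected with 503
    print(summarize(simulate_limit_req([0] * 30, 10, 20)))
```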

How to Integrate This Configuration into Nginx

Here are the steps to add this configuration:

  1. Locate the nginx.conf file: Depending on your installation, the nginx.conf file may be located in various places such as /etc/nginx/nginx.conf or /usr/local/nginx/conf/nginx.conf; on Debian and Ubuntu, per-site server blocks usually live in files under /etc/nginx/sites-available/, such as /etc/nginx/sites-available/default.

  2. Open the nginx.conf file: Use a text editor or a command-line editor like nano, vim, or emacs to open the file.

  3. Add the configuration in the http block: Inside the http block, which defines the HTTP server settings, insert the provided configuration. This block is typically found near the beginning of the nginx.conf file.

  4. Insert the provided configuration: Paste the configuration provided above inside the http block. Since the snippet itself begins with http {, merge it rather than nesting a second http block: the two *_zone directives go directly inside the existing http block, and the server block goes alongside your existing server blocks. Make sure to replace default values like example.com, your_admin_ip, and your_backend_server with your specific details.

  5. Save and close the file: After adding the configuration, save the changes and close the editor.

  6. Check Nginx’s configuration: Before restarting Nginx, it is recommended to test the configuration for any syntax errors by running:

    nginx -t

    If everything is correct, a message will indicate that the configuration file test is successful.

  7. Restart Nginx: To apply the changes, restart Nginx with the command:

    sudo service nginx restart

    Depending on your init system, the equivalent command may be sudo systemctl restart nginx (systemd); sudo nginx -s reload applies the new configuration without dropping existing connections.

By following these steps, you will integrate the provided configuration into your Nginx server, thereby enhancing its security with DDoS protection and other security measures. This guide will help you prevent DDoS attacks on Nginx by configuring it properly.


OuiHeberg is committed to offering you the best solutions to secure your online services. Feel free to contact us for any further questions or assistance.



Author: OUIHEBERG SARL
Category: Tutoriels
Date: 19/09/2024