Hello!

In a message of Saturday 07 February 2009 18:20:33, Alex wrote:
> could you provide more details, and maybe some links?
> We are currently using nginx and I am quite interested, especially about
> DDOS.

nginx writes a lot of log messages for queries when the back-end produces errors. And nginx does not filter incorrect queries and sends all queries to the back-end servers. So the back-end servers may be DDOS attacked. Also, nginx writes temp files before redirecting queries to the backend, without checking the queries. But I don't know whether nginx has the ability to check http/https requests or whether that is impossible.

pound on my servers drops incorrect requests in its default configuration, and the backend AOL servers are protected successfully. Since pound has no hard disk access, DDOS attacks can't cause the server to swap.

Also, I'm using a cookie-based cluster configuration with a single entry point:

    Service
        HeadDeny "X-SSL-.*"
        HeadRequire "Host:.*hostname.*"
        HeadRequire "Cookie: .*session=branch%3Dstable&unit%3D1"
        BackEnd
            TimeOut 300
            Address serverA
            Port 8001
        End
    End

    Service
        HeadDeny "X-SSL-.*"
        HeadRequire "Host:.*hostname.*"
        HeadRequire "Cookie: .*session=branch%3Dstable&unit%3D2"
        BackEnd
            TimeOut 300
            Address serverB
            Port 8001
        End
    End

All queries without recognized cookies will be dropped. The first configuration section describes the service with parameters "branch=stable, unit=1" and the second, "branch=stable, unit=2".

Best regards,
Alexey.
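
The routing rules from the configuration above, modelled in Python as an added example that is not part of the original message or of Pound's own code. It assumes each pattern is searched unanchored and case-insensitively against every header line and that the first service whose rules pass handles the request; `select_backend` and the sample headers are constructed for illustration.

```python
import re

# Services in the order they appear in the posted configuration.
# Patterns and backend names are copied from the message.
SERVICES = [
    {"backend": ("serverA", 8001),
     "deny": [r"X-SSL-.*"],
     "require": [r"Host:.*hostname.*",
                 r"Cookie: .*session=branch%3Dstable&unit%3D1"]},
    {"backend": ("serverB", 8001),
     "deny": [r"X-SSL-.*"],
     "require": [r"Host:.*hostname.*",
                 r"Cookie: .*session=branch%3Dstable&unit%3D2"]},
]

def _any_header_matches(pattern, headers):
    # Assumption: unanchored, case-insensitive search over each header line.
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.search(h) for h in headers)

def select_backend(headers):
    """Return (host, port) of the first service accepting the request, else None."""
    for svc in SERVICES:
        # HeadDeny: a single matching header disqualifies the service.
        if any(_any_header_matches(p, headers) for p in svc["deny"]):
            continue
        # HeadRequire: every pattern needs at least one matching header.
        if all(_any_header_matches(p, headers) for p in svc["require"]):
            return svc["backend"]
    return None  # no service matched: the request never reaches a backend

HOST = "Host: www.hostname.example"  # constructed host name
# Constructed sample requests (header lines only).
SAMPLES = {
    "unit 1 session": [HOST, "Cookie: session=branch%3Dstable&unit%3D1"],
    "unit 2 session": [HOST, "Cookie: session=branch%3Dstable&unit%3D2"],
    "no cookie": [HOST],
    "unknown branch": [HOST, "Cookie: session=branch%3Ddev&unit%3D1"],
    "client-sent X-SSL": [HOST, "Cookie: session=branch%3Dstable&unit%3D1",
                          "X-SSL-Subject: CN=constructed"],
    "unit 12 (prefix match)": [HOST, "Cookie: session=branch%3Dstable&unit%3D12"],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:24} -> {select_backend(hdrs)}")
```

The last sample shows that the unit 1 pattern has no terminator after `unit%3D1`, so under the assumed matching it also accepts a cookie value such as `unit%3D12`.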