Hello!
In a message of Saturday 07 February 2009 18:20:33 Alex wrote:
> could you provide more details, and maybe some links?
> We are currently using nginx and I am quite interested, especially about
> DDOS.
nginx writes a lot of log messages for queries when the back-end produces errors. And nginx does not filter incorrect queries and sends all queries to the back-end servers. So the back-end servers may be DDOS attacked. Also, nginx does write temp files before redirecting queries to the backend without checking the queries.

But I don't know whether nginx has the potential to check http/https requests or whether it's impossible.

pound on my servers drops incorrect requests in its default configuration, and the backend AOL servers are protected successfully. Since pound has no hard disk access, DDOS attacks can't swap-on server.

Also, I'm using a cookie-based cluster configuration with a single entry-point:

    Service
        HeadDeny "X-SSL-.*"
        HeadRequire "Host:.*hostname.*"
        HeadRequire "Cookie: .*session=branch%3Dstable&unit%3D1"
        BackEnd
            TimeOut 300
            Address serverA
            Port 8001
        End
    End

    Service
        HeadDeny "X-SSL-.*"
        HeadRequire "Host:.*hostname.*"
        HeadRequire "Cookie: .*session=branch%3Dstable&unit%3D2"
        BackEnd
            TimeOut 300
            Address serverB
            Port 8001
        End
    End

All queries without recognized cookies will be dropped. The first configuration section describes the service with parameters "branch=stable, unit=1" and the second - "branch=stable, unit=2".

Best regards, Alexey.
--
AOLserver - http://www.aolserver.com/
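
Added example, not part of the message above and not pound's own code: a small Python model of how the two Service blocks select a backend, run over constructed requests. It assumes each HeadDeny/HeadRequire pattern is an unanchored, case-insensitive search over every header line; `tightened()` is a hypothetical variant that ends the cookie value at `;` or end of line, which is what stops `unit%3D15` from being accepted as `unit%3D1`.

```python
import re

# Matching rules of the two Service blocks quoted in the message.
def service(backend, unit):
    return {"backend": backend,
            "deny": [r"X-SSL-.*"],
            "require": [r"Host:.*hostname.*",
                        r"Cookie: .*session=branch%3Dstable&unit%3D" + unit]}

SERVICES = [service("serverA:8001", "1"), service("serverB:8001", "2")]

def hit(pattern, headers):
    # Assumption: each pattern is an unanchored, case-insensitive search
    # applied to every header line of the request.
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.search(line) for line in headers)

def route(headers, services=SERVICES):
    """Backend of the first service accepting the request, else None (dropped)."""
    for svc in services:
        if any(hit(p, headers) for p in svc["deny"]):
            continue  # a HeadDeny pattern matched: service not eligible
        if all(hit(p, headers) for p in svc["require"]):
            return svc["backend"]
    return None

def tightened(services):
    """Hypothetical hardening: end the cookie value at ';' or end of line."""
    return [{**s, "require": [p + "(;|$)" if p.startswith("Cookie:") else p
                              for p in s["require"]]} for s in services]

# Constructed sample requests (header lines only).
HOST = "Host: www.hostname.example"
SAMPLES = {
    "unit1": [HOST, "Cookie: lang=en; session=branch%3Dstable&unit%3D1"],
    "unit2": [HOST, "Cookie: session=branch%3Dstable&unit%3D2; lang=en"],
    "no_cookie": [HOST],
    "client_x_ssl": [HOST, "X-SSL-Subject: CN=admin",
                     "Cookie: session=branch%3Dstable&unit%3D1"],
    "unit15": [HOST, "Cookie: session=branch%3Dstable&unit%3D15"],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, route(headers), route(headers, tightened(SERVICES)))
```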