icondev

How to use nginx to prevent DDoS attacks

This document is a guideline on how to mitigate DDoS attacks against a P-Rep node by putting nginx in front of it as a reverse proxy.

Intended Audience

We recommend that all P-Rep candidates go through this guideline.

Pre-requisites

We assume that you have previous knowledge and experience in:

  • IT infrastructure management
  • Linux or UNIX system administration
  • Network administration
  • Linux server and Docker service troubleshooting
  • Docker containers

Introduction to Nginx

Nginx is a web server built for performance and security. It runs as one master process and several worker processes.
Nginx is event-driven: each worker handles events asynchronously as they occur instead of dedicating a thread to every connection.
It therefore serves a large number of connections with a small number of processes, using less CPU and memory.
Running nginx as a reverse proxy in front of the node lets you throttle request rates and admit only whitelisted networks, which mitigates DDoS attacks against the node itself.

Reverse proxy advantage

A reverse proxy accepts requests from clients, forwards them to the internal server, and relays the responses back. Clients never reach the internal server directly; the proxy is the only path in. This indirection brings several security advantages:

  1. Security: External users cannot see which servers exist on the internal network. All traffic passes through the reverse proxy, which maps each request to the corresponding internal server and forwards it, so internal addresses and topology are not exposed to the outside.
  2. ACL: The proxy decides whether to allow or deny access from a given external address.
  3. Log/Audit: The proxy records who tried to access the network, which gives you an audit trail of external access attempts.

How to use

P-Rep + nginx composition

nginx reverse proxy package for the P-Rep node
  • A dockerized nginx is provided; please refer to the link below: nginx_docker
  • Configure the P-Rep node software to run behind nginx so that nodes communicate with each other through nginx.
  • Set the nginx allow list to the IPs of the P-Rep nodes so that only they can connect.
  • Check the P-Rep node IP list regularly and renew the allow list whenever it changes.
  • Run the containers with Docker in bridge network mode.
IP whitelist renewal
  • You can either block all IPs or allow only specific IPs (or ranges).
  • Granting access only to whitelisted P-Rep nodes keeps external attackers away from the node.
  • Add the P-Rep IP list to the whitelist
    • An internal script calls the P-Rep list API on a regular basis, generates the whitelist, and reloads nginx.
  • How to add to the whitelist
    • Create allow_ip.conf containing the whitelist (the addresses below are placeholders):
      #./user_conf/allow_ip.conf
      allow 10.10.10.10;
      allow 20.20.20.20;
      allow 30.30.30.30;
      
      nginx evaluates allow/deny directives in order and admits any client that matches none of them, so a list of allow lines only restricts access when a deny all; follows it somewhere in the same context. Print the generated configuration (VIEW_CONFIG: "yes") once and confirm the deny is there.
    • Mount the file into the nginx container through the volumes section of docker-compose.yml:
      version: '3'
      services:
        nginx:
          image: looploy/nginx:1.17.1
          ...
          volumes:
            - ./user_conf:/etc/nginx/user_conf
      ##################################################################
      ## Mount the user_conf directory (containing allow_ip.conf) onto /etc/nginx/user_conf;
      ## mount the directory, not the single file, so the path stays a directory inside the container.
      ## The file name is arbitrary: every file in /etc/nginx/user_conf is available to nginx inside the container.
      
    • Reloading nginx does not interrupt service.
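The renewal script the bullets above describe, as an added example: this is my code, not the ICON project's script and not part of the looploy/nginx image. It assumes the node list is fetched as JSON-RPC and comes back as result.preps[].p2pEndpoint in "ip:port" form, that the list endpoint (NODE_LIST_API), the compose container name nginx_1.17 and the path ./user_conf/allow_ip.conf are the ones from this page, and that the request body in GET_PREPS is the right call for your node; all of these are marked ASSUMED in the code and should be checked against the API your node actually exposes. The sample response is constructed. Every endpoint is parsed as a literal IP address, so hostnames and junk never become allow directives, duplicates collapse, an empty result refuses to write (a deny all; after zero allow lines would lock every peer out), the file is replaced atomically with a mode the container can read, and nginx -t runs inside the container before the reload so a broken file cannot take the proxy down.

```python
"""renew_whitelist.py: regenerate allow_ip.conf from the P-Rep list and reload nginx.

Added example, not the ICON project's script. Assumptions are marked ASSUMED.
"""
import ipaddress
import json
import os
import subprocess
import sys
import tempfile
import urllib.request
from typing import List, Optional

ALLOW_CONF = "./user_conf/allow_ip.conf"          # bind-mounted into the nginx container
NGINX_CONTAINER = "nginx_1.17"                     # container_name from docker-compose.yml
NODE_LIST_API = "http://127.0.0.1:9000/api/v3"    # ASSUMED: PREP_NODE_LIST_API reachable from the host
# ASSUMED request body: ICON JSON-RPC icx_call of getPReps on the system contract; verify against your node.
GET_PREPS = {"jsonrpc": "2.0", "id": 1, "method": "icx_call",
             "params": {"to": "cx0000000000000000000000000000000000000000",
                        "dataType": "call", "data": {"method": "getPReps"}}}

# Constructed sample response (ASSUMED shape: result.preps[].p2pEndpoint = "ip:port").
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"preps": [
    {"name": "prep-a", "p2pEndpoint": "10.10.10.10:7100"},
    {"name": "prep-b", "p2pEndpoint": "20.20.20.20:7100"},
    {"name": "prep-b-again", "p2pEndpoint": "20.20.20.20:7100"},    # duplicate address
    {"name": "prep-c", "p2pEndpoint": "[2001:db8::1]:7100"},       # IPv6 endpoint
    {"name": "odd", "p2pEndpoint": "node.example.com:7100"},       # hostname: must not reach nginx
    {"name": "empty", "p2pEndpoint": ""},
]}})


def fetch_preps(url: str, timeout: int = 10) -> str:
    """POST the getPReps call and return the raw JSON body."""
    req = urllib.request.Request(url, data=json.dumps(GET_PREPS).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def host_of(endpoint: str) -> str:
    """Strip the port from "ip:port" or "[ipv6]:port"; a bare IPv6 address is returned as-is."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.find("]")] if "]" in endpoint else endpoint
    if endpoint.count(":") == 1:
        return endpoint.rsplit(":", 1)[0]
    return endpoint


def extract_ips(raw_json: str) -> List[str]:
    """Take the host part of every p2pEndpoint, keep only literal IPs, dedupe and sort."""
    seen = set()
    for prep in json.loads(raw_json).get("result", {}).get("preps", []):
        try:
            seen.add(ipaddress.ip_address(host_of(prep.get("p2pEndpoint", ""))))
        except ValueError:        # hostnames, empty strings and junk are dropped, never written
            continue
    return [str(ip) for ip in sorted(seen, key=lambda ip: (ip.version, ip))]


def render_allow_conf(ips: List[str], deny_rest: bool = True) -> str:
    """nginx allow/deny are first-match and an unmatched client is ALLOWED, so the list
    restricts nothing unless a deny all; follows it. If the image already appends its own
    deny all; after including this file (or adds admin allow lines after it), pass deny_rest=False."""
    lines = ["# generated by renew_whitelist.py; edits will be overwritten"]
    lines += [f"allow {ip};" for ip in ips]
    if deny_rest:
        lines.append("deny all;")
    return "\n".join(lines) + "\n"


def write_if_changed(path: str, content: str) -> bool:
    """Replace the file atomically; return False (and touch nothing) when it is already current."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except FileNotFoundError:
        pass
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".allow_ip.")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o644)      # mkstemp gives 0600; a non-root nginx in the container must be able to read it
    os.replace(tmp, path)     # readers see either the old or the new file, never a partial one
    return True


def reload_nginx(container: str) -> None:
    """Test the config inside the container first; a bad file must not take the proxy down."""
    subprocess.run(["docker", "exec", container, "nginx", "-t"], check=True)
    subprocess.run(["docker", "exec", container, "nginx", "-s", "reload"], check=True)


def renew(raw_json: str, path: str = ALLOW_CONF, container: Optional[str] = NGINX_CONTAINER) -> int:
    """Regenerate the whitelist; reload nginx only when the file changed. Returns the address count."""
    ips = extract_ips(raw_json)
    if not ips:
        raise RuntimeError("empty P-Rep list: refusing to write a whitelist that would lock every peer out")
    if write_if_changed(path, render_allow_conf(ips)) and container:
        reload_nginx(container)
    return len(ips)


if __name__ == "__main__":
    sample = "--sample" in sys.argv     # use the constructed response and skip docker
    raw = SAMPLE_RESPONSE if sample else fetch_preps(NODE_LIST_API)
    print(f"whitelist has {renew(raw, container=None if sample else NGINX_CONTAINER)} address(es)")
```

Run it from cron or a systemd timer on the host at the interval you want the list refreshed; `python3 renew_whitelist.py --sample` exercises everything except the API call and the reload.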
Nginx Throttle
  • Throttle setting
    • Use the limit_req module to limit excessive requests from a single client IP or to a specific URI.
    • e.g. allow at most 200 requests per second from each client IP
    • e.g. allow at most 200 requests per second to each URI, counted across all clients
# throttle setting example
limit_req_zone $binary_remote_addr zone=by_ip:10m rate=200r/s;
limit_req_zone $request_uri zone=by_uri:10m rate=200r/s;

# limit_req_zone : declares a shared-memory zone that tracks the request rate per key
# $binary_remote_addr : key on the client IP (binary form, so the key is compact)
# $request_uri : key on the requested URI; one counter is shared by every client of that URI,
#                so a single attacker can exhaust the budget of a URI for legitimate peers too
# 10m : shared memory for the per-key state; when it is full the least recently used state is evicted
# rate : average rate allowed per key; requests above it are queued up to burst, then rejected with 503
# a zone does nothing until limit_req applies it to a location:
server {
    ...
    location / {
        limit_req zone=by_ip burst=5;    # 1 request passes at once, up to 5 more are queued, a 7th arriving at the same instant gets 503
        limit_req zone=by_uri burst=5;   # add nodelay to forward the queued requests immediately instead of spacing them to the rate
        proxy_pass http://prep:9000;     # the P-Rep container and port from the compose file below
    }
}
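To see what rate, burst and nodelay actually do to a stream of requests, here is an added example: my code, a simplified model of the leaky-bucket bookkeeping in nginx's ngx_http_limit_req_module, not nginx's source and not from this page. It keeps excess and burst in thousandths of a request the way nginx does, and the request streams and addresses are constructed. It also shows the difference between keying on $binary_remote_addr and on $request_uri: with the URI key, one noisy client consumes the whole budget for a path and a legitimate peer hitting the same path is rejected too.

```python
"""Model of the pass / delay / reject decision nginx's limit_req makes per request.

Added example: a simplified reimplementation of the leaky-bucket bookkeeping in
ngx_http_limit_req_module, written for illustration. Not nginx's source and not
from the ICON docs. Like nginx, excess and burst are tracked in thousandths of a
request so that everything stays in integers.
"""
from typing import Dict, List, Tuple


class LimitReqZone:
    """One limit_req_zone: rate in r/s, burst in requests, nodelay as in the nginx directive."""

    def __init__(self, rate: int, burst: int = 0, nodelay: bool = False):
        self.rate = rate * 1000           # milli-requests per second
        self.burst = burst * 1000         # milli-requests that may queue above the rate
        self.nodelay = nodelay
        self._state: Dict[str, Tuple[int, int]] = {}   # key -> (excess, last_seen_ms)

    def check(self, key: str, now_ms: int) -> Tuple[str, int]:
        """Decide one request for `key` at time now_ms.

        Returns ("pass", 0), ("delay", milliseconds) or ("reject", 0).
        """
        if key not in self._state:
            self._state[key] = (0, now_ms)    # first request from a key is never excess
            return ("pass", 0)
        excess, last = self._state[key]
        elapsed = max(0, now_ms - last)
        # the bucket drains at `rate` since the last request, then this request adds one
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return ("reject", 0)              # nginx answers with limit_req_status (503 by default)
        self._state[key] = (excess, now_ms)
        if excess == 0 or self.nodelay:
            return ("pass", 0)                # nodelay: queued requests are forwarded at once
        # default: hold the request until the bucket has drained back to the rate
        return ("delay", excess * 1000 // self.rate)


def simulate(rate: int, burst: int, nodelay: bool, arrivals_ms: List[int],
             key: str = "203.0.113.7") -> List[str]:
    """Run a constructed arrival pattern from one client through a zone; "delay:N" means N ms."""
    zone = LimitReqZone(rate, burst, nodelay)
    verdicts = []
    for t in arrivals_ms:
        verdict, delay = zone.check(key, t)
        verdicts.append(f"delay:{delay}" if verdict == "delay" else verdict)
    return verdicts


def count_rejected(zone: LimitReqZone, requests: List[Tuple[str, str, int]],
                   key_by: str) -> Dict[str, int]:
    """Rejections per client IP when the zone key is the client IP ($binary_remote_addr)
    or the URI ($request_uri). requests are (client_ip, uri, arrival_ms) tuples."""
    rejected: Dict[str, int] = {}
    for ip, uri, t in requests:
        verdict, _ = zone.check(ip if key_by == "ip" else uri, t)
        if verdict == "reject":
            rejected[ip] = rejected.get(ip, 0) + 1
    return rejected


if __name__ == "__main__":
    # rate=200r/s burst=5 as in the compose file: 7 requests in one millisecond, then one a second later
    print(simulate(200, 5, False, [0] * 7 + [1000]))
    print(simulate(200, 5, True, [0] * 7))
    # constructed flood: 20 requests from one address plus one from a legitimate peer, same URI
    flood = [("198.51.100.9", "/api/v3", 0)] * 20 + [("203.0.113.7", "/api/v3", 0)]
    print("keyed by URI:", count_rejected(LimitReqZone(200, 5), flood, "uri"))
    print("keyed by IP: ", count_rejected(LimitReqZone(200, 5), flood, "ip"))
```

With rate=200r/s and burst=5, the first of seven simultaneous requests passes, the next five are delayed by 5, 10, 15, 20 and 25 ms (one request's worth of drain time each), the seventh is rejected, and a request one second later passes because the bucket has fully drained. With nodelay the same six pass immediately and the seventh is still rejected: nodelay changes when queued requests are forwarded, not how many are accepted. In the flood scenario the URI-keyed zone rejects the legitimate peer along with 14 attacker requests, while the IP-keyed zone rejects only the attacker; this is why NGINX_THROTTLE_BY_IP is the safer default for a node whose peers share a small set of URIs.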
Dockerizing
#nginx docker-compose.yml
version: '3'
services:
   prep:
      image: 'iconloop/prep-node:{tag}'
      container_name: prep
      cap_add:
         - SYS_TIME
      environment:
         ...

   nginx_throttle:
      image: 'looploy/nginx:1.17.1'
      container_name: nginx_1.17
      environment:
         NGINX_LOG_OUTPUT: 'file'
         NGINX_LOG_TYPE: 'main'
         NGINX_USER: 'root'
         VIEW_CONFIG: "yes"
         USE_NGINX_THROTTLE: "yes"
         NGINX_THROTTLE_BY_URI: "yes"
         NGINX_RATE_LIMIT: "200r/s"
         NGINX_BURST: "5"
         NGINX_SET_NODELAY: "no"
         GRPC_PROXY_MODE: "yes"
         USE_VTS_STATUS: "yes"
         TZ: "GMT-9"
         SET_REAL_IP_FROM: "0.0.0.0/0"
         PREP_MODE: "yes"
         NODE_CONTAINER_NAME: "prep"
         PREP_NGINX_ALLOWIP: "yes"
         NGINX_ALLOW_IP: "0.0.0.0/0"
         NGINX_LOG_FORMAT: '$$realip_remote_addr $$remote_addr  $$remote_user [$$time_local] $$request $$status $$body_bytes_sent $$http_referer "$$http_user_agent" $$http_x_forwarded_for $$request_body'
      volumes:
         - ./data/loopchain/nginx:/var/log/nginx
         - ./user_conf:/etc/nginx/user_conf
      ports:
         - '7100:7100'
         - '9000:9000'
A few values in the example above are deliberately permissive and should be tightened on a production node:
  • SET_REAL_IP_FROM: "0.0.0.0/0" tells nginx's realip module to trust every peer to declare the real client address. If the image maps a header such as X-Forwarded-For onto $remote_addr, any client can then forge its address and sidestep both the IP whitelist and the per-IP throttle. Restrict it to the addresses of your own load balancer, or leave it unset when nginx faces the internet directly.
  • NGINX_ALLOW_IP: "0.0.0.0/0" opens the administrator/monitoring access to everyone; set it to your admin network.
  • NGINX_USER: 'root' runs the worker processes as root; the image's default user is the least-privilege choice.
  • ports: publishes 7100 and 9000 on every host interface. The allow list, not the port mapping, is what keeps unknown peers out, so keep PREP_NGINX_ALLOWIP set to "yes".

Environment variable
Variable | Description | Default value | Allowed values
TRACKER_IPLIST | IP addresses the tracker connects from to monitor the P-Rep | 15.164.151.101 15.164.183.120 52.79.145.149 54.180.178.129 |
PREP_NGINX_ALLOWIP | no: accept connections from anyone; yes: restrict nginx to the whitelisted P-Rep IPs | no | yes/no
PREP_MODE | whitelist-based nginx operation for a P-Rep node | no | yes/no
NODE_CONTAINER_NAME | name of the P-Rep container nginx connects to | prep |
PREP_LISTEN_PORT | port the P-Rep node listens on | 9000 |
PREP_PROXY_PASS_ENDPOINT | endpoint of the P-Rep container's RPC API (required when PREP_MODE is yes) | http |
PREP_NODE_LIST_API | API URL used to fetch the P-Rep IP whitelist (required) | ${PREP_PROXY_PASS_ENDPOINT}/api/v3 |
USE_DOCKERIZE | render the configuration with go templates | yes | yes/no
VIEW_CONFIG | print the generated configuration at launch | no | yes/no
UPSTREAM | upstream setting | localhost |
DOMAIN | domain setting | localhost |
LOCATION, ADD_LOCATION | additional location setting | |
WEBROOT | web root | /var/www/public |
NGINX_EXTRACONF | additional configuration directives | |
USE_DEFAULT_SERVER | use nginx's default conf | no |
USE_DEFAULT_SERVER_CONF | nginx's default server conf | |
NGINX_USER | user the nginx worker processes run as | www | wwwdata
NGINX_SET_NODELAY | yes adds nodelay to limit_req: requests within the burst are forwarded at once instead of being spaced out to the rate | no | yes/no
WEB_SOCKET_URIS | URIs proxied as websockets | /api/ws/ /api/node/ |
NUMBER_PROC | worker_processes count | $(nproc) | up to the number of processors
WORKER_CONNECTIONS | worker_connections | 4096 |
GRPC_LISTEN_PORT | gRPC listen port | 7100 |
LISTEN_PORT | listen port | ${GRPC_LISTEN_PORT} |
SENDFILE | sendfile | on | on
SERVER_TOKENS | server_tokens (off hides the nginx version from clients) | off | off
KEEPALIVE_TIMEOUT | keepalive_timeout | 65 | 65
KEEPALIVE_REQUESTS | keepalive_requests | 15 | 15
TCP_NODELAY | tcp_nodelay | on | on
TCP_NOPUSH | tcp_nopush | on | on
CLIENT_BODY_BUFFER_SIZE | client_body_buffer_size | 3m | 3m
CLIENT_HEADER_BUFFER_SIZE | client_header_buffer_size | 16k | 16k
CLIENT_MAX_BODY_SIZE | client_max_body_size | 100m | 100m
FASTCGI_BUFFER_SIZE | fastcgi_buffer_size | 256K | 256K
FASTCGI_BUFFERS | fastcgi_buffers | 8192 4k | 8192 4k
FASTCGI_READ_TIMEOUT | fastcgi_read_timeout | 60 | 60
FASTCGI_SEND_TIMEOUT | fastcgi_send_timeout | 60 | 60
TYPES_HASH_MAX_SIZE | types_hash_max_size | 2048 | 2048
NGINX_LOG_TYPE | log format type | default | json/default
NGINX_LOG_FORMAT | custom log format | '$realip_remote_addr $remote_addr |
NGINX_LOG_OUTPUT | where the logs are written | file | stdout/file/off
USE_VTS_STATUS | enable vts monitoring | yes | yes/no
USE_NGINX_STATUS | enable nginx status monitoring | yes | yes/no
NGINX_STATUS_URI | nginx_status URI | nginx_status |
NGINX_STATUS_URI_ALLOWIP | only this address may request the nginx_status URI | 127.0.0.1 |
USE_PHP_STATUS | enable PHP status | no | no
PHP_STATUS_URI | php_status URI | php_status |
PHP_STATUS_URI_ALLOWIP | only this address may request the php_status URI | 127.0.0.1 |
PRIORTY_RULE | allow/deny priority rule | allow | allow
NGINX_ALLOW_IP | administrator IP address for detailed monitoring | |
NGINX_DENY_IP | IP addresses to deny | |
NGINX_LOG_OFF_URI | | |
NGINX_LOG_OFF_STATUS | | |
DEFAULT_EXT_LOCATION | extension location setting (e.g. ~/.jsp, ~/.php) | php |
PROXY_MODE | gRPC proxy mode usage | no | yes/no
GRPC_PROXY_MODE | gRPC proxy mode usage | no | yes/no
USE_NGINX_THROTTLE | enable rate limiting | no | yes/no
NGINX_THROTTLE_BY_URI | URI-based rate limit | no | yes/no
NGINX_THROTTLE_BY_IP | IP-based rate limit | no | yes/no
PROXY_PASS_ENDPOINT | gRPC proxy endpoint | grpc |
NGINX_ZONE_MEMORY | shared memory for the rate-limit zone | 10m |
NGINX_RATE_LIMIT | rate limit | 100r/s |
NGINX_BURST | excess requests queued before rejection: with a value of 10, up to 10 excess requests are delayed and any further request is rejected with 503 | 10 |
SET_REAL_IP_FROM | networks trusted to supply the real client address (realip module); 0.0.0.0/0 trusts everyone, so restrict it to your load balancer | 0.0.0.0/0 |
NGINX_PROXY_TIMEOUT | proxy timeout in seconds | 90 | 90
