Nginx Magics

This post collects Nginx tricks so that you can quickly grab the configurations.
I put the reference links here, along with my own thoughts and comments.

For more nginx settings, please refer to my other markdown list:
https://github.com/morganwu277/code_snippets/blob/master/nginx.md

1. Security

1.1. Rate Limiting

Rate Limiting for hackers or crawlers but not search engines.

Refs:

I don't want to explain more about Nginx rate limiting, since it's already covered there.

However, simple rate limiting alone comes with an issue: multiple users behind one common gateway could be blocked, for example when they are on a university network and share a common external gateway IP address.

From the server's point of view, it can't just use the IP address for rate limiting, since there could be multiple non-hackers behind the same IP address.

All in all, rate limiting on the IP address alone is trivial and not safe. We should also combine it with User-Agent or other fields and adapt this dynamically.
Also, hackers/crawlers can still use a VPN to avoid the so-called IP-based rate limiting.

We should have a machine learning algorithm that dynamically outputs the rate-limiting model and applies it to online rate limiting, especially a tree-based model.

1.2. IP Address Blocking Behind Proxies

Use the following inside your location / section:

# Trust the forwarded-address header only when the request arrives from these proxy ranges.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

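# Restore the client address from X-Forwarded-For, skipping trusted proxies from the right.
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Block these client addresses (deny is checked against the restored address).
deny 70.103.56.2;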
deny 200.159.140.37;
deny 140.207.116.178;
deny 221.4.34.18;
deny 74.79.253.186;
deny 204.11.108.89;
deny 204.11.108.94;
deny 204.236.220.196;
deny 12.229.60.66;
deny 73.181.227.5;

For more details: http://nginx.org/en/docs/http/ngx_http_realip_module.html
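
How the configuration above decides which address `deny` is checked against, as an added Python model (not code from the original post and not nginx's own code). The trusted and denied lists reuse a few values from the config; the peer addresses and headers are constructed samples, and the port suffixes nginx accepts in the header are not handled.

```python
import ipaddress

# Constructed subset of the page's config: two set_real_ip_from ranges
# and two deny entries.
TRUSTED = [ipaddress.ip_network(n) for n in ("103.21.244.0/22", "173.245.48.0/20")]
DENIED = [ipaddress.ip_network(n) for n in ("70.103.56.2", "221.4.34.18")]


def _matches(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)


def real_ip(peer, xff, trusted=TRUSTED, recursive=True):
    """Simplified model of the address the realip module hands to `deny`."""
    addr = ipaddress.ip_address(peer)
    if not _matches(addr, trusted):
        return addr  # peer is not a trusted proxy: the header is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):  # walk the header from the right
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last good address
        if not recursive or not _matches(addr, trusted):
            break  # first non-trusted hop (or recursion off) is the client
    return addr


def is_denied(peer, xff, **kw):
    return _matches(real_ip(peer, xff, **kw), DENIED)


if __name__ == "__main__":
    proxy = "103.21.244.5"  # constructed peer inside a trusted range
    cases = [
        (proxy, "192.0.2.1, 221.4.34.18"),        # client-supplied prefix is ignored
        ("198.51.100.7", "70.103.56.2"),          # direct peer: header not trusted
        (proxy, "221.4.34.18, 173.245.48.10"),    # two trusted proxies in the chain
    ]
    for peer, xff in cases:
        print(peer, "|", xff, "->", real_ip(peer, xff), "denied:", is_denied(peer, xff))
```

With `recursive=False` the third case resolves to the inner proxy address instead of the client, so the `deny` entry no longer matches.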

2. Proxy

2.1. Internet Proxy

To avoid network restrictions, such as GFW.

REFs
