
Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. We will compile nginx as a reverse HTTP proxy and add some modules to fight against DDoS attacks.

Add stable repository for nginx in Ubuntu

$ sudo su
# echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu lucid main" >> /etc/apt/sources.list.d/nginx.list
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C
# apt-get install nginx
# apt-get install nginx-extras

Please check whether nginx and nginx-extras have been installed. The nginx installation location will be /etc/nginx, and nginx will listen on port 80. So if you have Apache running on port 80, change it to 8080 or another port.

Nginx Shell Script To Block Spamhaus Lasso Drop Spam IP Address

# /etc/nginx# cd /etc/nginx/
# wget http://bash.cyberciti.biz/dl/500.sh.zip
# unzip 500.sh.zip
# mv 500.sh nginx.drop.lasso
# chmod +x nginx.drop.lasso
# rm 500.sh.zip

Edit nginx.drop.lasso according to your nginx installation location.

# ./nginx.drop.lasso

[source: http://bash.cyberciti.biz/web-server/nginx-shell-script-to-block-spamhaus-lasso-drop-spam-ip-address/]

Install Roboo to Ubuntu for DDOS protection

# mkdir /opt/local/share/nginx
# wget https://github.com/yuri-gushin/Roboo/blob/master/Roboo.pm
# vi /etc/nginx.conf [attached file]

Install the Perl modules below:

# cpan
cpan[1]> install CPAN
cpan[2]> reload cpan
cpan[3]> install Net::IP::Match::Regexp
cpan[4]> install Compress::Zlib
cpan[5]> install Digest::SHA
cpan[6]> install Crypt::Random

Start nginx service

# /etc/init.d/nginx start

[Source: https://github.com/yuri-gushin/Roboo]
[Roboo howto: http://marguspala.com/install-roboo-to-ubuntu-for-ddos-protection/]

In the next tutorial I will test whether this nginx HTTP proxy server can handle:

– HTTP Denial of Service tools – e.g. Low Orbit Ion Cannon
– Vulnerability Scanning – e.g. Acunetix Web Vulnerability Scanner, Metasploit Pro, Nessus
– Web exploits
– Spiders, Crawlers and other robotic evil

nginx.conf
——————————————————————————————————————-
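# Main nginx configuration for the reverse proxy described above.
# On Debian/Ubuntu packages this file normally lives at /etc/nginx/nginx.conf.
user www-data;
worker_processes 2;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    # Roboo is an embedded-Perl handler, so these two directives need
    # ngx_http_perl_module (shipped in the nginx-extras package installed above).
    # Roboo.pm has to be saved into the perl_modules directory for perl_require to find it.
    perl_modules /opt/local/share/nginx;
    perl_require Roboo.pm;

    include /etc/nginx/mime.types;
    # NOTE(review): drop.lasso.conf is presumably the deny list written by the
    # nginx.drop.lasso script (Spamhaus DROP/Lasso addresses) - confirm the path it writes to.
    include drop.lasso.conf;
    default_type application/octet-stream;
    # Plain ASCII quotes: the original listing had typographic quotes here, which nginx
    # does not treat as string delimiters.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
    access_log /var/log/nginx/access.log;
    server_names_hash_bucket_size 64;
    #server_names_hash_max_size 1024;
    #types_hash_bucket_size 32;
    types_hash_max_size 2048;

    # NOTE(review): ten-minute client timeouts let one slow or idle client hold a
    # worker connection for up to 10 minutes, which works against the DDoS goal of
    # this setup (the nginx defaults are 60s); consider lowering them.
    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    client_body_buffer_size 16k;
    large_client_header_buffers 4 16k;
    request_pool_size 4k;
    sendfile on;

    # gzip is off globally; it is switched on per location below so that the
    # Roboo "gzip" challenge mode decides when it is used.
    gzip off;
    gzip_min_length 0;
    gzip_buffers 4 8k;
    gzip_types text/plain application/x-shockwave-flash text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_proxied any;
    gzip_http_version 1.0;
    output_buffers 1 32k;
    postpone_output 1460;

    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75 20;
    ignore_invalid_headers on;
    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;
    # Shared on-disk cache for proxied responses; referenced as "cache" in the vhosts below.
    proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ## Server www.fakrul.com [this site is not using Roboo features]
    server {
        listen 80;
        server_name www.fakrul.com;
        add_header Cache-Control public;
        access_log /var/log/nginx/www.fakrul.com.access.log;
        error_log /var/log/nginx/www.fakrul.com.error.log error;
        expires max;
        location / {
            # Plain reverse proxy to the origin, one directive per line.
            proxy_pass http://202.4.96.15;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_cache cache;
            proxy_cache_valid 5m;
        }
    }

    ## Server blog.fakrul.com [this site using Roboo features]
    server {
        listen 80;
        server_name blog.fakrul.com;
        add_header Cache-Control public;
        access_log /var/log/nginx/blog.fakrul.com.access.log;
        error_log /var/log/nginx/blog.fakrul.com.error.log error;
        expires max;
        location / {
            # Every request goes through Roboo first; a request that passes the
            # challenge is handed to @proxy through the error_page 555 mapping below.
            perl Roboo::handler;
            set $Roboo_challenge_modes "SWF,gzip";

            # Defaults
            set $Roboo_cookie_name "Anti-Robot"; # Cookie name used for challenge/response
            set $Roboo_validity_window 600; # Authentication validity time window
            set $Roboo_whitelist "IP(),UA(''),URI('')"; # Whitelist - IP addresses (CIDR), user-agents or URIs (PCRE)
            set $Roboo_charset "UTF-8"; # Charset used during challenge (for proper POST resubmissions)
            set $Roboo_challenge_hash_input $remote_addr; # Advanced - challenge hash basis, can add $server_name$server_port$http_host$http_user_agent
            error_page 555 = @proxy;
            # Challenge responses must not be cached by clients or intermediaries.
            expires epoch;
            add_header Last-Modified "";
            if ($Roboo_challenge_modes ~ gzip) {
                gzip on;
            }
            access_log /var/log/nginx/blog.fakrul.com.challenged.log;
        }
        location @proxy {
            # Reached only through the internal redirect from status 555, i.e. for
            # clients Roboo has already verified.
            proxy_pass http://ghs.google.com;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_cache cache;
            proxy_cache_valid 5m;
            gzip on;
            access_log /var/log/nginx/blog.fakrul.com.verified.log;
        }
    } ## End of blog.fakrul.com
}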