说明:之前发过一篇防DDOS
的文章,参考:Linux VPS 使用DDOS deflate来抵御DDOS攻击,今天又看到一个使用vDDoS Proxy
防御DDOS CC
攻击的教程,就说下。
Vddos proxy是什么
引用原文“
vDDoS Protection is Nginx bundled with module HTTP/2; GeoIP; Limit Req, Testcookie; reCaptcha processor…
Working like CloudFlare, but vDDoS is software help you build your own System Firewall.
”
Github地址:https://github.com/duy13/vDDoS-Protection
作者主页:http://vddos.voduy.com/
原作者还提供了更强大的功能以及更详细的说明,有能力的MJJ
可以前去研究。
安装
vDDos proxy
必须安装在WEB
程序以前例如(cPanel
, VestaCP
, LAMP
, LEMP
…)。
vDDos proxy
暂只支持Centos 5
/6
/7
64
位和CloudLinux Server
5
/6
/7
64
位。
接下来以Centos 7
为例。
运行以下命令:
yum -y install epel-release
yum -y update
yum -y install curl wget gc gcc gcc-c++ pcre-devel zlib-devel make openssl-devel libxml2-devel libxslt-devel
yum -y install gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel
yum -y install automake autoconf apr-util-devel GeoIP-devel libatomic_ops-devel
目前最新版本为1.13.1
curl -L https://github.com/duy13/vDDoS-Protection/raw/master/vddos-1.13.1-centos7 -o /usr/bin/vddos
#curl -L https://github.com/duy13/vDDoS-Protection/raw/master/vddos-1.13.1-centos6 -o /usr/bin/vddos #Centos6.X
#curl -L https://github.com/duy13/vDDoS-Protection/raw/master/vddos-1.13.1-centos5 -o /usr/bin/vddos #Centos5.X
chmod 700 /usr/bin/vddos
/usr/bin/vddos help
/usr/bin/vddos setup
至此,安装完毕
使用
Welcome to vDDoS, a HTTP(S) DDoS Protection Reverse Proxy. Thank you for using!
Command Line Usage:
vddos setup :installing vDDoS service for the first time into /vddos
vddos start :start vDDoS service
vddos stop :stop vDDoS service
vddos restart :restart vDDoS service
vddos autostart :auto-start vDDoS services on boot
vddos attack :create a DDoS attacks to HTTP target (in 30 min)
vddos stopattack :stop "vddos attack" command
vddos help :display this help
Please sure download vDDoS source from: vddos.voduy.com
保护某一个网站
# vi /vddos/conf.d/website.conf
# Website Listen Backend Cache Security SSL-Prikey SSL-CRTkey
default http://0.0.0.0:80 http://127.0.0.1:8080 no 200 no no
your-domain.com http://0.0.0.0:80 http://127.0.0.1:8080 no 200 no no
default https://0.0.0.0:443 https://127.0.0.1:8443 no 307 /ssl/key.pri /ssl/crt.crt
your-domain.com https://0.0.0.0:443 https://127.0.0.1:8443 no 307 /ssl/key.pri /ssl/crt.crt
参数解释
your-domain.com
为你想要保护的域名listen
为本地监听IP
端口backend
为后端IP
端口(可以当作为使用CDN
或者反代源网站)cache
是否进行缓存。
security
是保护强度 可选no
, 307
, 200
, click
, 5s
, high
, captcha
。
强度阶梯:no < 307 < 200 < click < 5s < high < captcha
。
5s
类似于Cloudflare
的五秒盾。
captcha
为启用谷歌人机验证码后面会详细说。
SSL-Prikey
为SSL
密匙。
SSL-CRTket
为SSL
证书。
5S盾
5s
盾的默认文件储存于
/vddos/html/5s.html
如有需要,可自行DIY
。
captcha谷歌验证码
因为国内无法使用谷歌验证码,所以本虾也没有去测试。
下面贴出LET
上给出的使用方法,请自行测试。
# vi /vddos/conf.d/recaptcha-sitekey.conf
# Website reCaptcha-sitekey (View KEY in https://www.google.com/recaptcha/admin#list)
your-domain.com 6Lcr6QkUAAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
# vi /vddos/conf.d/recaptcha-secretkey.conf
DEBUG=False
RE_SECRETS = { 'your-domain.com': '6Lcr6QkUAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'your-domain.org': '6LcKngoUAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxx' }
所需的KEY
需要在https://www.google.com/recaptcha/admin#list
申请,似乎是一个域名对应了一个key
。
禁止某个国家的IP访问
修改文件/vddos/conf.d/blacklist-countrycode.conf
#vi /vddos/conf.d/blacklist-countrycode.conf
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
US yes;
CN no;#这个。。自带禁止中国是啥意思 mjj
}
deny 1.1.1.1;
添加白名单
修改文件/vddos/conf.d/whitelist-botsearch.conf
# vi /vddos/conf.d/whitelist-botsearch.conf
#Alexa Bot IP Addresses
204.236.235.245; 75.101.186.145;
...
添加白名单之后,启用的如5s
盾 验证码将不会对白名单IP
访客生效。
设置IP直接访问源站
修改文件/vddos/conf.d/cdn-ip.conf
# vi /vddos/conf.d/cdn-ip.conf
# Cloudflare
set_real_ip_from 103.21.244.0/22;
...