http-error-abuse #
Imagine someone keeps poking your website with requests that don't exist — hammering random URLs (lots of 404s), banging on stuff they're not allowed to see (lots of 403s), or spamming requests until your server starts coughing up 500 errors. That's abuse, and it wastes your server's time.
Source: our fork on GitHub
Directives
error_abuse #
syntax: error_abuse 1+ args; · context: http, server, location
Requires persist. | ### error_abuse zone=name [status=code] [dry_run=on|off] [log_level=level] — context: http, server, location Switches a declared zone on for that location.
error_abuse_redis #
syntax: error_abuse_redis 1+ args; · context: http
Add error_abuse_redis and set redis=on on a zone, and all servers sharing the same prefix and zone settings count together and share bans.
error_abuse_zone #
syntax: error_abuse_zone 1+ args; · context: http
The shortest config that actually works is just: ## Synopsis (directives + defaults) ### error_abuse_zone zone=name:size [...] — context: http Declares a zone.
Example
load_module modules/ngx_http_error_abuse_module.so;
http {
# Optional: share bans across servers (see the Redis section).
error_abuse_redis host=127.0.0.1 port=6379 prefix=ea_ timeout=100ms;
# Define a zone: a shared-memory area that holds the counters.
error_abuse_zone zone=client_errors:10m
key=$binary_remote_addr
statuses=403,404,500-599
interval=300s
threshold=100
block=60m
inactive=1h
persist=/var/lib/nginx/error-abuse-client_errors.state
persist_interval=5s;
# Handy log line so you can see what the module decided.
log_format main '$remote_addr $request $status '
'error_abuse=$error_abuse_status '
'count=$error_abuse_count';
server {
location / {
error_abuse zone=client_errors; # turn it on here
}
}
}