小白站长cdn被刷量!服务器被四层ddos!cdn配合nginx精细化限速解决!
配置说明
...
http {
# Rate-limiting / flood-mitigation config for an nginx reverse proxy that sits
# behind a CDN and forwards to in-cluster Kubernetes services. Only layer-7
# (HTTP) abuse is handled by these directives; a layer-4 flood never reaches them.
#
# Access log: $remote_addr is the TCP peer (the CDN edge when a CDN is in
# front), X-Real-IP / X-Forwarded-For are whatever the upstream proxy sent,
# and $limit_key shows which key (if any) the request was rate-limited under.
log_format access '$remote_addr $server_port - $http_host [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$http_x_forwarded_for|$http_x_real_ip|$limit_key';
access_log /dev/stdout access;
# Whitelist. geo matches on $remote_addr (the direct TCP peer), which a client
# cannot spoof, so entries here only take effect for direct peers.
# NOTE(review): never add the CDN's edge ranges here - that would exempt every
# request that arrives through the CDN from all limits below.
geo $limit {
default 1;
192.168.0.0/24 0;
10.0.0.0/8 0;
127.0.0.0/8 0;
43.132.198.237/32 0;
}
# Client address used as the rate-limit key: first element of X-Forwarded-For,
# falling back to $remote_addr when the header is absent.
# SECURITY(review): the leftmost X-Forwarded-For element is client-supplied
# unless the CDN overwrites the header. A client that can reach this listener
# directly, or whose CDN appends rather than replaces XFF, can send a fresh
# random XFF value on every request and get a fresh limit_req/limit_conn
# bucket each time, defeating the per-IP limits below. Prefer
# ngx_http_realip_module (set_real_ip_from <CDN ranges>; real_ip_header
# X-Forwarded-For; real_ip_recursive on;) so only addresses inserted by trusted
# proxies are used, or read the CDN's own client-IP header instead.
map $http_x_forwarded_for $real_ip {
default $remote_addr;
"~^(?P<ip>[^,]+)" $ip;
}
# Whitelisted peers get an empty key. nginx does not account requests whose
# limit key is empty, so they are exempt from limit_req and limit_conn.
map $limit $limit_key {
0 "";
1 $real_ip;
}
# Per-client request rate: 5 r/s sustained, 10 MB of shared state.
limit_req_zone $limit_key zone=req_ip:10m rate=5r/s;
# Whole-vhost request rate, keyed on $server_name.
limit_req_zone $server_name zone=req_svr:1m rate=50r/s;
# Rejected requests get nginx's special 444: the connection is closed with no
# response, which saves response bandwidth during a flood.
# NOTE(review): limit_conn_status is not set, so limit_conn rejections still
# return the default 503. With a CDN in front, an abruptly closed connection is
# usually surfaced to the visitor as a CDN error page and may trigger a
# CDN-side retry against the origin - confirm that is the intended behaviour.
limit_req_status 444;
# Per-client concurrent-connection zone (same spoofable key as req_ip above).
limit_conn_zone $limit_key zone=con_ip:10m;
server {
# Resolver for proxy_pass hostnames and for OCSP responder lookups.
resolver kube-dns.kube-system.svc.cluster.local ipv6=off;
# TLS termination.
listen 443 ssl;
ssl_certificate /app/cert.pem;
ssl_certificate_key /app/cert.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): HIGH still admits RSA-key-exchange and CBC suites for TLS 1.2;
# an ECDHE+AEAD-only list would give forward secrecy on every connection.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
# OCSP stapling: the server fetches the revocation status and staples it into
# the handshake (this is not "expiry checking").
# NOTE(review): ssl_stapling_verify requires the issuer chain to be trusted
# (ssl_trusted_certificate, or the full chain in cert.pem); without it nginx
# logs a warning and serves no stapled response.
ssl_stapling on;
ssl_stapling_verify on;
# gzip to save bandwidth.
# NOTE(review): compressing every content type over TLS exposes any response
# that echoes request data next to a secret (CSRF token, session id) to
# BREACH-style attacks, and `*` also burns CPU recompressing images/archives.
# Consider listing text types explicitly.
gzip on;
gzip_types *;
gzip_comp_level 6;
gzip_min_length 256;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Hostnames served by this vhost (repeated server_name directives accumulate).
server_name www.dk8s.com;
server_name www.dk8s.cn;
# Per-connection download throttle: 100 KB/s after the first 1 MB.
limit_rate 100k;
limit_rate_after 1m;
# At most 40 concurrent connections per client key; inherited only by
# locations that do not declare their own limit_conn.
limit_conn con_ip 40;
location / {
# burst=100 is the queue length. delay=N is NOT a queue length: it is the
# point within the burst after which excess requests start being delayed,
# and because 200 > 100 every burst request is served immediately
# (equivalent to nodelay). Requests beyond the burst are rejected (444).
limit_req zone=req_ip burst=100 delay=200;
# Same for the whole-vhost zone: burst=1000, effectively nodelay.
# When several limit_req directives apply, the most restrictive one wins.
limit_req zone=req_svr burst=1000 delay=2000;
# Forward the original Host header.
proxy_set_header Host $host;
# TCP peer address - the CDN edge when a CDN is in front, not the end client.
proxy_set_header X-Real-IP $remote_addr;
# Append $remote_addr to the incoming X-Forwarded-For chain.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Original scheme (https on this listener).
proxy_set_header X-Forwarded-Proto $scheme;
# Upstream web service, plain HTTP inside the cluster.
proxy_pass http://dk8s-web-svc.default.svc.cluster.local:80;
}
location /public/pkg/ {
# Downloads: at most 2 concurrent connections per client key, which with
# limit_rate 100k caps a client at roughly 200 KB/s. This limit_conn replaces
# (does not add to) the server-level limit of 40.
limit_conn con_ip 2;
# No delay= here, so excess requests within the burst are queued and
# smoothed to the zone rate instead of being served immediately.
limit_req zone=req_ip burst=10;
limit_req zone=req_svr burst=100;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass carries a URI, so /public/pkg/<x> is forwarded as /pkg/<x>.
proxy_pass http://dk8s-res-svc.default.svc.cluster.local:5000/pkg/;
}
...
}
...
}
}

