How to Use Nginx to Restrict Malicious Access: IP Blocking, DDoS Mitigation, SQL Injection and XSS Prevention
This guide explains how to configure Nginx to block malicious IPs, mitigate DDoS attacks, limit request rates and body size, and prevent SQL injection and XSS attacks by using blacklist files, conditional rules, connection and request limits, and security headers.
Malicious access refers to attackers targeting a website or network service to gain illegal access or disrupt normal operation. To protect server network security, Nginx can be configured to restrict such malicious traffic.
Using Nginx to Restrict IPs
1. Configure IP blacklist
Add a blacklist in the Nginx configuration file (/etc/nginx/nginx.conf) within the http block:
<code>http {
    ...
    # black list
    geo $not_allowed_ip {
        default 0;
        include /etc/nginx/not_allowed_ip.txt;
    }
    ...
}</code>
This defines the variable $not_allowed_ip: it is 0 by default and takes the value listed for the client's address in not_allowed_ip.txt.
2. Edit the IP blacklist file
Open the file and add one entry per line, in the form the geo directive requires: the address (or CIDR range), the value 1, and a terminating semicolon:
<code>sudo nano /etc/nginx/not_allowed_ip.txt</code>
<code>192.168.0.1 1;
192.168.0.2 1;</code>
Save and close the editor after editing.
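The following Python script is an added example, not part of the original article: it builds the include file for the geo block from a list of addresses, validates each entry before it is written (a malformed line makes the whole Nginx configuration fail to load), reads the file back, and evaluates $not_allowed_ip the way geo does, where the most specific matching network wins and anything unmatched gets the default of 0. The address list, file contents and function names are constructed for the example.

```python
import ipaddress

# Constructed example entries (private and documentation ranges, not real offenders).
BLOCK_ENTRIES = ["192.168.0.1", "192.168.0.2", "10.20.0.0/16", "203.0.113.7"]


def _geo_address(net):
    # geo accepts a bare address or address/prefix; print hosts without /32 or /128.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def render_geo_file(entries):
    """Render a geo include file: one 'address value;' line per entry.

    ipaddress.ip_network raises ValueError on junk, so a typo is caught here
    instead of at 'nginx -t' time.
    """
    lines = []
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        lines.append(f"{_geo_address(net)} 1;")
    return "\n".join(lines) + "\n"


def load_geo_file(text):
    """Parse a geo include file back into (network, value) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # geo files allow # comments
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in geo entry: {line!r}")
        addr, value = line[:-1].split()
        entries.append((ipaddress.ip_network(addr, strict=False), int(value)))
    return entries


def not_allowed_ip(client_ip, entries, default=0):
    """Evaluate $not_allowed_ip as geo does: the longest matching prefix wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, value in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return best[1] if best else default


if __name__ == "__main__":
    text = render_geo_file(BLOCK_ENTRIES)
    print(text, end="")
    table = load_geo_file(text)
    for probe in ("192.168.0.1", "192.168.0.3", "10.20.5.5"):
        print(probe, "->", not_allowed_ip(probe, table))
```

Because entries can carry different values, the same evaluator shows how an exception works: a narrower network listed with value 0 inside a blocked /16 un-blocks just that subnet, which is what geo's longest-prefix rule gives you in the real file. Note that geo keys on $remote_addr by default, so behind a reverse proxy the blacklist must be evaluated against the real client address (the realip module or the geo proxy parameter), or every visitor shares the proxy's address.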
3. Add IP restriction rule
Use an if directive inside a server block to return a 403 status for blacklisted IPs:
<code>http {
    ...
    server {
        ...
        # access control list
        if ($not_allowed_ip) {
            return 403;
        }
        ...
    }
    ...
}</code>
4. Reload Nginx
After saving the configuration, reload Nginx to apply changes:
<code>sudo systemctl reload nginx</code>
Using Nginx to Defend Against DDoS Attacks
1. Limit concurrent connections per IP
<code>http {
    ...
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    ...
    server {
        ...
        limit_conn conn_limit_per_ip 10;
        ...
    }
    ...
}</code>
This creates a 10 MB shared memory zone named conn_limit_per_ip, keyed by client address, and limits each IP to 10 simultaneous connections.
2. Limit request rate per IP
<code>http {
    ...
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=1r/s;
    ...
    server {
        ...
        limit_req zone=req_limit_per_ip burst=10 nodelay;
        ...
    }
    ...
}</code>
Requests from one address are limited to 1 per second; up to 10 excess requests are accepted as a burst, and nodelay serves them immediately instead of spacing them out.
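To make the rate, burst and nodelay parameters concrete, here is an added example (not from the original article) that models Nginx's limit_req leaky bucket for a single client key. It follows the integer arithmetic of the limit_req module as I read it, where "excess" counts thousandths of a request above the configured rate and a rejected request leaves the bucket state untouched; treat it as a teaching model rather than the module's code. The class, function names and request timings are constructed for the example.

```python
class LimitReq:
    """Model of nginx limit_req for one client key (a teaching model).

    rate_rps  - the rate= value, requests per second
    burst     - the burst= value
    nodelay   - whether burst requests are served immediately or held back
    """

    def __init__(self, rate_rps, burst, nodelay=False):
        self.rate = rate_rps * 1000       # per-mille requests per second
        self.burst = burst * 1000         # per-mille requests of allowed excess
        self.nodelay = nodelay
        self.excess = 0
        self.last_ms = None

    def request(self, now_ms):
        """Return (status, delay_ms): 200 = pass, 503 = rejected as excess."""
        if self.last_ms is None:          # first request from this key
            self.last_ms, self.excess = now_ms, 0
            return 200, 0
        elapsed = now_ms - self.last_ms
        # Leak what the elapsed time allows, then add this request.
        excess = max(self.excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return 503, 0                 # rejected; bucket state unchanged
        self.excess, self.last_ms = excess, now_ms
        if self.nodelay or excess == 0:
            return 200, 0
        # Without nodelay the request is held until it fits the rate.
        return 200, excess * 1000 // self.rate


def simulate(timestamps_ms, rate_rps=1, burst=10, nodelay=True):
    """Feed timestamped requests from one client through the limiter."""
    lim = LimitReq(rate_rps, burst, nodelay)
    return [lim.request(t)[0] for t in timestamps_ms]


if __name__ == "__main__":
    # Constructed traffic: 12 requests at once, then two more a second later.
    burst_then_pause = [0] * 12 + [1000, 1000]
    print(simulate(burst_then_pause))
    # Same client, one request per second: never limited.
    print(simulate([i * 1000 for i in range(20)]))
```

Two things the model makes visible: burst=10 admits eleven instantaneous requests (the one the rate allows plus ten of excess) and rejects the twelfth with 503, the default limit_req_status; and without nodelay the eleven are still admitted but each is delayed by excess/rate seconds, so the second instantaneous request already waits one second at 1r/s.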
3. Limit request body size
<code>http {
    ...
    # limit body size
    client_max_body_size 10m;
    ...
}</code>
Requests with a body larger than 10 MB are rejected with status 413 (Request Entity Too Large).
Using Nginx to Defend Against SQL Injection and XSS Attacks
1. Prevent SQL injection
<code>http {
    ...
    server {
        ...
        if ($query_string ~ "union.*select.*\(") {
            return 403;
        }
        if ($query_string ~ "cookies|document|base64") {
            return 403;
        }
        ...
    }
    ...
}</code>
Two if statements test the query string against regular expressions (the ~ operator matches case-sensitively) and block a matching request with a 403 status.
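Before deploying pattern rules like these it is worth running them over representative query strings, because a coarse regex blocks legitimate traffic as readily as hostile traffic. The script below is an added example, not part of the original article: it applies the two patterns from the snippet with Python's re module (Nginx uses PCRE, and for patterns this simple the two agree) and reports the decision for a set of constructed query strings. It also shows the effect of the operator choice, since Nginx's ~ is case-sensitive and ~* is the case-insensitive form. The sample query strings and function names are constructed.

```python
import re

# The two patterns from the nginx snippet, verbatim.
RULES = [r"union.*select.*\(", r"cookies|document|base64"]


def decide(query_string, case_insensitive=False):
    """Return 403 if any rule matches the raw query string, else None.

    case_insensitive=False models nginx '~'; True models '~*'.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    for pattern in RULES:
        if re.search(pattern, query_string, flags):
            return 403
    return None


# Constructed query strings, with why each one is interesting.
SAMPLES = {
    "id=1 union select 1,2,(3)": "what rule 1 is written to catch",
    "q=sales%20document": "ordinary word 'document' trips rule 2 (false positive)",
    "token=base64string": "ordinary token name trips rule 2 (false positive)",
    "page=2&sort=name": "ordinary request, passes",
}


def audit(samples, case_insensitive=False):
    """Map each sample query string to the status the rules would return."""
    return {q: decide(q, case_insensitive) for q in samples}


if __name__ == "__main__":
    for q, why in SAMPLES.items():
        print(f"{decide(q)!s:>5}  {q!r}  ({why})")
    # Operator choice: the same input under '~' and under '~*'.
    upper = "id=1 UNION SELECT 1,(2)"
    print("~  :", decide(upper), " ~* :", decide(upper, case_insensitive=True))
```

The false positives on "document" and "base64" are the practical cost of the second rule: any site whose URLs legitimately carry those words will return 403 to real users. The uppercase check shows why ~* is the operator to use if such a rule is kept at all; either way, rules in Nginx are a coarse filter in front of the application, and the actual defence against SQL injection is parameterised queries in the application code.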
2. Prevent XSS attacks
<code>http {
    ...
    server {
        ...
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "SAMEORIGIN";
        ...
    }
    ...
}</code>
These headers disable MIME sniffing, enable XSS protection, and restrict framing to the same origin.
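A check that the headers actually reach the client is worth keeping next to this configuration, because add_header directives are inherited from the server level only when the location block has no add_header of its own; a location that adds, say, a Cache-Control header silently drops all three. The script below is an added example, not from the original article: it parses a raw HTTP response and reports which of the three headers are missing or carry a weaker value than the snippet sets. The two responses are constructed to show a location where the headers survived and one where a local add_header replaced them.

```python
# Expected header values, matching the add_header lines in the snippet.
EXPECTED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
}

# Constructed responses. The second models a location block with its own
# add_header (Cache-Control), so the server-level headers were not inherited.
ROOT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)
API_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "{}"
)


def parse_response(raw):
    """Split a raw response into (status line, {lower-case name: [values]})."""
    head, _, _ = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(raw):
    """Return a list of problems; an empty list means all three headers are set."""
    _, headers = parse_response(raw)
    problems = []
    for name, acceptable in EXPECTED.items():
        values = headers.get(name)
        if not values:
            problems.append(f"missing {name}")
        elif not all(acceptable(v) for v in values):
            problems.append(f"weak {name}: {values}")
    return problems


if __name__ == "__main__":
    for label, raw in (("/", ROOT_RESPONSE), ("/api/", API_RESPONSE)):
        print(label, audit_headers(raw) or "ok")
```

In practice the raw responses come from the server itself (for example, the headers printed by a HEAD request against each location), and the fix when a location fails the check is to repeat the three add_header lines inside that location or to move them into a shared include file.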
Summary
The article demonstrates how to use Nginx to implement various security measures—IP blacklisting, DDoS mitigation, request rate and body size limits, and defenses against SQL injection and XSS—thereby strengthening the protection of web services.