How to automatically deny an IP address by parsing the nginx log file
I have 4 webservers behind CloudFlare and a load balancer; nginx is the webserver and php-fpm serves the PHP pages. I don't know how to block a simple DoS attack ...
I can detect this attack using the http_limit_req module from nginx (http://wiki.nginx.org/HttpLimitReqModule),
but that doesn't block the attack at all. Yes, it can mitigate it, but the webservers get hit again and again, php-fpm goes up to 80%, and after a minute the site is unavailable.
I am trying to find a way to block this request.
I know how to block a specific IP or a specific user agent with nginx, but I want to do it automatically. I think I can't block the IP using iptables because the request is coming from the load balancer :( but I can still figure out the correct IP using set_real_ip_from and real_ip_header X-Forwarded-For with nginx.
I have a log file (error.log) populated with the correct IP address, as you can see:
2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "intermediate", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD /it HTTP/1.1", host: "www.xxxxxxx.com"
Does anyone have an idea and can teach me how to automatically block this IP?
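One way to do what the question asks, written as an added example (this is not code from the question or from any answer on this page): parse error.log for the lines nginx writes when limit_conn or limit_req fires, count hits per client IP, and emit a file of nginx `deny` directives that the server block pulls in with an `include`. Because `deny` is evaluated by nginx itself, it works behind the load balancer where iptables cannot, as the question notes; nginx answers 403 without ever handing the request to php-fpm. The example assumes nginx is already logging the real client address (set_real_ip_from plus real_ip_header X-Forwarded-For, as described in the question); the trusted network, the threshold, the include path and the log lines are all constructed for this example. One caveat a practitioner wants: set_real_ip_from must list only the load balancer (or CloudFlare) addresses, otherwise any client can forge X-Forwarded-For and make this script deny an address of its choosing, including the load balancer's own, which is why the script also refuses to ever deny the trusted nets.

```python
"""Turn nginx limit_conn / limit_req error.log hits into nginx deny rules.

Added example. Assumes the real client IP is already in the log
(set_real_ip_from + real_ip_header X-Forwarded-For) and that a server{}
block contains `include /etc/nginx/blocked.conf;` (hypothetical path).
"""
import ipaddress
import re
import sys
from collections import Counter

# One regex covers both message shapes nginx writes to error.log:
#   ... *1283 limiting connections by zone "intermediate", client: 203.0.113.7, ...
#   ... *1290 limiting requests, excess: 5.320 by zone "intermediate", client: 203.0.113.7, ...
LIMIT_RE = re.compile(
    r"\[error\] \d+#\d+: \*\d+ "
    r"limiting (?:connections|requests, excess: [\d.]+) by zone "
    r'"(?P<zone>[^"]+)", client: (?P<client>[0-9a-fA-F.:]+),'
)

# Addresses that must never be denied: the load balancer(s) that forward
# traffic to this webserver (hypothetical value for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample of error.log (not a real capture). 203.0.113.7 trips a
# limit three times, 198.51.100.9 twice, and 10.0.0.5 is the load balancer.
SAMPLE_ERROR_LOG = """\
2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "intermediate", client: 203.0.113.7, server: www.example.com, request: "HEAD /it HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:02 [error] 31234#0: *1284 limiting connections by zone "intermediate", client: 203.0.113.7, server: www.example.com, request: "HEAD /it HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:03 [error] 31234#0: *1285 limiting requests, excess: 5.320 by zone "intermediate", client: 203.0.113.7, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:03 [error] 31234#0: *1286 limiting connections by zone "intermediate", client: 198.51.100.9, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:04 [error] 31234#0: *1287 limiting connections by zone "intermediate", client: 198.51.100.9, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:04 [error] 31234#0: *1288 limiting connections by zone "intermediate", client: 10.0.0.5, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:04 [error] 31234#0: *1289 limiting connections by zone "intermediate", client: 10.0.0.5, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:04 [error] 31234#0: *1290 limiting connections by zone "intermediate", client: 10.0.0.5, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2012/03/27 18:34:05 [error] 31234#0: *1291 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.7, server: www.example.com, request: "GET /slow HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock", host: "www.example.com"
"""


def is_blockable(ip_text):
    """True only for a syntactically valid, routable address outside TRUSTED_NETS.

    ipaddress.is_global is deliberately not used: it rejects the documentation
    ranges (203.0.113.0/24, 198.51.100.0/24) that the sample log uses.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in TRUSTED_NETS)


def count_limit_hits(lines):
    """Map client IP -> number of limit_conn/limit_req hits in the given lines."""
    hits = Counter()
    for line in lines:
        m = LIMIT_RE.search(line)
        if m and is_blockable(m.group("client")):
            hits[m.group("client")] += 1
    return hits


def offenders(lines, threshold):
    """IPs that hit a limit at least `threshold` times, sorted for a stable file."""
    return sorted(ip for ip, n in count_limit_hits(lines).items() if n >= threshold)


def render_deny_conf(ips):
    """nginx snippet for `include`; nginx needs a reload after it changes."""
    header = "# generated from error.log limit hits; run `nginx -s reload` after updating\n"
    return header + "".join(f"deny {ip};\n" for ip in ips)


def main(argv):
    """Usage: script.py [error.log path] [threshold]; no path means the sample log."""
    threshold = int(argv[2]) if len(argv) > 2 else 3
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_ERROR_LOG.splitlines()
    sys.stdout.write(render_deny_conf(offenders(lines, threshold)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it from cron (or a tail loop) as `script.py /var/log/nginx/error.log 3 > /etc/nginx/blocked.conf && nginx -s reload`. Only the limit messages are counted; the "upstream timed out" line in the sample carries a client address but is ignored, so an unrelated error cannot get an IP banned. Note that the generated file only grows; a practitioner would also age entries out (for example by only feeding the last N minutes of the log) so that a shared address is not blocked forever.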