Elie Zgala

Reputation: 145

Best way to implement a Real-Time IP Whitelisting System

I want to set up an IP whitelisting system to protect my web server.

There are 3 layers I can secure: (Internet =>) Firewall => Nginx Reverse Proxy => Node.js Server

In terms of practicality, I'm securing my Node.js server, because I can dynamically Allow/Deny IPs in a Real-Time Firebase table I edit via a custom web interface. But it doesn't prevent DDoS cleanly because, even though I will return an error to unauthorized IPs, my node server would handle the load directly, which is not good...

I would prefer to protect my server at an upper level, like Nginx or the Firewall. However, the IP lists are files on the server, and it seems complicated to implement a solution as comfortable as the one I use now.

What do you suggest, and what do you think of my current solution?

Thanks!

Upvotes: 1

Views: 1050

Answers (1)

sempasha

Reputation: 623

There are two ways to build a "dynamic" IP filter:

  1. On every request Nginx asks Firebase (or another IP whitelist source) "is this client in the IP whitelist?". To do so you need one of the modules which allow scripting for nginx, like ngx_http_lua_module, ngx_http_perl_module or nginScript;
  2. On every whitelist update Firebase triggers an event, then some application captures the event and rebuilds the firewall rules or the nginx IP filter.

The second way seems stronger at standing up to DDoS, but less applicable when the IP whitelist is very large and changes are frequent.

Upvotes: 2
