Nginx configuration to defend against DDoS, CC and other traffic attacks (1. limit the number of accesses per IP, 2. add an IP blacklist)

1. Limit the number of accesses per IP in a given time period

nginx can limit how often an IP is allowed to access the server in a given time period through the ngx_http_limit_conn_module and ngx_http_limit_req_module modules and their configuration.

ngx_http_limit_conn_module: This module limits the number of connections per defined key, in particular the number of connections from a single IP address. It uses the limit_conn_zone and limit_conn directives.

ngx_http_limit_req_module: This module limits the request processing rate per defined key, in particular the rate of requests from a single IP address. The limiting is done with the "leaky bucket" method. Directives: limit_req_zone and limit_req.

ngx_http_limit_conn_module: Limit the number of connections from a single IP. Example:

http {
  limit_conn_zone $binary_remote_addr zone=addr:10m;
  # Define a limit_conn_zone named addr to store the states, using 10M of memory,
  # keyed by $binary_remote_addr.
  # limit_conn_zone replaced the older limit_zone directive (nginx 1.1.8 and later),
  # and it can only be placed in the http{} block.
  ...
  server {
    ...
    location /download/ {
      limit_conn addr 1; # Connection limit
      # Sets the shared memory zone for the given key and the maximum number of connections allowed.
      # When this limit is exceeded, the server returns a 503 (Service Temporarily Unavailable) error.
      # The server also returns a 503 (Service Temporarily Unavailable) error if the zone runs out of storage space.
    }
  }
}

There may be several limit_conn directives. The following configuration limits the number of connections to the server per client IP while also limiting the total number of connections to the virtual server:

http {
  limit_conn_zone $binary_remote_addr zone=perip:10m;
  limit_conn_zone $server_name zone=perserver:10m;
  ...
  server {
    ...
    limit_conn perip 10; # The number of connections allowed between a single client IP and the server.
    limit_conn perserver 100; # Limit the total number of connections to the virtual server.
  }
}

Reference documentation: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html

ngx_http_limit_req_module: Limit the number of requests from a single IP within a given period of time.

Example:

http {
  limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
  # Define a limit_req_zone named one to store the states, using 10M of memory,
  # keyed by $binary_remote_addr, limiting the average rate to 1 request per second.
  # 1M can store 16000 states; the rate value must be an integer.
  ...
  server {
    ...
    location /search/ {
      limit_req zone=one burst=5;
      # Limit each IP to no more than 1 request per second; burst=5 is the size of the
      # leaky bucket, i.e. the queue for excess requests.
      # nodelay: if this option is not set, requests are limited strictly to the average
      # rate and the excess requests are delayed.
      # For example:
      # set rate=20r/s, so 20 requests per second are allowed, with a bucket size of burst=5.
      # burst means that if 19 requests arrive in each of seconds 1 to 4 and 25 requests
      # arrive in the 5th second, those 25 can be understood as 20+5.
      # But if 25 requests are made in the 1st second, the requests beyond 20 return a
      # 503 error in the 2nd second.
      # The server also returns a 503 (Service Temporarily Unavailable) error if the zone
      # runs out of storage space.
      # The rate is specified in requests per second (r/s). If a rate of less than one
      # request per second is required, specify it in requests per minute (r/m).
    }
  }
}
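To make the burst and nodelay behaviour above concrete, the following is an added example (not code from the original post) that simulates the accounting ngx_http_limit_req_module performs for one client key: the stored excess leaks at the configured rate, every request adds one, anything above burst is rejected with 503, and without nodelay an excess request is delayed by excess divided by rate. The rate strings and request arrival times are constructed; the function and class names are this example's own.

```python
"""Leaky-bucket simulation of nginx limit_req for a single client key (added example)."""
from dataclasses import dataclass


def parse_rate(spec: str) -> int:
    """Convert 'Nr/s' or 'Nr/m' to requests per second in thousandths, the unit nginx stores."""
    value, unit = spec.split("r/")
    per_second = int(value) * 1000
    if unit == "s":
        return per_second
    if unit == "m":
        return per_second // 60          # e.g. 30r/m -> 0.5 r/s -> 500
    raise ValueError(f"unsupported rate unit in {spec!r}")


@dataclass
class LimitReq:
    rate: str = "1r/s"      # the rate= of limit_req_zone
    burst: int = 0          # the burst= of limit_req
    nodelay: bool = False   # the nodelay flag of limit_req


def simulate(limit: LimitReq, arrivals_ms: list[int]) -> list[tuple[str, int]]:
    """Return one (decision, delay_ms) pair per request of a single key arriving at arrivals_ms."""
    rate = parse_rate(limit.rate)
    burst = limit.burst * 1000          # burst is compared in thousandths as well
    excess = 0                          # per-key excess, in thousandths of a request
    last = None                         # arrival time of the last accepted request
    decisions = []
    for now in arrivals_ms:
        if last is None:
            candidate = 0               # a new key: the first request carries no excess
        else:
            elapsed = max(now - last, 0)
            # leak what the rate allows since the last request, then add this request
            candidate = max(excess - rate * elapsed // 1000 + 1000, 0)
        if candidate > burst:
            decisions.append(("reject_503", 0))   # rejected requests leave the state untouched
            continue
        excess, last = candidate, now
        if excess > 0 and not limit.nodelay:
            decisions.append(("delayed", excess * 1000 // rate))  # delay = excess / rate, in ms
        else:
            decisions.append(("pass", 0))
    return decisions


def summarize(decisions: list[tuple[str, int]]) -> dict[str, int]:
    """Count how many requests passed immediately, were delayed, or were rejected."""
    counts = {"pass": 0, "delayed": 0, "reject_503": 0}
    for decision, _ in decisions:
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    # Constructed arrivals: seven requests from one IP at the same instant, then one a second later.
    arrivals = [0] * 7 + [1000]
    for cfg in (LimitReq("1r/s", burst=5), LimitReq("1r/s", burst=5, nodelay=True)):
        print(cfg, summarize(simulate(cfg, arrivals)))
```

With burst=5 and no nodelay, seven simultaneous requests give one immediate pass, five queued with growing delays and one 503; with nodelay the same six are served at once and the seventh is still rejected, which is the difference between "queue" and "burst" that the comments above describe.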

It is also possible to limit the request processing rate for a single IP address while also limiting the request processing rate of the virtual server:

http {
  limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;
  limit_req_zone $server_name zone=perserver:10m rate=10r/s;
  ...
  server {
    ...
    limit_req zone=perip burst=5 nodelay; # Bucket size 5, i.e. the queue length. nodelay: do not delay the excess requests.
    limit_req zone=perserver burst=10; # Limit the processing rate of the whole virtual server to 10 requests per second.
  }
}

 

2. Block an IP or an IP range

1. How to find the IPs of all visitors to the server:

awk '{print $1}' nginx_access.log |sort |uniq -c|sort -n

nginx_access.log is the path to the nginx access log file.

This produces output like the following. The first column is the number of visits, the second is the IP. Obviously we want to block the IP with the most visits, but not the IPs of search-engine spiders. In the result below, if 66.249.79.84 is not a spider it needs to be blocked:

     89 106.75.133.167
     90 118.123.114.57
     91 101.78.0.210
     92 116.113.124.59
     92 119.90.24.73
     92 124.119.87.204
    119 173.242.117.145
   4320 66.249.79.84

 

2. How to block an IP

Under the nginx installation directory, create a new blocked-IP file and name it guolv_ip.conf. In the future you only need to edit this file to block another IP. Add the following line and save:

deny 66.249.79.84;

Add the following line to the nginx configuration file nginx.conf. It can be placed in an http, server, location or limit_except block; pay attention to the relative path. In this example nginx.conf and guolv_ip.conf are in the same directory.

include guolv_ip.conf; 

Save the nginx.conf file and test whether the current nginx configuration file is valid:

nginx -t

If there is no problem with the configuration, it will output:

the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

If there is a problem with the configuration, find the reported syntax error and fix it. If there is no problem, run the following command to reload the nginx configuration:

service nginx reload

3. Note:

The blocked-IP configuration file can block a single IP or an IP range, or allow only a certain IP or IP range to access the site.

# Block a single IP
deny IP;

# Allow a single IP
allow IP;

# Block all IPs
deny all;

# Allow all IPs
allow all;

# Block an entire /8, i.e. 123.0.0.1 to 123.255.255.254
deny 123.0.0.0/8;

# Block a /16, i.e. 123.45.0.1 to 123.45.255.254
deny 123.45.0.0/16;

# Block a /24, i.e. 123.45.6.1 to 123.45.6.254
deny 123.45.6.0/24;

# To deny everyone except a few IPs,
# write the following in guolv_ip.conf:
allow 1.1.1.1;
allow 1.1.1.2;
deny all;

To block IPs for a single site, put `include guolv_ip.conf;` in the server{} block of that site.
To block IPs for all sites, put `include guolv_ip.conf;` in the http{} block.
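The allow/deny rules above are evaluated by nginx in the order written: the first matching rule decides, and a client matched by no rule is allowed, which is why "deny all" goes last. The following added example (not code from the original post) parses a guolv_ip.conf-style file and applies those semantics to client addresses, so the effect of a rule set can be checked before reloading nginx. The sample configuration text and the client IPs are constructed; the function names are this example's own.

```python
"""Evaluate nginx allow/deny rules the way ngx_http_access_module does (added example)."""
import ipaddress

# Constructed sample in the style of the post's guolv_ip.conf.
SAMPLE_CONF = """
# management hosts
allow 1.1.1.1;
allow 1.1.1.2;
deny 123.45.6.0/24;
deny all;
"""


def parse_rules(text: str) -> list:
    """Return [(action, network or 'all'), ...] in file order, skipping comments and blank lines.

    A rule without the trailing ';' is rejected, as nginx -t would reject it.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in rule: {raw!r}")
        action, target = line[:-1].split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive in rule: {raw!r}")
        # strict=False lets a bare address become a /32 (or /128) network
        network = "all" if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def decide(rules: list, client_ip: str) -> str:
    """First matching rule wins; when nothing matches nginx allows the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        if addr.version == target.version and addr in target:
            return action
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for ip in ("1.1.1.1", "123.45.6.7", "8.8.8.8"):
        print(ip, decide(rules, ip))
    # Same rules with "deny all" moved to the top: the allow lines never get a chance to match.
    reversed_rules = parse_rules("deny all;\nallow 1.1.1.1;")
    print("1.1.1.1 with deny all first:", decide(reversed_rules, "1.1.1.1"))
```

Running the script shows the two management hosts allowed, the /24 and everything else denied, and that placing "deny all" before the allow lines denies the management hosts too.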

Reference: http://www.nginx.cn/2487.html
