Spring Cloud microservice security in practice, 3-3: API security, flow control

API security is made up of several parts: flow control, authentication, auditing and authorization. This section goes over each of them briefly so that you get a first impression of the concepts; each one is explained in detail later.

This post gives that first impression of flow control in API security.

1. The concept

Flow control means letting through only as many requests as the system can handle. It is the first link in the API security chain.

Why do flow control? To keep the system available and prevent it from being crushed by a large volume of traffic. Flow control sits at the very front of the whole security mechanism, ahead of authentication, auditing and authorization, so that excess traffic is rejected early and the resources of the later stages are not wasted on it.

If there is no flow control on the first line, an attacker can gather a pile of compromised machines and launch a DDoS attack; no matter how well authentication, auditing and authorization are done behind it, the service can still be crushed.

For example, if the system can only handle 500 requests per second, then let 500 requests per second through and reject the rest outright, so the system is not overwhelmed. Real flow control is far more complex than a single number, as the rest of the series will show.

2. Where is flow control done?

In real development, rate limiting can be done in many places, for example:

1. In the load balancer.

2. In the reverse proxy.

Limiting at the load balancer or reverse proxy level is, in practice, limiting for the whole cluster. For example, a user service may actually be deployed as a cluster of four or eight machines; limiting at the load balancer or reverse proxy layer governs the entire cluster, that is, how much traffic the cluster as a whole can sustain.

3. In your own application code.

This only limits a single application node. It is a different limiting dimension from the reverse proxy or load balancer; if both are configured they complement each other and do not conflict. Cluster-level flow control through the framework is introduced later in the series.

3. Simple rate limiting with Guava

Add the latest guava dependency to the pom:

<!-- https://mvnrepository.com/artifact/com.google.guava/guava -->
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>28.1-jre</version>
</dependency>

Project structure (screenshot not preserved in this text).

Write a rate-limiting filter:

package com.nb.security.filter;

import com.google.common.util.concurrent.RateLimiter;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Extending OncePerRequestFilter guarantees the filter logic runs only once per request.
 * In Spring Boot, any class that implements the Filter interface is added to the web
 * application's filter chain automatically; declaring it as a @Component is enough.
 */
@Order(1) // execution order in the filter chain
@Component
public class RateLimitFilter extends OncePerRequestFilter {

    // rate limiter allowing 1 request per second
    private final RateLimiter rateLimiter = RateLimiter.create(1);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        System.err.println("++++流控++++");

        if (rateLimiter.tryAcquire()) {
            // below the limit: let the request through
            filterChain.doFilter(request, response);
        } else {
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value()); // 429 Too Many Requests
            response.getWriter().write("too many request!");
            response.getWriter().flush();
        }
    }
}

Call the user query endpoint and refresh it rapidly; the second and later requests within the same second get a 429.

This is a simple example. Real flow control is far more complex: for instance, you can limit per user, with VIP users allowed 500 requests per second and ordinary users 50 per second, so that when a flood of requests arrives VIP users notice nothing and keep working normally while ordinary users are rejected.

Code: https://github.com/lhy1234/springcloud-security/tree/master/nb-user-api

++++++++++++++++++++++++ divider ++++++++++++++++++++++++
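The per-user tiering described above, as an added example that is not the post's code or part of the linked repository. It keeps one Guava RateLimiter per user id (500 permits/s for VIPs, 50/s for everyone else) instead of the single shared limiter in RateLimitFilter. Two things are placeholders for this example: the caller's id is read from a hypothetical "X-User-Id" header, and the VIP list is a hard-coded set. In a real chain the id must come from the authentication step, otherwise a caller can choose any id, or a fresh id on every request, and sidestep the per-user bucket; that is why the lookup table is bounded and expires idle entries, and why callers without an id share a single bucket.

```java
package com.nb.security.filter;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.RateLimiter;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;

/**
 * Per-user tiered rate limiting: VIP users get 500 permits/s, ordinary users 50/s.
 * Added example; not the original post's code.
 *
 * Assumptions: the caller id comes from the hypothetical "X-User-Id" header and the
 * VIP list is a constructed, hard-coded set. Both stand in for the authenticated
 * principal and the real user store.
 */
@Order(1)
@Component
public class TieredRateLimitFilter extends OncePerRequestFilter {

    static final double VIP_PERMITS_PER_SECOND = 500.0;
    static final double NORMAL_PERMITS_PER_SECOND = 50.0;

    // Constructed VIP list for the example; real code would consult the user store.
    private static final Set<String> VIPS = new HashSet<>(Arrays.asList("vip-1", "vip-2"));

    // One limiter per user id, created on first use. The size bound and idle expiry
    // keep the table from growing without limit when many distinct ids show up.
    private final LoadingCache<String, RateLimiter> limiters = CacheBuilder.newBuilder()
            .maximumSize(100_000)
            .expireAfterAccess(10, TimeUnit.MINUTES)
            .build(new CacheLoader<String, RateLimiter>() {
                @Override
                public RateLimiter load(String userId) {
                    double permits = VIPS.contains(userId) ? VIP_PERMITS_PER_SECOND : NORMAL_PERMITS_PER_SECOND;
                    return RateLimiter.create(permits);
                }
            });

    // Single shared bucket for callers without an id, so unidentified traffic is still capped.
    private final RateLimiter anonymousLimiter = RateLimiter.create(NORMAL_PERMITS_PER_SECOND);

    // Picks the bucket for a caller: anonymous callers share one, identified callers get their own.
    RateLimiter limiterFor(String userId) {
        if (userId == null || userId.trim().isEmpty()) {
            return anonymousLimiter;
        }
        return limiters.getUnchecked(userId);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String userId = request.getHeader("X-User-Id"); // hypothetical header, see class comment
        RateLimiter limiter = limiterFor(userId);

        if (limiter.tryAcquire()) {
            // permit available for this caller's tier: let the request through
            filterChain.doFilter(request, response);
        } else {
            // over the tier's limit: reject with 429 and tell the client when to retry
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            response.setHeader("Retry-After", "1");
            response.getWriter().write("too many requests");
            response.getWriter().flush();
        }
    }
}
```

Use this filter in place of RateLimitFilter rather than alongside it, since both are registered at @Order(1) and the single-permit global limiter would reject almost everything before the tiered one runs. Like the post's filter, every bucket lives in one JVM, so this is node-level limiting in the sense of section 2; with a cluster of four nodes each user effectively gets four times the stated rate unless the limit is also enforced at the load balancer or reverse proxy.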

Summary:

1. Flow control concept: controlling the volume of traffic.

2. Flow control position: load balancer, reverse proxy, application logic.

3. Simple rate limiting with Guava, to get a first impression of rate limiting.


Origin www.cnblogs.com/lihaoyang/p/11966865.html