Building an application protective layer with nginx frequency limiting, speed limiting and concurrency limiting

nginx itself provides the building blocks: limiting request frequency, limiting transfer speed, and limiting the number of concurrent connections.

Limit frequency

Restricts, per client, per URI or by some other criterion, how many requests a client may make within a given period of time.

Speed limit

Restricts the rate at which a client reads data from the server, i.e. the transfer speed of the response, regardless of how fast the network is.

Concurrent limit

Restricts the number of connections a client is allowed to hold open at the same time, so that a single client cannot exhaust server resources by opening too many connections.
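The three mechanisms map onto three groups of nginx directives. The configuration below is an added example, not part of the original post, and goes beyond the definitions above by showing the concurrency and speed directives (limit_conn_zone, limit_conn, limit_rate_after, limit_rate) that the post only names; zone names, sizes, paths and the upstream address are illustrative placeholders.

```nginx
http {
    # 1. Frequency limit: state keyed on the packed client address, leaking at 10 requests/s.
    limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

    # 2. Concurrent limit: state for counting open connections per client address.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    server {
        listen 80;

        location /api/ {
            limit_req zone=req_per_ip burst=20;   # up to 20 excess requests are queued, not dropped
            limit_conn conn_per_ip 10;            # at most 10 simultaneous connections per address
            proxy_pass http://127.0.0.1:8090;     # placeholder upstream
        }

        location /downloads/ {
            limit_conn conn_per_ip 2;             # two parallel downloads per address
            # 3. Speed limit: full speed for the first 1 MB of a response, then 256 KB/s.
            limit_rate_after 1m;
            limit_rate 256k;
        }
    }
}
```

limit_rate applies per connection, so on its own a client can multiply its bandwidth by opening more connections; pairing it with limit_conn, as in the downloads location, is what bounds the total per address.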

Limit frequency

http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

http {
  # Define two rate-limit zones.
  # Key the counting on the $binary_remote_addr field.
  # zone=one:10m: the zone is named "one" and its state uses at most 10MB of memory
  # Limit the request rate to at most 1 request per second
  limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

  # Again key the counting on $binary_remote_addr
  # zone=zone2:32m: the zone is named "zone2" with 32MB of state memory
  # Limit the request rate to at most 10 requests per minute
  limit_req_zone $binary_remote_addr zone=zone2:32m rate=10r/m;

  # Sets the desired logging level for cases when the server refuses to
  # process requests due to rate exceeding, or delays request processing.
  # Logging level for delays is one point less than for refusals;
  # for example, if "limit_req_log_level notice" is specified, delays are logged with the info level.
  limit_req_log_level info; # default error, <info | notice | warn | error>

  limit_req_status 503; # default 503, added in nginx 1.3.15

  server {
    # ...

    location /search/ {
      # Apply the rate-limit rules of zone=one
      limit_req zone=one burst=5;
      # limit_req zone=zone2 burst=5 nodelay; # use zone2 instead
    }
  }
}

Explained in detail

When defining a rate-limit rule, the key can be the built-in variable $binary_remote_addr or a user-defined variable.

For example, $binary_remote_addr (according to the documentation, the binary form of $remote_addr: the IP address string "10.0.12.1" stored as a packed integer). This smaller key reduces the memory each IP consumes in the zone, so a zone of a given size can keep track of many more IPs.

The limit can also be keyed on other criteria if the desired rate calls for it, such as the User-Agent header (exposed by nginx as $http_user_agent) and the like, or on:

$realip_remote_addr
$remote_addr
$remote_user

Built-in variable list: http://nginx.org/en/docs/varindex.html
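To see what the rate, burst and nodelay parameters in the zone definitions above actually do to a sequence of requests, and why $binary_remote_addr is a smaller key than $remote_addr, here is a small model of the leaky-bucket accounting in ngx_http_limit_req_module. It is an added example, not code from the original post or from nginx, and is written from my reading of the module's documented behaviour: one request counts as 1000 "milli-requests", rates are truncated to integer milli-requests per second, and a rejected request does not update the client's stored state. The zone names, rates and addresses are constructed.

```python
import ipaddress


def parse_rate(rate):
    """Convert '1r/s' or '10r/m' to milli-requests per second, truncating like nginx
    does: 10r/m becomes 166, i.e. slightly stricter than one request per 6 s."""
    value, unit = rate[:-3], rate[-3:]
    scale = {"r/s": 1, "r/m": 60}[unit]
    return int(value) * 1000 // scale


def binary_remote_addr(ip):
    """Packed form of an address, which is what $binary_remote_addr holds:
    4 bytes for IPv4 and 16 for IPv6, instead of the text form held by $remote_addr."""
    return ipaddress.ip_address(ip).packed


class LimitReqZone:
    """One limit_req_zone plus the burst/nodelay/delay parameters of limit_req
    (model of the documented behaviour, see the lead-in; not nginx's own code)."""

    def __init__(self, rate, burst=0, nodelay=False, delay=0):
        self.rate = parse_rate(rate)       # leak rate, milli-requests per second
        self.burst = burst * 1000          # excess a client may accumulate before rejection
        # Excess at or below this threshold is forwarded at once; above it the request
        # is held until the bucket has drained enough. nodelay disables holding entirely.
        self.delay_threshold = float("inf") if nodelay else delay * 1000
        self.state = {}                    # key -> [excess, last_seen_ms]

    def request(self, key, now_ms):
        """Return ($limit_req_status, delay_ms) for one request from `key` at `now_ms`."""
        st = self.state.get(key)
        if st is None:
            self.state[key] = [0, now_ms]  # a key's first request always passes
            return ("PASSED", 0)
        excess, last = st
        elapsed = max(0, now_ms - last)
        # Drain the bucket for the elapsed time, then add this request.
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return ("REJECTED", 0)         # state stays as it was
        st[0], st[1] = excess, now_ms
        delay_ms = 0 if excess <= self.delay_threshold else excess * 1000 // self.rate
        return ("DELAYED", delay_ms) if delay_ms else ("PASSED", 0)


def simulate(zone, key, times_ms):
    """Feed a sequence of request timestamps (ms) for one key and collect the outcomes."""
    return [zone.request(key, t) for t in times_ms]


if __name__ == "__main__":
    # Constructed scenario: seven requests arriving at once against rate=1r/s burst=5.
    zone = LimitReqZone("1r/s", burst=5)
    for status, delay in simulate(zone, binary_remote_addr("10.0.12.1"), [0] * 7):
        print(status, delay)
```

Running the scenario shows the shape of burst: the first request passes, the next five are accepted but held for 1 to 5 seconds so they leave at the configured rate, and the seventh is rejected; with nodelay the same six pass immediately and the seventh is still rejected. The 10r/m case also shows the truncation to 166 milli-requests per second, which means a client that retries exactly every 6 seconds is still rejected.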

Use custom variables

Under normal circumstances there is a protective shield in front of our service, or a layer-4 proxy such as LVS or HAProxy. Using $remote_addr / $binary_remote_addr directly then yields the address of the shield or load balancer, so a limit that was meant for individual client IPs ends up being applied to the shield as a whole.

Year-Shield

Year-Shield passes the IP address from which the request was first received by its first-level node, i.e. the real client address, in the X-Connecting-Ip header.

http://help.yunaq.com/faq/67/index.html

For ease of use, the map directive records it into the custom variable $clientRealIp:

map $http_x_connecting_ip $clientRealIp {
    default                     $remote_addr;
    "~(\d+\.\d+\.\d+\.\d+)"     $1;
}

Then reference that variable directly in the rate-limit definition.

limit_req_zone $clientRealIp zone=zoneA:32m rate=30r/m;
limit_req_zone $clientRealIp zone=zoneB:32m rate=6r/m;

# levels info | notice | warn | error; default error
limit_req_log_level notice;

Finally, apply the rate limit in the location that needs protecting.

server {
  location ~* ^/view/ {
    limit_req zone=zoneA nodelay;
    # Note: $limit_req_status exists since nginx 1.17.6. An "if" block is evaluated in the
    # rewrite phase, before limit_req runs in the preaccess phase, so the variable is still
    # empty at this point and the branch does not fire for a plain request; limit_req_status
    # together with error_page is the reliable way to customise the rejection response.
    if ( $limit_req_status = REJECTED ) {
      default_type text/plain;
      return 419 "frequency limit";
    }
    proxy_pass http://1.1.1.1:8090;
  }

  location ~* ^/api/v1/ {
    limit_req zone=zoneB burst=3 nodelay;
    if ( $limit_req_status = REJECTED ) {
      default_type application/json;
      return 200 '{"code":419, "status":"failed","message":"频繁访问"}';
    }
    proxy_pass http://1.1.1.1:8090;
  }
}
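The following is an added example, not the original post's configuration, of the same protection written so that the custom rejection response is actually produced: the rejection is given a status code with limit_req_status and turned into a JSON body through error_page and a named location, instead of an "if" test on $limit_req_status (which runs in the rewrite phase, before limit_req has made its decision). The map and the zoneB definition are the post's own; the named location, the listen port and the upstream address are placeholders.

```nginx
http {
    map $http_x_connecting_ip $clientRealIp {
        default                     $remote_addr;
        "~(\d+\.\d+\.\d+\.\d+)"     $1;
    }

    limit_req_zone $clientRealIp zone=zoneB:32m rate=6r/m;
    limit_req_status 429;            # status nginx uses for rejected requests (default 503)
    limit_req_log_level notice;      # rejections logged at notice, delays one level lower (info)

    server {
        listen 80;

        location ~* ^/api/v1/ {
            limit_req zone=zoneB burst=3 nodelay;
            # A 429 produced by limit_req is handed to the named location below,
            # which builds the JSON reply; the 429 status is kept.
            error_page 429 = @ratelimited;
            proxy_pass http://127.0.0.1:8090;   # placeholder upstream
        }

        location @ratelimited {
            default_type application/json;
            return 429 '{"code":419,"status":"failed","message":"too many requests"}';
        }
    }
}
```

One caveat on the map: it trusts X-Connecting-Ip unconditionally, so this nginx instance must only be reachable through the shield that sets the header. If clients can reach nginx directly, a client can supply its own X-Connecting-Ip and thereby choose which rate-limit bucket it is counted in; restricting inbound traffic to the shield's addresses is what keeps the key trustworthy.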

Speed limit

...

Concurrent limit

...

Custom error codes and error pages

...

Other

A debugging tool for the regular expressions used in nginx location and map directives:

docker run -p8080:80 -d --name nginx-regex-tester ruanzx/nginx-regex-tester

Source: www.cnblogs.com/morya/p/12079581.html