Two ways of rate limiting in Nginx

When designing a system we usually estimate its load, but once the system is exposed to the public network, malicious attacks or legitimate traffic bursts may overwhelm it, so rate limiting is one of the safeguards. Rate limiting means controlling the flow of requests; this article records the two ways of configuring rate limiting in Nginx.

"Rate limiting" in everyday life

Rate limiting is nothing new; it is found everywhere in everyday life, for example:

  • Museums: limit the total number of visitors per day to protect the exhibits.
  • High-speed rail security checks: there are several checkpoints, passengers queue up, and staff decide based on the speed of the checks whether to let people through. On holidays, more checkpoints can be opened to increase processing capacity (horizontal scaling), and the waiting area can be enlarged (buffering the tasks waiting to be processed).
  • Bank counters: everyone takes a number first, and each window calls the next number. Each window's speed depends on the customer's business, and everyone waits in line until their number is called. If the bank closes for the day before your turn, you are told to come back tomorrow (rejecting traffic).
  • Dam spillway: the dam controls the spillway speed through its gates (controlling the processing speed). There are many more examples of "rate limiting"; it lets service providers keep their services stable for customers.

Nginx rate limiting

Nginx provides two ways of rate limiting: one controls the request rate, the other controls the number of concurrent connections.

Controlling the rate

Normal rate limiting

The ngx_http_limit_req_module module provides the ability to limit the request processing rate, using the leaky bucket algorithm. The following example uses the two nginx directives limit_req_zone and limit_req to limit the request processing rate of a single IP.

Add the rate limiting configuration to the http block of nginx.conf:

Syntax: limit_req_zone key zone=name:size rate=rate;

http {
    limit_req_zone $binary_remote_addr zone=myRateLimit:10m rate=10r/s;
}

In the server block, apply the limit with the limit_req directive:

server {
    location / {
        limit_req zone=myRateLimit;
        proxy_pass http://my_upstream;
    }
}
  • key: defines the object being limited. $binary_remote_addr is a key that limits based on the client IP (REMOTE_ADDR); the binary_ form is used to reduce the memory footprint.
  • zone: defines a shared memory area for storing access information. myRateLimit:10m defines a 10M area named myRateLimit. 1M of memory can hold the access information of about 16,000 IP addresses, so 10M can hold about 160,000.
  • rate: sets the maximum access rate; rate=10r/s means at most 10 requests per second. Nginx actually tracks requests at millisecond granularity, so 10r/s really means: process one request every 100 milliseconds. That is, once a request has been accepted, any further request arriving within the next 100 milliseconds is refused.

Handling bursty traffic

With the 10r/s limit above, a sudden increase in legitimate traffic means the extra requests are rejected and the burst cannot be handled. The burst parameter can be combined with the rate to solve this.

server {
    location / {
        limit_req zone=myRateLimit burst=20;
        proxy_pass http://my_upstream;
    }
}

burst means a sudden surge; it is the number of additional requests that may be accepted beyond the configured processing rate. With rate=10r/s, one second is split into 10 slots, and one request can be handled every 100ms.

Here burst=20: if 21 requests arrive at the same time, Nginx processes the first one, queues the remaining 20, and then takes one request from the queue every 100ms. If more than 21 requests arrive, the excess requests are refused and 503 is returned directly.

However, using the burst parameter alone is not practical. Suppose burst=50 and rate is still 10r/s. Although one request is taken from the 50-request queue every 100ms, the 50th request has to wait 50 * 100ms = 5s, which is an unacceptably long processing time.

Therefore burst is usually used together with nodelay.

server {
    location / {
        limit_req zone=myRateLimit burst=20 nodelay;
        proxy_pass http://my_upstream;
    }
}

The nodelay parameter works together with burst: burst=20 nodelay means these 20 requests are processed immediately, without being delayed. However, even after the 20 burst requests have been processed at once, subsequent requests are not processed immediately. burst=20 corresponds to 20 slots in the buffer queue; although a request in a slot is processed immediately, each of the 20 slots is released only once every 100ms.

This achieves a steady rate while still handling sudden traffic properly.
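To make the rate, burst and nodelay behaviour above concrete, here is a small model of the accounting that ngx_http_limit_req_module performs. It is an added example written for this page, not nginx source and not the article author's code. Per key it keeps an "excess" counter in thousandths of a request that drains at the configured rate and grows by 1000 for every arriving request; a request is refused when the excess would exceed burst, and otherwise delayed (unless nodelay is set) by the time the excess ahead of it needs to drain. Timestamps and the client key are constructed inputs.

```python
"""Model of the limit_req accounting described above (added illustration,
not nginx code). Keys, timestamps and rates are constructed sample input."""


class LimitReq:
    """One limit_req zone with rate=<rate_rps>r/s, burst=<burst>, nodelay."""

    def __init__(self, rate_rps, burst=0, nodelay=False):
        self.rate_rps = rate_rps          # drains rate_rps thousandths per ms
        self.burst_x1000 = burst * 1000   # burst, in thousandths of a request
        self.nodelay = nodelay
        self.state = {}                   # key -> (last_ms, excess_x1000)
        # Real nginx bounds this table by the zone size (10m above) and
        # evicts old keys; this model simply lets it grow.

    def request(self, key, now_ms):
        """Account one request arriving at now_ms.

        Returns ("ok", delay_ms) when accepted (delay_ms is how long the
        request is held before being proxied) or ("reject", 0) when the
        bucket would overflow (nginx then answers limit_req_status, 503 by
        default).
        """
        if key not in self.state:
            # First request for this key: accepted at once with excess 0.
            self.state[key] = (now_ms, 0)
            return ("ok", 0)
        last_ms, excess = self.state[key]
        elapsed = max(0, now_ms - last_ms)
        # Drain what the elapsed time allows, then add this request.
        excess = max(0, excess - self.rate_rps * elapsed + 1000)
        if excess > self.burst_x1000:
            # Rejected requests do not update the stored state.
            return ("reject", 0)
        self.state[key] = (now_ms, excess)
        if self.nodelay:
            return ("ok", 0)
        # Wait until the excess queued ahead of this request has drained.
        return ("ok", excess // self.rate_rps)


def simulate(limiter, key, arrival_times_ms):
    """Feed arrivals (ms timestamps, non-decreasing) and return the outcomes."""
    return [limiter.request(key, t) for t in arrival_times_ms]


if __name__ == "__main__":
    client = "203.0.113.9"  # constructed sample client address
    # 22 requests from one client at the same instant, rate=10r/s burst=20:
    # 21 accepted (delays 0, 100, ..., 2000 ms), the 22nd refused.
    print(simulate(LimitReq(10, burst=20), client, [0] * 22))
    # Same burst with nodelay: no waiting, but the 22nd is still refused.
    print(simulate(LimitReq(10, burst=20, nodelay=True), client, [0] * 22))
    # No burst: requests 50 ms apart, only every other one gets through.
    print(simulate(LimitReq(10), client, [0, 50, 100, 150, 200]))
```

Running the three scenarios reproduces the article's numbers: with burst=50 the 51st simultaneous request is accepted but delayed 5000 ms, and with nodelay a client that has filled all 20 slots at t=0 is refused again at t=50 ms and accepted only at t=100 ms, when one slot has been released.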

Limiting the number of connections

ngx_http_limit_conn_module provides the ability to limit the number of connections, using the two directives limit_conn_zone and limit_conn. Here is an example from the official Nginx documentation:

limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}

limit_conn perip 10 works on the key $binary_remote_addr and means a single IP may hold at most 10 connections at the same time.

limit_conn perserver 100 works on the key $server_name and limits the total number of concurrent connections a virtual host (server) can handle at the same time.

Note: a connection is counted only once the request header has been processed by the backend server.

Whitelist

Rate limiting mainly targets external access; access from the internal network is relatively safe and does not need to be limited, which can be achieved with a whitelist. In Nginx this is done with the ngx_http_geo_module and ngx_http_map_module modules.

Configure the whitelist in the http block of nginx.conf:

geo $limit {
    default 1;
    10.0.0.0/8 0;
    192.168.0.0/24 0;
    172.20.0.35 0;
}
map $limit $limit_key {
    0 "";
    1 $binary_remote_addr;
}
limit_req_zone $limit_key zone=myRateLimit:10m rate=10r/s;

In the geo block, a whitelisted IP (or IP subnet) gets the value 0; everything else gets the default value 1.

The map block converts $limit into $limit_key: if $limit is 0 (whitelisted), it returns the empty string; if it is 1, it returns the client's real IP.

The limit_req_zone key no longer uses $binary_remote_addr directly but takes its value dynamically from $limit_key. For a whitelisted client the limit_req_zone key is the empty string and no limiting is applied; otherwise the client's real IP is limited.
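The following model shows how $limit and $limit_key are derived for a client address by the geo and map blocks above, and why a whitelisted client escapes the limit (limit_req_zone does not account requests whose key is empty). It is an added example written for this page, not nginx code and not the article author's. The geo table is a dict so it generalizes beyond the page's three entries, including a more specific entry overriding a wider one as the geo module's longest-prefix matching allows; the client addresses used are constructed, and the text form of the IP stands in for $binary_remote_addr.

```python
"""Model of the geo + map whitelist configuration above (added illustration,
not nginx code). Client addresses below are constructed sample input."""
import ipaddress

# The geo block from the configuration above (value 0 = whitelisted).
GEO_LIMIT = {
    "default": 1,
    "10.0.0.0/8": 0,
    "192.168.0.0/24": 0,
    "172.20.0.35": 0,
}


def geo_lookup(client_ip, table=GEO_LIMIT):
    """Return the geo value ($limit) for client_ip.

    As in nginx's geo module, the longest matching prefix wins and a bare
    address is a /32 (or /128) entry; no match yields the default.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_value = None, table.get("default")
    for entry, value in table.items():
        if entry == "default":
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_value = net, value
    return best_value


def limit_key(client_ip, table=GEO_LIMIT):
    """Return $limit_key as the map block derives it from $limit.

    0 -> "" (not accounted by limit_req_zone), 1 -> the client address
    (nginx would use $binary_remote_addr; the text form is used here).
    """
    return "" if geo_lookup(client_ip, table) == 0 else client_ip


def is_rate_limited(client_ip, table=GEO_LIMIT):
    """True when limit_req_zone will account this client at all."""
    return limit_key(client_ip, table) != ""


if __name__ == "__main__":
    for ip in ["10.20.30.40", "192.168.0.7", "192.168.1.7",
               "172.20.0.35", "203.0.113.9"]:
        print(ip, "limit_key=%r" % limit_key(ip),
              "limited" if is_rate_limited(ip) else "whitelisted")
```

One check worth running against any whitelist: 192.168.0.0/24 as written covers only 192.168.0.0 to 192.168.0.255, so a client at 192.168.1.7 is still limited; a /16 would be needed to cover the whole 192.168 range.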

Further Reading

In addition to rate limiting, ngx_http_core_module also provides the ability to limit the data transfer rate (commonly called the download speed).

For example:

location /flv/ {
    flv;
    limit_rate_after 20m;
    limit_rate       100k;
}

This limit applies per request: limit_rate_after 20m means the first 20M sent to the client are not rate-limited; after that the transfer is limited to 100KB/s until the download ends. Finally:

Like many of you, I also spent a lot of time collecting materials, only to find that much of it was duplicated! I organized all of the above myself! Now that my BAT dream has come true, I'll share the materials with anyone who needs them! Also, please follow me, haha ~ after following, send me a private message [Java] and you can receive them for free. Link: chenyongjun.vip/articles/81...


Source: juejin.im/post/5e478cf45188254963275538