2025-03-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how nginx implements request limiting. Most people are not very familiar with it, so it is shared here for reference.
I. Background
We often run into situations such as abnormal server traffic or overload. Malicious high-volume access wastes bandwidth, puts pressure on the server, and affects the business, so it is common to limit the number of connections and the concurrency allowed from the same IP.
The http_limit_conn_module module does this. It limits the number of connections per key value according to the keys you define, for example the number of connections from a single IP source. Not all connections are counted by the module: only requests that are being processed (whose header information has been fully read) are counted.
The http_limit_req_module module limits the frequency of request processing per defined key value. In particular, it can limit the frequency of request processing from a single IP address. The limiting works like a funnel: a fixed number of requests is processed per second and excess requests are delayed.
II. Configuration syntax
1. http_limit_conn_module directives
limit_conn_zone
Syntax: limit_conn_zone $variable zone=name:size
Default value: none
Configuration segment: http
This directive describes the session state storage area. The current number of connections is kept in the state for each key, and the key can be any non-empty value of a given variable (empty values are not counted). $variable defines the key, and zone=name defines the zone name, which is referenced by the limit_conn directive described below. size defines the size of the shared memory space that holds the key states. For example:
    limit_conn_zone $binary_remote_addr zone=addr:10m;
Note: the client's IP address is used as the key. The $binary_remote_addr variable is used here instead of the $remote_addr variable.
The length of the $remote_addr variable is from 7 bytes to 15 bytes, and the stored state occupies 32 or 64 bytes on 32-bit platforms and 64 bytes on 64-bit platforms.
The length of the $binary_remote_addr variable is a fixed 4 bytes, and the stored state occupies 32 or 64 bytes on 32-bit platforms and 64 bytes on 64-bit platforms.
1m of space can hold 32000 32-byte states or 16000 64-byte states.
If the shared memory space is exhausted, the server returns a 503 (Service Temporarily Unavailable) error for all subsequent requests.
The limit_zone directive has the same meaning as limit_conn_zone and has been deprecated, so it is not covered here.
limit_conn_log_level
Syntax: limit_conn_log_level info | notice | warn | error
Default value: error
Configuration segment: http, server, location
The level at which the log is recorded when the maximum number of connections is reached.
limit_conn
Syntax: limit_conn zone_name number
Default value: none
Configuration segment: http, server, location
Specifies the maximum number of simultaneous connections for each given key value. A 503 (Service Temporarily Unavailable) error is returned when this number is exceeded. For example:
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        location /www.baidu.com/ {
            limit_conn addr 1;
        }
    }
Only one connection at a time is allowed from the same IP.
When multiple limit_conn directives are configured, all of the connection limits take effect. For example, the following configuration limits not only the number of connections from a single IP source, but also the total number of connections to a single virtual server:
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;
    server {
        limit_conn perip 10;
        limit_conn perserver 100;
    }
Warning: the limit_conn directive can be inherited from the parent configuration level.
limit_conn_status
Syntax: limit_conn_status code
Default value: limit_conn_status 503
Configuration segment: http, server, location
This directive was introduced in version 1.3.15. It specifies the status code to return when the limit is exceeded. The default is 503.
limit_rate
Syntax: limit_rate rate
Default value: 0
Configuration segment: http, server, location, if in location
The rate limit for each connection. The rate parameter is in bytes per second, and setting it to 0 turns the limit off. The limit applies per connection, not per IP, so if a client opens two connections at the same time, its overall rate is twice the value set by this directive.
Complete example configuration
    http {
        limit_conn_zone $binary_remote_addr zone=limit:10m;
        limit_conn_log_level info;
        server {
            location ^~ /download/ {
                limit_conn limit 4;
                limit_rate 200k;
                # the directive name is missing on the page; alias is assumed here
                alias /data/www.baidu.com/download/;
            }
        }
    }
Notes
Everything has two sides. Although the http_limit_conn_module module can solve the immediate concurrency problem, it introduces others. For example, if LVS or a reverse proxy sits in front and this module is enabled on the back end, the back end may see requests arriving from the front end's address rather than the clients', so many clients share one key and the result is a large number of 503 errors. In that case, enable the module on the front end instead, or set up a whitelist; whitelist configuration is covered in a later document.
2. http_limit_req_module directives
limit_req_zone
Syntax: limit_req_zone $variable zone=name:size rate=rate
Default value: none
Configuration segment: http
Sets a shared memory zone that holds the state for each key value, in particular the current number of excess requests. The key is the value of the specified variable (empty values are not counted). For example:
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
Description: the zone name is one, its size is 10m, and requests are processed at an average frequency of no more than one per second.
The key value is the client IP.
Using the $binary_remote_addr variable reduces the size of each state record to 64 bytes, so 1m of memory can hold about 16,000 64-byte records.
If the storage space of the zone runs out, the server returns a 503 (Service Temporarily Unavailable) error for all subsequent requests.
The rate can be set in requests per second or requests per minute, and the value must be an integer, so if you need less than one request per second, specify the rate per minute, for example "30r/m".
limit_req_log_level
Syntax: limit_req_log_level info | notice | warn | error
Default value: limit_req_log_level error
Configuration segment: http, server, location
Sets the log level used when the server rejects or delays requests because the frequency is too high. Delays are logged one level lower than rejections; for example, if "limit_req_log_level notice" is set, delays are logged at info level.
limit_req_status
Syntax: limit_req_status code
Default value: limit_req_status 503
Configuration segment: http, server, location
This directive was introduced in version 1.3.15. It sets the response status code for rejected requests.
limit_req
Syntax: limit_req zone=name [burst=number] [nodelay]
Default value: -
Configuration segment: http, server, location
Sets the shared memory zone to use and the threshold for the maximum number of requests allowed to be processed. If the frequency of requests exceeds the value configured for the zone, request processing is delayed, so all requests are processed at the defined frequency. Requests that exceed the frequency limit are delayed until the number of delayed requests exceeds the defined threshold, at which point the request is terminated with a 503 (Service Temporarily Unavailable) error. The default value for this threshold is 0. For example:
    limit_req_zone $binary_remote_addr zone=creq:10m rate=1r/s;
    server {
        location /www.baidu.com/ {
            limit_req zone=creq burst=5;
        }
    }
The average is limited to no more than one request per second, and no more than 5 requests are allowed to exceed the frequency limit.
If you do not want the excess requests to be delayed, use the nodelay parameter, for example:
    limit_req zone=ttlsa_com burst=5 nodelay;
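The rate, burst and nodelay behaviour described above can be traced with a small simulation. This is an added example, not code from the original article or from nginx: a simplified single-key model of the excess-request accounting, run on a constructed arrival timeline, with the names simulate and count chosen here for illustration.

```python
from collections import Counter

def simulate(arrivals_ms, rate_per_s, burst=0, nodelay=False):
    """Return (arrival_ms, verdict, delay_ms) per request for one key.

    Simplified model (assumption): "excess" is tracked in thousandths of a
    request, drains at the configured rate, and grows by one per request.
    """
    rate = rate_per_s * 1000          # milli-requests drained per second
    limit = burst * 1000              # burst threshold, default 0
    excess, last, out = 0, None, []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0            # first request seen for this key
        else:
            elapsed = max(now - last, 0)
            new_excess = max(excess - rate * elapsed // 1000 + 1000, 0)
        if new_excess > limit:
            # answered with limit_req_status (503 by default); not accounted
            out.append((now, "rejected", 0))
            continue
        excess, last = new_excess, now
        # without nodelay the request waits until it fits the configured rate
        delay = 0 if nodelay else new_excess * 1000 // rate
        out.append((now, "delayed" if delay else "passed", delay))
    return out

def count(results):
    """Tally verdicts, e.g. {'passed': 1, 'delayed': 6, 'rejected': 2}."""
    return dict(Counter(verdict for _, verdict, _ in results))

if __name__ == "__main__":
    # Constructed timeline: 8 requests at t=0, one more at t=1000 ms.
    timeline = [0] * 8 + [1000]
    for label, kwargs in (("burst=5", {"burst": 5}),
                          ("burst=5 nodelay", {"burst": 5, "nodelay": True}),
                          ("no burst", {})):
        print(label, count(simulate(timeline, 1, **kwargs)))
```

In this model burst=5 admits six back-to-back requests (one at the rate plus five excess) before rejecting, and nodelay changes only how long the admitted ones wait, not how many are admitted.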
Complete example configuration
    http {
        limit_req_zone $binary_remote_addr zone=creq:10m rate=1r/s;
        server {
            location ^~ /download/ {
                limit_req zone=creq burst=5;
                # the directive name is missing on the page; alias is assumed here
                alias /data/www.baidu.com/download/;
            }
        }
    }
Some IPs may need to be exempt from the limits, and for that you need to use whitelists.