2025-01-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to use Nginx's limit_req_zone directive to rate-limit requests coming from the same IP address.
nginx can use the limit_req_zone directive of the ngx_http_limit_req_module module to limit access and keep users from maliciously attacking the server. The ngx_http_limit_req_module module is installed by default with nginx, so you can configure it directly.
First, add the following to the http block of nginx.conf:
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
Note: the zone name is one (you choose it), the zone size is 10m, and the average rate of processed requests cannot exceed one per second.
$binary_remote_addr is the binary form of $remote_addr (the client IP) and takes a fixed 4 bytes (probably the length of the C long type). $remote_addr is stored as a string and takes 7-15 bytes. So $binary_remote_addr appears to save space; some sources online say it occupies 64 bytes on 64-bit systems, which I have not been able to confirm. In short, prefer $binary_remote_addr.
Second, add the following to a server block inside the http block:
location ~* \.htm$ {
    limit_req zone=one burst=5 nodelay;
    proxy_pass http://backend_tomcat;
}
Here I rate-limit requests whose URI ends in htm. Note the line limit_req zone=one burst=5 nodelay;
where zone=one refers to the zone defined earlier.
burst is explained in various ways on the Internet, but from my own experiments I found those explanations are not accurate. It is better described as the length of a buffer queue.
nodelay literally means no delay: requests are not held back but processed immediately. For example, I defined rate=1r/s above, i.e. only 1 request per second. If two requests with the htm suffix arrive at the same time, both are processed immediately when nodelay is set. If nodelay is not set, rate=1r/s is strictly enforced: only one request is processed, and the other is processed in the next second. To the user, the page visibly stalls and finishes loading a second later.
The settings that actually determine the limit are rate=1r/s and burst=5. Let's analyze a specific case.
Suppose two requests reach nginx at the same moment: one is processed and the other is placed in the buffer queue. Because nodelay is configured, the second request is also processed immediately, but it still occupies one slot of the buffer queue. If no request arrives in the next second, that slot is released; otherwise it stays occupied. Once more than 5 slots would be occupied, nginx rejects the request outright and returns a 503 error code.
So if two more requests arrive in the second second, one of them takes another burst slot, and the same happens in the third, fourth and fifth seconds. Both requests are processed each time (because nodelay is configured), but one of them still occupies a burst slot, so after five seconds the whole burst length of 5 is occupied. When two more requests arrive in the sixth second, one of them is rejected.
This is my inference from actual test results. It may differ from the real theory, but I find it easier to understand. Corrections from anyone who knows better are welcome!
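The scenario above can be replayed with a small model of the accounting. This is an added example, not code from the original article or from nginx; it assumes the limiter tracks a per-client "excess" in thousandths of a request that drains at the configured rate, and the names simulate and TRAFFIC are constructed for the illustration.

```python
# Simplified model of limit_req accounting for a single client key (added example).
RATE_MILLI = 1000       # rate=1r/s, expressed in thousandths of a request per second
BURST_MILLI = 5 * 1000  # burst=5


def simulate(arrivals_ms, rate=RATE_MILLI, burst=BURST_MILLI, nodelay=True):
    """Return one (t_ms, status, excess, delay_ms) tuple per request."""
    excess, last, out = 0, None, []
    for t in arrivals_ms:
        if last is None:
            new_excess = 0  # first request from this key starts with an empty queue
        else:
            # Drain what the rate allows since the last accepted request, add this one.
            new_excess = max(excess - rate * (t - last) // 1000 + 1000, 0)
        if new_excess > burst:
            out.append((t, 503, new_excess, 0))  # rejected; stored state is unchanged
            continue
        excess, last = new_excess, t
        # Without nodelay the request waits until its share of the rate comes up.
        delay = 0 if nodelay else excess * 1000 // rate
        out.append((t, 200, excess, delay))
    return out


# Constructed traffic: two requests at the start of each second, for seven seconds.
TRAFFIC = [second * 1000 for second in range(7) for _ in range(2)]

if __name__ == "__main__":
    for t_ms, status, excess, delay in simulate(TRAFFIC):
        print(f"t={t_ms:>4}ms status={status} excess={excess / 1000:.0f} delay={delay}ms")
```

Running it shows the queue filling by one slot per second and the first 503 on the second request of the sixth second, which agrees with the inference above.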
$binary_remote_addr is appropriate here only when there is no proxy layer between the client and nginx. If a CDN sits in front of nginx, $binary_remote_addr holds the IP address of the CDN, and limiting on it is wrong. The limit has to be keyed on the user's real IP.
A brief sketch follows:
## Get the original user's IP address here
map $http_x_forwarded_for $clientRealIp {
    "" $remote_addr;
    ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
}
## Rate-limit on the original user's IP address
limit_req_zone $clientRealIp zone=one:10m rate=1r/s;
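The left-most X-Forwarded-For entry is whatever the sender put there, so the key is only trustworthy when the header was written by your own proxy. The added example below (not from the original article) compares the map's choice with taking the right-most address that is not one of your proxies; the TRUSTED_PROXIES range, the sample requests and the assumption that the CDN appends the address it saw are all constructed.

```python
import ipaddress
import re

# Assumption: placeholder range standing in for the CDN's published egress networks.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# Same pattern as the map block above.
FIRST_ADDR = re.compile(r"^(?P<firstAddr>[0-9.]+),?.*$")


def key_first_entry(xff, remote_addr):
    """Mirror the map: empty header -> $remote_addr, otherwise the left-most entry."""
    if not xff:
        return remote_addr
    m = FIRST_ADDR.match(xff)
    # No match leaves the map variable empty; limit_req does not account empty keys.
    return m.group("firstAddr") if m else ""


def _trusted(addr):
    """True/False for a parseable address, None when addr is not an IP at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in TRUSTED_PROXIES)


def key_rightmost_untrusted(xff, remote_addr):
    """Walk the chain right to left; stop at the first hop that is not our proxy."""
    key = remote_addr
    if not _trusted(key):
        return key  # peer is not the CDN: ignore the header entirely
    for hop in reversed([h.strip() for h in (xff or "").split(",")]):
        verdict = _trusted(hop)
        if verdict is None:
            break  # unparseable entry: keep the last verified address
        key = hop
        if not verdict:
            break  # first address outside our proxies is the client as the CDN saw it
    return key


# Constructed requests: (peer address seen by nginx, X-Forwarded-For header value)
SAMPLES = [
    ("203.0.113.10", "198.51.100.7"),             # via CDN, header set by the CDN only
    ("203.0.113.10", "192.0.2.1, 198.51.100.7"),  # client sent its own entry, CDN appended
    ("198.51.100.7", "192.0.2.55"),               # peer is not a CDN address
]
RESULTS = [(key_first_entry(x, p), key_rightmost_untrusted(x, p)) for p, x in SAMPLES]
```

In nginx itself, this right-to-left selection is what the realip module's set_real_ip_from, real_ip_header and real_ip_recursive directives perform.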
Similarly, the limit module can be used to rate-limit web crawlers. Requests with an empty key are not counted by limit_req, so only requests whose User-Agent matches (and therefore sets $anti_spider) are limited.
In the http block:
limit_req_zone $anti_spider zone=anti_spider:10m rate=1r/s;
In the server block:
location / {
    limit_req zone=anti_spider burst=2 nodelay;
    if ($http_user_agent ~* "spider|Googlebot") {
        set $anti_spider $http_user_agent;
    }
}
You can test it with curl -I -A "Baiduspider" www.remotejob.cn/notice.jsp