
How to implement rate limiting in Nginx

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to implement rate limiting in Nginx.

Nginx is now one of the most popular load balancers. As Internet traffic grows sharply, interfaces need to be rate limited, especially in high-concurrency scenarios. Nginx offers two main ways to limit traffic: limiting the access frequency (request rate) and limiting the number of concurrent connections.

Rate limiting is the most useful of NGINX's many features, and it is also one of the features most often misunderstood and misconfigured. It limits the number of HTTP requests that a user can make in a given period of time. A request can be as simple as a GET request for the home page or a POST request for a login form.

Rate limiting can also be used for security purposes, such as slowing down brute-force password-guessing attacks. It helps protect against DDoS attacks by limiting the rate of incoming requests and (in conjunction with logging) identifying the targeted URLs. Generally speaking, rate limiting is used to protect upstream application servers from being overwhelmed by a large number of simultaneous user requests.

How NGINX rate limiting works

NGINX rate limiting uses the leaky bucket algorithm, which is widely used in telecommunications and packet-switched computer networks to deal with bursts when bandwidth is limited. The analogy is a bucket that takes in water at the top and leaks from the bottom; if water enters faster than it leaks out, the bucket overflows.

In request processing, the water represents requests from clients, and the bucket represents a queue in which requests wait to be processed in first-in, first-out (FIFO) order. The leaking water represents requests leaving the buffer to be processed by the server, and the overflow represents requests that are discarded and never served.

1. Limit the access frequency (normal traffic)

In Nginx, the ngx_http_limit_req_module module limits the request rate, and it is based on the leaky bucket algorithm. Below, the limit_req_zone and limit_req directives are used to limit the request processing rate of a single IP.

Syntax: limit_req_zone key zone rate

Key: defines the object being limited. $binary_remote_addr keys the limit on remote_addr (the client IP); the binary_ form reduces memory usage.

Zone: defines a shared memory zone that stores access state. myRateLimit:10m means a 10 MB zone named myRateLimit. 1 MB can store state for 16,000 IP addresses, so 10 MB can store state for 160,000 IP addresses.

Rate: sets the maximum request rate; rate=10r/s means at most 10 requests are processed per second. Nginx actually tracks requests at millisecond granularity, so 10r/s really means one request is processed every 100 ms. If another request arrives within 100 milliseconds of the previous request being processed, it is rejected.

2. Limit the access frequency (burst traffic)

With the configuration described above, excess requests are rejected when traffic suddenly increases, so burst traffic cannot be handled. Nginx provides the burst parameter to solve this, and it is used together with the nodelay parameter. burst sets the number of additional requests that can be accepted after the configured processing rate is exceeded.

burst=20 nodelay means that these 20 requests are processed immediately, without delay, which amounts to handling them as a special case. However, even though the 20 burst requests are processed immediately, subsequent requests are not. burst=20 is equivalent to 20 slots in the queue, and even after a request has been processed, the slots are only released at a rate of one every 100 ms. The result is a stable overall rate that can still handle sudden bursts normally.
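A configuration matching the parameters described in sections 1 and 2, given here as an added example that is not part of the original article. The zone name, size, rate and burst values come from the text; the location paths, the `backend` upstream address and the choice of status 429 are assumptions.

```nginx
http {
    # Key: client IP in binary form; zone: 10 MB named myRateLimit;
    # rate: 10 requests per second (one every 100 ms).
    # Note: $binary_remote_addr is the directly connected peer, so behind
    # a proxy or CDN all clients would share one bucket.
    limit_req_zone $binary_remote_addr zone=myRateLimit:10m rate=10r/s;

    # Assumed upstream application server (placeholder address).
    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 80;

        # Answer rejected requests with 429 instead of the default 503,
        # and log rejections at "warn" so they are easy to find.
        limit_req_status 429;
        limit_req_log_level warn;

        # Section 1: strict limit, no burst. A second request arriving
        # less than 100 ms after the previous one is rejected.
        # Suits a login form, where slowing guessing is the goal.
        location /login {
            limit_req zone=myRateLimit;
            proxy_pass http://backend;
        }

        # Section 2: up to 20 excess requests are accepted and served
        # immediately (nodelay); their slots free up one per 100 ms.
        location / {
            limit_req zone=myRateLimit burst=20 nodelay;
            proxy_pass http://backend;
        }
    }
}
```

Run `nginx -t` to validate the file before reloading.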

3. Limit the number of concurrent connections

Nginx's ngx_http_limit_conn_module module limits the number of connections, using the limit_conn_zone and limit_conn directives.

limit_conn perip 20: the corresponding key is $binary_remote_addr, which means that a single IP can hold at most 20 connections at the same time. limit_conn perserver 100: the corresponding key is $server_name, which sets the total number of concurrent connections that the virtual host (server) can handle at the same time. Note that a connection is counted only once its request header has been processed by the back-end server.
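The two limits above written out as a configuration, added here as an example that is not part of the original article. The zone names perip and perserver and the limits 20 and 100 come from the text; the 10m zone sizes, the server name, the back-end address and the 429 status are assumptions.

```nginx
http {
    # One zone keyed by client IP, one keyed by virtual host name.
    # Zone sizes are assumed values.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name        zone=perserver:10m;

    server {
        listen 80;
        server_name example.com;   # placeholder name

        # At most 20 simultaneous connections from a single IP.
        limit_conn perip 20;
        # At most 100 simultaneous connections for this virtual host.
        limit_conn perserver 100;

        # Answer rejected connections with 429 instead of the default 503,
        # and log them at "warn".
        limit_conn_status 429;
        limit_conn_log_level warn;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder back end
        }
    }
}
```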
