How to limit the number of IP accesses in redis

Sometimes we need to limit the frequency of access to an api or page, such as how many times a single IP or a single user can access in one minute. Similar requirements can be easily achieved with Redis.

Strategy 1:

Save a count value (int) in redis, the key is user:$ip, and the value is the number of times the ip has been accessed. When setting the key for the first time, set expires.

Before adding 1 to the count, determine whether the key exists. If it does not exist, there are two situations: 1. The IP has not been accessed; 2. The IP has been accessed, but the key has expired. Then you need to set expires again at this time.

If the user accesses, determine whether the value of count is greater than the upper limit. If it is lower than the upper limit, process the request, otherwise, refuse to process the request.

Strategy 2:

Consider this situation, assuming that users are only allowed to access 100 times within 60 seconds. If a user accesses 1 time in the 1st second, in the 59th At 61 seconds, it was accessed 99 times, and then at 61 seconds, it was accessed 100 times.

If processed according to policy 1, 100 requests were received between the 1st and 60th seconds, and 100 requests were received at the 61st second, so during the period 62~120, the IP will no longer be processed. ask.

It seems to be no problem, but if you think about it carefully, 99 100 = 199 requests were accepted between the 59th and 61st seconds, and the time interval is only 3 seconds. In this case, there is a problem with the original design.

Solution: You can use the list (bidirectional queue) data structure of redis. The key is user:$ip, that is, a bidirectional queue is set up for each ip. Every time a request arrives, the following judgment is made:

1. If the number of elements in the list is less than 100, then the timestamp Lpush when the request arrives is added to the list.

2. If there are more than 100 elements in the list, then take out Lindex (-1), which is the rightmost one, which is the timestamp of the earliest request among the 100 requests. If the earliest timestamp If the difference from the current timestamp is more than 60 seconds, it means that the first request has expired, and the first request will be dequeued Rpop. Then enqueue the current timestamp to Lpush.

For more redis knowledge, please pay attention to the redis introductory tutorial column.

The above is the detailed content of How to limit the number of IP accesses in redis. For more information, please follow other related articles on the PHP Chinese website!