Home  >  Article  >  Operation and Maintenance  >  How Nginx limits http resource requests

How Nginx limits http resource requests

王林
王林forward
2023-05-17 12:16:061025browse

Prerequisite: nginx needs to have the ngx_http_limit_conn_module and ngx_http_limit_req_module modules. You can use the command 2>&1 nginx -v | tr ' ' '\n'|grep limit to check whether there are corresponding modules. If not, please recompile and install these two module.

The test version is: nginx version is 1.15

Limit the number of links

1. Use The limit_conn_zone directive defines the key and sets parameters for the shared memory zone (worker processes will use this zone to share a counter of key values). The first parameter specifies the expression to be evaluated as the key. The second parameter zone specifies the name and size of the zone:

limit_conn_zone $binary_remote_addr zone=addr:10m;

2. Use the limit_conn directive in the context of location {}, server {} or http {} to apply the limit. The first parameter is the value set above. The specified shared memory area name. The second parameter is the number of links allowed for each key:

location /download/ {
 limit_conn addr 1;
}

When using the $binary_remote_addr variable as a parameter, it is based on the restriction of the ip address. You can also use the $server_name variable. Limit the number of connections to a given server:

http {
 limit_conn_zone $server_name zone=servers:10m;

 server {
 limit_conn servers 1000;
 }
}

Limit request rate

Rate limiting can be used to prevent ddos, cc attacks, or to prevent upstream servers from being attacked at the same time Flooded with too many requests. This method is based on the leaky bucket algorithm, where requests arrive at the bucket at various rates and leave the bucket at a fixed rate. Before using rate limiting, you need to configure the global parameters of the "leaky bucket":

  • key - a parameter used to distinguish one client from another, usually the variable

  • shared memory zone - The name and size of the zone that holds the state of these keys (i.e. the "leaky bucket")

  • rate - Number of requests per second ( The request rate limit specified in r/s) or requests per minute (r/m) ("leaky bucket draining"). Requests per minute specifies a rate of less than one request per second.

These parameters are set using the limit_req_zone directive. This directive is defined at the http {} level - this approach allows applying different zones and requesting overflow parameters to different contexts:

http {
 #...

 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}

With this configuration, a 10m bytes size with the name one will be created Shared memory area. This area holds the state of the client ip address set using the $binary_remote_addr variable. Note that $remote_addr also contains the client's IP address, while $binary_remote_addr holds a shorter binary representation of the IP address.

The optimal size of the shared memory area can be calculated using the following data: The value size of $binary_remote_addr ipv4 address is 4 bytes, and the storage state on 64-bit platforms takes up 128 bytes. Therefore, state information for approximately 16000 IP addresses takes up 1m bytes of this area.

If storage space is exhausted when nginx needs to add new entries, the oldest entries will be deleted. If the freed space is still not enough to accommodate the new record, nginx will return a 503 service unavailable status code, which can be redefined using the limit_req_status directive.

Once this zone is set, you can limit the request rate using the limit_req directive anywhere in the nginx configuration, especially server {}, location {} and http {} Context:

http {
 #...

 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

 server {
 #...

 location /search/ {
  limit_req zone=one;
 }
 }
}

Using the above configuration, nginx will process no more than 1 request per second under the /search/ route, and the way to delay processing these requests is that the total rate is no greater than the set rate. nginx will delay processing such requests until "bucket" (shared bucket one) is full. For requests to the full bucket, nginx will respond with a 503 service unavailable error (when limit_req_status does not have a custom set status code).

Limit bandwidth

To limit the bandwidth per connection, use the following limit_rate directive:

location /download/ {
 limit_rate 50k;
}

With this setting, the client Will be able to download content at speeds of up to 50k/sec over a single connection. However, clients can open multiple connections to bypass this limit. Therefore, if the goal is to prevent download speeds greater than a specified value, the number of connections should be limited as well. For example, one connection per IP address (if using the shared memory region specified above):

location /download/ {
 limit_conn addr 1;
 limit_rate 50k;
}

To impose a limit only after the client has downloaded a certain amount of data, use the limit_rate_after directive. It might be reasonable to allow the client to quickly download a certain amount of data (e.g. file header - movie index) and limit the rate at which the rest of the data is downloaded (making the user watch the movie instead of downloading).

limit_rate_after 500k;
limit_rate 20k;

The following example shows a combined configuration for limiting the number of connections and bandwidth. The maximum number of connections allowed is set to 5 connections per client address, which works for most common cases as modern browsers typically have a maximum of 3 connections open at a time. At the same time, the location provided for download only allows one connection:

http {
 limit_conn_zone $binary_remote_address zone=addr:10m

 server {
 root /www/data;
 limit_conn addr 5;

 location / {
 }

 location /download/ {
  limit_conn addr 1;
  limit_rate_after 1m;
  limit_rate 50k;
 }
 }
}

The above is the detailed content of How Nginx limits http resource requests. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete