Time window-based access control in Nginx reverse proxy

With the development of the Internet, more and more applications are deployed in the cloud. How to ensure the security and stability of cloud services has become a key issue. Among them, Nginx, as a high-performance web server and reverse proxy, is widely used in the deployment and management of cloud services. In practical applications, access needs to be restricted in some scenarios, such as frequently accessed IPs, malicious access requests, large-traffic access, etc. This article will introduce an access control method based on time windows to ensure the security and stability of cloud services by limiting the number of accesses within a certain period of time.

1. What is a time window

The time window refers to a method of limiting events within a certain period of time. In access control, access can be restricted based on time windows, for example: a maximum of 10 visits in 1 minute, a maximum of 100 visits in 5 minutes, a maximum of 1,000 visits in an hour, etc. The time window can be adjusted according to actual conditions and is flexible and customizable.

2. Time window access control in Nginx reverse proxy

1. Install the ngx_http_limit_req_module module

Before using nginx time window access control, you need to install it ngx_http_limit_req_module module. This module can control the frequency of arrival of client requests within the same time period. Usually when we install nginx, we will install this module at the same time. If it is not installed, you need to recompile and install nginx. The installation method is as follows:

$ wget http://nginx.org/download/nginx-1.14.0.tar.gz

$ tar zxvf nginx-1.14.0.tar.gz

$ cd nginx-1.14.0/

$ ./configure --prefix=/usr/local/nginx --add-module=../nginx-limit-req-module-master

$ make

$ sudo make install

2. Configure Nginx reverse proxy

In Add the following content to the Nginx reverse proxy configuration file:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server{
    ...
    location /{
        limit_req zone=one burst=5;
        proxy_pass http://backend;
    }
}

In this configuration, limit_req_zone defines the limit area one, where 10m is the memory size, which can be adjusted according to actual needs. rate=1r/s defines one request per second. Limit_req zone=one burst=5 is added to the location, which means that when the number of requests exceeds 1 second, the excess requests will be processed with a peak value of 5 requests in the subsequent time.

3. Verification time window access control

After the configuration is completed, you can use the ab tool to test, as follows:

$ ab -n 100 -c 10 http://localhost/

This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Finished 100 requests

This command means: send 100 requests, the number of concurrent requests is 10. Test results: If 10 requests are sent within 1 second, the remaining requests will be restricted and a 429 error will be generated, as follows:

$ ab -n 100 -c 10 http://localhost/

This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Finished 100 requests

Server Software:        nginx/1.14.0
Server Hostname:        localhost
Server Port:            80

Document Path:          /
Document Length:        0 bytes

Concurrency Level:      10
Time taken for tests:   0.062 seconds
Complete requests:      100
Failed requests:        9
   (Connect: 0, Receive: 0, Length: 0, Exceptions: 9)
Non-2xx responses:      9
Requests per second:    1617.28 [#/sec] (mean)
Time per request:       6.173 [ms] (mean)
Time per request:       0.617 [ms] (mean, across all concurrent requests)
Transfer rate:          0.00 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   0.2      1       1
Processing:     1    5   9.8      3      47
Waiting:        1    5   9.8      3      47
Total:          1    6   9.8      4      47

Percentage of the requests served within a certain time (ms)
  50%      4
  66%      5
  75%      5
  80%      6
  90%     15
  95%     47
  98%     47
  99%     47
 100%     47 (longest request)

3. Summary

Deployment of cloud services and management, access control is crucial. Through the time window-based access control in Nginx reverse proxy, access frequency can be effectively controlled to ensure the security and stability of cloud services. This method can not only limit high-frequency requests, but also limit malicious access requests, effectively improving the reliability and security of cloud services.

The above is the detailed content of Time window-based access control in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!