12.1 Limiting Connections

Problem

You need to limit the number of connections based on a predefined key, such as the client’s IP address.

Problem (translated from the Chinese edition)

Limit the number of request connections based on a given rule, such as the client IP address.


Solution

Construct a shared memory zone to hold connection metrics, and use the limit_conn directive to limit open connections:

http {
    limit_conn_zone $binary_remote_addr zone=limitbyaddr:10m;
    limit_conn_status 429;
    ...
    server {
        ...
        limit_conn limitbyaddr 40;
        ...
    }
}

This configuration creates a shared memory zone named limitbyaddr. The predefined key used is the client’s IP address in binary form. The size of the shared memory zone is set to 10 megabytes. The limit_conn directive takes two parameters: a limit_conn_zone name, and the number of connections allowed. The limit_conn_status directive sets the response when connections are limited to a status of 429, indicating too many requests. The limit_conn and limit_conn_status directives are valid in the HTTP, server, and location contexts.

Solution (translated from the Chinese edition)

Use the limit_conn_zone directive to build a memory zone that stores the current connection counts; then use the limit_conn directive to set the number of connections allowed:

http {
    limit_conn_zone $binary_remote_addr zone=limitbyaddr:10m;
    limit_conn_status 429;
    ...
    server {
        ...
        limit_conn limitbyaddr 40;
        ...
    }
}

The configuration creates a shared memory zone named limitbyaddr with a capacity of 10 MB, keyed by the client’s IP address in binary form. The limit_conn directive takes two parameters: the name limitbyaddr created by limit_conn_zone, and the number of connections allowed, 40. The limit_conn_status directive defines the response status code returned when the number of connections exceeds 40. The limit_conn and limit_conn_status directives can be used in the HTTP, server, and location contexts.


Discussion

Limiting the number of connections based on a key can be used to defend against abuse and share your resources fairly across all your clients. It is important to be cautious of your predefined key. Using an IP address, as we are in the previous example, could be dangerous if many users are on the same network that originates from the same IP, such as when behind a Network Address Translation (NAT): the entire group of clients will be limited. The limit_conn_zone directive is only valid in the HTTP context. You can utilize any number of variables available to NGINX within the HTTP context in order to build a string on which to limit by. Utilizing a variable that can identify the user at the application level, such as a session cookie, may be a cleaner solution depending on the use case. The limit_conn_status defaults to 503, service unavailable. You may find it preferable to use a 429, as the service is available, and 500-level responses indicate server error whereas 400-level responses indicate client error.

Discussion (translated from the Chinese edition)

Using connection limits sensibly lets server resources be shared fairly among clients. The key is to define a sensible storage key. In this example, using the IP address as the key is not a good choice, because once many users access the service through the same network, the connection count for every user behind that IP address is limited, which is unreasonable. limit_conn_zone is only valid in the http context and can use any NGINX variable to build the limiting key. Using a variable that identifies the user’s session, such as a cookie, helps make sensible use of the connection control feature. limit_conn_status defaults to status code 503 Service Unavailable. The example uses 429 because the service is available, whereas 500-level response codes indicate a server-side error and 400-level response codes indicate a client error.
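Both discussions above suggest keying the limit on an application-level identifier such as a session cookie instead of the client address. The configuration below is an added example, not from the book: it keys the zone on a session cookie when one is present and falls back to the binary client address otherwise. The cookie name sid, the zone name perclient, the map variable $conn_limit_key and the upstream name are placeholders chosen here.

```nginx
# Added example (not the book's own configuration).
http {
    # Use the session cookie as the key when present; an empty cookie
    # value falls back to the client's binary address (as in the recipe).
    # The cookie value is client-supplied: if the application does not
    # validate it, a client can vary the cookie to sidestep the limit, so
    # only key on cookies the backend actually enforces.
    map $cookie_sid $conn_limit_key {
        ""      $binary_remote_addr;
        default $cookie_sid;
    }

    # One zone keyed on the computed value. Cookie keys are longer than a
    # binary address, so each entry consumes more of the 10m zone.
    limit_conn_zone $conn_limit_key zone=perclient:10m;

    # Reject with 429 rather than the default 503, and log limited
    # requests at warn so they are easy to find without flooding error.
    limit_conn_status 429;
    limit_conn_log_level warn;

    server {
        listen 80;

        location / {
            limit_conn perclient 40;
            # Uncomment to observe and log would-be rejections without
            # enforcing them (available since NGINX 1.17.6).
            # limit_conn_dry_run on;
            proxy_pass http://backend_placeholder;
        }
    }
}
```

Watch the error log for "limiting connections by zone" entries after deploying; a burst of them from one key is the signal to inspect before tightening the limit further.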
