2.2 Limiting Rate

Problem

You need to limit the rate of requests by a predefined key, such as the client's IP address.

Problem (translated)

Limit the rate of user requests according to some rule, for example by the user's IP address.


Solution

Utilize the rate-limiting module to limit the rate of requests:

http {
    limit_req_zone $binary_remote_addr zone=limitbyaddr:10m rate=1r/s;
    limit_req_status 429;
    ...
    server {
        ...
        limit_req zone=limitbyaddr burst=10 nodelay;
        ...
    }
}

This example configuration creates a shared memory zone named limitbyaddr. The predefined key used is the client's IP address in binary form ($binary_remote_addr: 4 bytes for IPv4, 16 for IPv6, so it packs far more states into the zone than the textual $remote_addr would). The size of the shared memory zone is set to 10 megabytes; one megabyte holds about 16,000 64-byte states, and when the zone fills nginx evicts the oldest state, or rejects the request with the configured error if it still cannot allocate one. The rate= keyword argument sets the permitted rate for the zone. The limit_req directive takes a zone argument, which is required and names the shared memory zone to use, and an optional burst argument. When a key's request rate is exceeded, excess requests are queued and released at the configured rate until the queue holds as many requests as burst allows; requests that arrive while the queue is full are rejected. burst defaults to zero, so without it every request above the rate is rejected outright. limit_req also takes a third optional parameter, nodelay. With nodelay the requests within the burst are served immediately instead of being spaced out at the configured rate, but the bucket still has to drain at that rate before further requests are accepted. limit_req_status sets the HTTP status code returned to the client for rejected requests; the default is 503, and the example uses 429 (Too Many Requests), which tells clients and monitoring that they were throttled rather than that the upstream failed. limit_req_status and limit_req are valid in the http, server, and location contexts. limit_req_zone is only valid in the http context. One caveat: if nginx sits behind a load balancer or reverse proxy, $binary_remote_addr is the proxy's address and every client shares a single bucket; restore the original client address with the real IP module before keying on it.

Solution (translated)

Use the rate-limiting module to limit the request rate:

http {
    limit_req_zone $binary_remote_addr zone=limitbyaddr:10m rate=1r/s;
    limit_req_status 429;
    ...
    server {
        ...
        limit_req zone=limitbyaddr burst=10 nodelay;
        ...
    }
}

In the example, a 10 MB shared memory zone named limitbyaddr is created, keyed by the client's IP address in binary form. limit_req_zone also sets the permitted rate. The limit_req directive takes two main parameters: zone and burst. The zone value is the name of the zone defined by the limit_req_zone directive. When a client's requests exceed the configured rate, the excess requests are queued in the buffer sized by burst; once that buffer is also full, the client is sent the 429 status code. burst defaults to 0. limit_req also has a third parameter, nodelay, which lets the requests within the burst be handled immediately rather than being spaced out at the configured rate. limit_req_status sets the status code returned to clients for requests that exceed the rate; it defaults to 503 and is set to 429 in the example. limit_req_status and limit_req may be used in the http, server and location contexts. limit_req_zone may only be used in the http context.


Discussion

The rate-limiting module is very powerful in protecting against abusive rapid requests while still providing a quality service to everyone. There are many reasons to limit the rate of requests, one being security. You can blunt a brute-force attack by putting a very strict limit on your login page. You can spoil the plans of malicious users who might try to deny service to your application or to waste resources by setting a sane limit on all requests. Keep in mind that a per-address limit only slows an attacker who reuses an address; a distributed attack spread over many clients needs a different key, or an application-side lockout, as well. The configuration of the rate-limit module is much like the preceding connection-limiting module described in Recipe 12.1, and much of the same concerns apply. The rate at which requests are limited can be expressed in requests per second or requests per minute. When the rate limit is hit, the incident is logged. There's a directive not in the example: limit_req_log_level, which defaults to error but can be set to info, notice, or warn.

Discussion (translated)

The rate-limiting module is very useful in a project: by absorbing sudden bursts of requests, it keeps service quality high for every user. There are many reasons to use rate limiting, one of them being security. For example, a strict rate limit on the login page defeats brute-force attacks. Without a per-user limit, one user could make the service unusable for others or waste server resources. The rate-limiting module is similar to the connection-limiting module described in the previous section. The rate can be expressed per second or per minute. When a request hits the limit, the event is written to the log. One directive is not shown in the example: limit_req_log_level sets the log level for those entries; it defaults to error and can also be set to info, notice or warn.
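To make the burst, nodelay and limit_req_status behaviour described in the Solution concrete, and to show the strict login-page limit suggested in the Discussion, here is an added Python model of the leaky bucket that limit_req implements. It is example code written for this page, not part of the Nginx Cookbook or of nginx itself. The IP addresses, arrival times and the 10r/m burst=3 login limit are constructed inputs, and the milli-request accounting follows ngx_http_limit_req_module's source as I read it: the first request for a key starts with excess 0, and a rejected request leaves the key's state unchanged.

```python
"""Model of the leaky bucket behind limit_req_zone / limit_req.

Added example, not code from the Nginx Cookbook page or from nginx.
Per-key "excess" is kept in milli-requests and the rate in milli-requests
per second, as ngx_http_limit_req_module does; request arrival times are
constructed inputs given in milliseconds, so everything runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Verdict = Tuple[str, int]  # ("pass", delay_ms) or ("reject", http_status)


def parse_rate(spec: str) -> float:
    """Convert a limit_req_zone rate value ('1r/s', '30r/m') to requests/second."""
    count, unit = spec.split("r/")
    return float(count) / {"s": 1, "m": 60}[unit]


@dataclass
class LimitReqZone:
    rate: str               # limit_req_zone ... rate=
    burst: int = 0          # limit_req ... burst=   (default 0)
    nodelay: bool = False   # limit_req ... nodelay
    status: int = 503       # limit_req_status       (default 503; the page sets 429)
    state: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # key -> (excess, last_ms)

    def handle(self, key: str, now_ms: int) -> Verdict:
        rate = int(parse_rate(self.rate) * 1000)   # milli-requests per second
        burst = self.burst * 1000                  # milli-requests
        if key not in self.state:
            # A key seen for the first time starts with excess 0, so the first
            # request always passes without delay.
            self.state[key] = (0, now_ms)
            return ("pass", 0)
        excess, last_ms = self.state[key]
        elapsed = max(now_ms - last_ms, 0)
        # Drain what the configured rate allows since the last request, then
        # charge 1000 (one request).
        excess = max(excess - rate * elapsed // 1000 + 1000, 0)
        if excess > burst:
            # Bucket full: reject with limit_req_status; state is not touched.
            return ("reject", self.status)
        self.state[key] = (excess, now_ms)
        if self.nodelay or excess == 0:
            return ("pass", 0)
        # Without nodelay the request is held until its excess would have drained.
        return ("pass", excess * 1000 // rate)


def run(zone: LimitReqZone, key: str, arrivals_ms: List[int]) -> List[Verdict]:
    return [zone.handle(key, t) for t in arrivals_ms]


# Constructed scenario 1: the page's configuration (rate=1r/s, burst=10,
# nodelay, limit_req_status 429) hit by 13 requests from one address at t=0.
def page_config_burst() -> List[Verdict]:
    zone = LimitReqZone(rate="1r/s", burst=10, nodelay=True, status=429)
    return run(zone, "203.0.113.7", [0] * 13)


# Constructed scenario 2: the same zone without nodelay, so the burst is
# queued and released at 1 r/s instead of being served immediately.
def page_config_delayed() -> List[Verdict]:
    zone = LimitReqZone(rate="1r/s", burst=10, nodelay=False, status=429)
    return run(zone, "203.0.113.7", [0] * 12)


# Constructed scenario 3: the Discussion's strict login-page limit, modelled
# as a separate zone at 10r/m with burst=3 (hypothetical values), against a
# 20-attempt password-guessing burst followed by one retry 7 s later.
def login_bruteforce() -> List[Verdict]:
    zone = LimitReqZone(rate="10r/m", burst=3, nodelay=True, status=429)
    return run(zone, "198.51.100.9", [0] * 20 + [7000])


if __name__ == "__main__":
    for name, fn in [("page_config_burst", page_config_burst),
                     ("page_config_delayed", page_config_delayed),
                     ("login_bruteforce", login_bruteforce)]:
        verdicts = fn()
        print(name, sum(v == "pass" for v, _ in verdicts), "passed of", len(verdicts))
```

Running it shows the page's configuration serving 11 requests from one address instantly (the first request plus the burst of 10) and rejecting the 12th and 13th with 429; without nodelay the same 11 pass, but the n-th is held for n-1 seconds. The login scenario admits 4 attempts, rejects the next 16, and only accepts the retry once the bucket has drained; in nginx it corresponds to a second limit_req_zone with rate=10r/m applied with limit_req burst=3 nodelay inside the location for the login path, which is how the "very strict limit on your login page" from the Discussion is normally expressed, while the general zone keeps its sane limit on everything else.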

