Nginx request limiting: configuration syntax and principles of request connection rate limiting
1. How HTTP connections and requests work
(1) An HTTP request rides on a TCP connection
- An HTTP request is carried over a TCP connection; the HTTP request only begins once the TCP three-way handshake has completed;
- One TCP connection carries at least one HTTP request;
(2) The TCP three-way handshake
First handshake: to open a connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server's confirmation;
Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ack=j+1) while also sending its own SYN packet (syn=k), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state;
Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet ACK (ack
Once the three-way handshake completes, the client and server begin to exchange data. Several other important concepts appear in the process above:
(3) TCP flag bits
SYN opens a connection,
FIN closes a connection,
ACK acknowledges,
PSH
RST resets the connection.
The flag bits are the TCP control bits; six are defined (the sequence and acknowledgement numbers listed with them are header fields rather than flags):
- SYN (synchronize: establish a connection)
- ACK (acknowledgement)
- PSH (push: deliver data)
- FIN (finish: end)
- RST (reset)
- URG (urgent)
- Sequence number
- Acknowledge number
(4) Differences between HTTP versions
2. http_limit_conn_module in detail
http_limit_conn_module: limits the number of HTTP request connections per key
Official documentation:
The ngx_http_limit_conn_module module is used to limit the number of connections per the defined key, in particular, the number of connections from a single IP address.
Not all connections are counted. A connection is counted only if it has a request being processed by the server and the whole request header has already been read.
3. limit_conn syntax
(1) limit_conn syntax

| Syntax: | limit_conn zone number; |
|---|---|
| Default: | — |
| Context: | http, server, location |

Syntax explained:
limit_conn zone number;
zone is the shared memory zone in which the per-key state is stored
number is the maximum number of connections allowed for one key
Sets the shared memory zone and the maximum allowed number of connections for a given key value. When this limit is exceeded, the server will return the error in reply to a request. For example, the directives
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
    location /download/ {
        limit_conn addr 1;
    }
}
allow only one connection per an IP address at a time.
In HTTP/2 and SPDY, each concurrent request is considered a separate connection.
There could be several limit_conn directives. For example, the following configuration will limit the number of connections to the server per a client IP and, at the same time, the total number of connections to the virtual server:
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}
These directives are inherited from the previous level if and only if there are no limit_conn directives on the current level.
(2) limit_conn_log_level syntax
| Syntax: | limit_conn_log_level info \| notice \| warn \| error; |
|---|---|
| Default: | limit_conn_log_level error; |
| Context: | http, server, location |

This directive appeared in version 0.8.18.
Syntax explained:
limit_conn_log_level error; sets the logging level used when the server limits the number of connections.
Sets the desired logging level for cases when the server limits the number of connections.
(3) limit_conn_status syntax

| Syntax: | limit_conn_status code; |
|---|---|
| Default: | limit_conn_status 503; |
| Context: | http, server, location |

This directive appeared in version 1.3.15.
Syntax explained:
limit_conn_status code; sets the response status code returned for rejected requests.
Sets the status code to return in response to rejected requests.
(4) limit_conn_zone syntax

| Syntax: | limit_conn_zone key zone=name:size; |
|---|---|
| Default: | — |
| Context: | http |

Syntax explained:
Sets parameters for a shared memory zone that will keep states for various keys. In particular, the state includes the current number of connections. The key can contain text, variables, and their combination. Requests with an empty key value are not accounted.
Prior to version 1.7.6, a key could contain exactly one variable.
Usage example:
limit_conn_zone $binary_remote_addr zone=addr:10m;
Usage explained:
Here, a client IP address serves as a key. Note that instead of $remote_addr, the $binary_remote_addr variable is used here. The $remote_addr variable's size can vary from 7 to 15 bytes. The stored state occupies either 32 or 64 bytes of memory on 32-bit platforms and always 64 bytes on 64-bit platforms. The $binary_remote_addr variable's size is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses. The stored state always occupies 32 or 64 bytes on 32-bit platforms and 64 bytes on 64-bit platforms. One megabyte zone can keep about 32 thousand 32-byte states or about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return the error to all further requests.
(5) limit_zone syntax (removed)

| Syntax: | limit_zone name $variable size; |
|---|---|
| Default: | — |
| Context: | http |

Syntax explained:
This directive was made obsolete in version 1.1.8 and was removed in version 1.7.6. An equivalent limit_conn_zone directive with a changed syntax should be used instead:
limit_conn_zone $variable zone=name:size;
4. limit_conn_zone configuration
Note: the location used here must serve a dynamic interface for a load test to actually hit the limit_conn connection limit. If the location serves static files the limit is very hard to trigger, because Nginx answers static requests so quickly that the connections rarely overlap.
5. Verifying that the limit_conn configuration takes effect
A load test with the ab tool: 2 succeeded, 18 failed.
Because limit_conn=1, the bulk of the requests were limited.
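To make sections 4 and 5 reproducible end to end, here is an added shell script that is not part of the original post: it writes a complete limit_conn configuration with a proxied (dynamic) location, syntax-checks it when nginx is installed, fires concurrent curl probes and counts the returned status codes, and parses the "Non-2xx responses" line of ab output. The listen port 8081, the upstream at 127.0.0.1:8080, the path /api/slow, the /tmp file names and the ab excerpt used by ab_non2xx_sample are all assumptions constructed for the example.

```shell
# Added example, not code from the original post. Assumptions that are not on
# the page: the dynamic endpoint is proxied to an upstream at 127.0.0.1:8080,
# nginx listens on 8081, and the slow path is /api/slow.

# Write a complete nginx.conf that limits concurrent connections per client IP
# and, at the same time, per virtual server. The proxied location is the
# "dynamic interface" the post recommends: a request holds its connection
# while the upstream works, so concurrent probes actually overlap.
write_limit_conn_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
worker_processes 1;
error_log /tmp/limit_conn_test.log;
pid /tmp/limit_conn_test.pid;
events { worker_connections 1024; }
http {
    # $binary_remote_addr keys are fixed-size (4 or 16 bytes), so a 10m zone
    # holds far more states than the variable-length $remote_addr would.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;
    limit_conn_log_level warn;   # rejected connections are logged at "warn"
    limit_conn_status 503;       # status code returned for rejected requests

    server {
        listen 8081;
        server_name localhost;

        # Dynamic endpoint (assumed upstream at 127.0.0.1:8080)
        location /api/ {
            limit_conn perip 1;        # one connection per client IP at a time
            limit_conn perserver 100;  # and at most 100 for the whole vhost
            proxy_pass http://127.0.0.1:8080;
        }

        # Static files are answered too fast to exercise limit_conn; left unlimited.
        location /static/ {
            root /var/www;
        }
    }
}
EOF
}

# Syntax-check the generated file when nginx is installed.
validate_conf() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t -c "$1"
    else
        echo "nginx not installed; skipping syntax check" >&2
    fi
}

# Send N requests at once with curl and record one HTTP status code per line.
# Every probe comes from the same source address, so with "limit_conn perip 1"
# only one of them is counted at a time and the rest should receive 503.
probe_concurrent() {
    url="$1"; n="$2"; out="$3"
    : > "$out"
    i=0
    while [ "$i" -lt "$n" ]; do
        curl -s -o /dev/null -w '%{http_code}\n' "$url" >> "$out" &
        i=$((i + 1))
    done
    wait
}

# Count how many recorded status codes in file $1 equal code $2.
count_status() {
    grep -c "^$2\$" "$1" || true
}

# Pull the "Non-2xx responses" figure out of ab output read on stdin. ab omits
# the line when every response was 2xx, so report 0 in that case.
ab_non2xx() {
    awk '/^Non-2xx responses:/ { print $3; found = 1 } END { if (!found) print 0 }'
}

# Constructed ab excerpt (not a real capture) run through the parser above.
ab_non2xx_sample() {
    printf '%s\n' \
        'Complete requests:      20' \
        'Failed requests:        18' \
        '   (Connect: 0, Receive: 0, Length: 18, Exceptions: 0)' \
        'Non-2xx responses:      18' | ab_non2xx
}

# Entry point; runs only when invoked as "sh limit_conn_check.sh run", so the
# file can be sourced for its functions without side effects.
if [ "${1:-}" = "run" ]; then
    conf=/tmp/limit_conn_test.conf
    codes=/tmp/limit_conn_codes.txt
    write_limit_conn_conf "$conf" && validate_conf "$conf"
    probe_concurrent http://127.0.0.1:8081/api/slow 20 "$codes"
    echo "200: $(count_status "$codes" 200)  503: $(count_status "$codes" 503)"
fi
```

Run it with `sh limit_conn_check.sh run` while nginx is loaded with the generated file and something slow sits behind 127.0.0.1:8080; with `limit_conn perip 1` and 20 probes from one address you should see one or two 200s and the rest 503. When reading ab output, keep in mind that its "Failed requests" line also counts responses whose body length differs from the first response received, so the figure that reflects rejections is "Non-2xx responses". The rejections are also written to the error log at the configured limit_conn_log_level (warn here), which is the signal to watch when tuning the limit in production.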