Small knowledge, big challenge! This article is participating in the creation activity of “Essential Tips for Programmers”.

A few days ago, there was a problem in the company’s statistics: there was a big deviation between the data of our own statistical module and the data of the third party — the company’s statistical magnitude was unusually large. We suspect that someone directly took the reporting interface to brush, if the server performance can not be in the past, the data is not good, but in case of large brush, down the server, this is a typical ddos ah. So we put it on the agenda.

I have chosen to limit traffic from a single IP address, as described in the title, through the ngx_http_limit_req_module/ngx_http_limit_conn_module of the Nginx server. Overflow requests are filtered out directly at the NGINx layer.

Ngx_http_limit_req_module module

The function of this module is to limit the access rate of a single IP address per second. The main syntax is:

Limit_req_zone key Zone rate key: defines traffic limiting objects. $binary_remote_ADDR is a key that limits traffic based on remote_ADDR (client IP address). Binary_ is used to reduce memory usage. Zone: defines a shared memory area to store access information. MyRateLimit :10m Indicates a memory area with a size of 10m and a name of myRateLimit. One meter can store information about 16,000 IP addresses, and 10 meters can store information about 16W IP addresses. Rate: Sets the maximum access rate. Rate =10r/s indicates that a maximum of 10 requests can be processed per second. Nginx actually tracks request information on a millisecond granularity, so 10r/s is actually a limit: one request every 100 milliseconds. This means that if another request arrives within 100 milliseconds after the last request was processed, it will be rejected.Copy the code

Nginx.conf (HTTP) : nginx.conf (HTTP) : nginx.conf (HTTP) : nginx.conf (HTTP) : nginx.conf

limit_req_zone $binary_remote_addr  zone=mylimit:10m rate=2r/s;
Copy the code

Define a shared memory area called mylimit. This area is about 10 MB and can hold about 16w IP addresses. The IP access rate should not exceed 2 times per second.

We have defined the shared memory area, and how to use it. We have defined the shared memory area and how to use it.

Limit_req zone= zone_name (burst=n nodely) Zone_name: name of the shared memory area defined in HTTP burst: The number of additional requests that can be processed after the set processing rate is exceeded. This parameter is equivalent to a leaky bucket (explained later), which is transmitted in real time until a burst of traffic enters the bucket. =n indicates the maximum number of requests that can be stored in the bucket. Nodely: indicates that requests that leak in the bucket will be processed immediately without delay. However, even if the 20 unexpected requests are processed immediately, subsequent requests will not be processed immediately. Burst =20 is equivalent to 20 holes in the cache queue, which can only be released in 100ms each, even if the request is processed. In this way, the rate is stable, but the sudden flow can be handled normally.Copy the code

Once the shared memory area is defined, we can implement this rule in the project server:

limit_req zone=mylimit burst=5 nodely
Copy the code

After the setup is complete, we restart the nginx server to enforce the latest rule: each IP user accesses a maximum of 2+7 requests per second

Limits_req_status XXX limitS_req_status 504 (placed under the server of a single project) The status code returned after the overflow is 504.

Here I use a case of a blogger buying up a project

limit_req_zone $server_name zone=sname:10m rate=1r/s; Server {listen 80; server_name www.abc.com; location / { include host/proxy.cnf; proxy_pass http://backend; } location /api/createOrder { limit_req zone=sname; Limit_req_status 503; #limit_req zone=sname Burst =5 nodelay; Include host/proxy.cnf; proxy_pass http://backend; error_page 503 =200 /50x.html; Error status code 503 Is 200} when you return to the location = / 50 x) HTML {the if ($http_user_agent ~ * "mobile | android | the | the | ios | ios") {# default_type application/json; Return 200 '{" MSG ": "activity is too hot, please try again later!" ,"data": {},"code": -1}'; # set mobile to return error message display} root HTML; Return an HTML page if it is on PC}}Copy the code

Error_page 403 = 200/50x.html; error_page 403 = 200/50x.html; error_page 403 = 200/50x.html; error_page 403 = 200/50x.html; Set the status code to 200

Case reference: gist.github.com/simlegate/7…

Ngx_http_limit_conn_module module

The function of this module is to limit the number of concurrent connections to a single IP address. The main syntax is:

Limit_conn_zone $binARY_REMOTE_ADDR zone= zone_NAMe1 :10m // Definition

Limit_conn_zone $Server_name zone=zone_name2:10m // Definition

server{

Limit_conn perIP 20 // Use: The corresponding key is $binary_remote_addr, which indicates that a single IP address can hold up to 20 connections at the same time.

Limit_conn perServer 100 // Use: The corresponding key is $server_name, indicating the number of concurrent connections that the virtual host can process at the same time. Note that this connection is counted only after the Request header has been processed by the back-end server.

}