Nginx provides a request limiting module (ngx_http_limit_req_module) and a traffic limiting module (ngx_stream_limit_conn_module), based on the token bucket algorithm, which make it easy to control the token rate, customize the limits, and implement basic rate limiting.
This module has been merged into the mainline version, so no additional compilation or installation is required.
1. Limit traffic per user (concurrency limit)
Nginx's concurrency limiting is provided by the ngx_http_limit_conn_module module.
Module documentation: Module ngx_http_limit_conn_module
limit_conn_zone: can only be configured in the http context; multiple zones can be configured at the same time and referenced separately;
$binary_remote_addr: the IP address of the requesting client;
one: a zone name (buffer) that you define yourself;
size: set to 1m here, which holds about 16,000 IP addresses (see the documentation for details);
limit_rate: limits the transmission speed;
limit_conn: corresponds to limit_conn_zone and limits the number of network connections.
1. Add the zone definition to the http block

http {
    limit_conn_zone $binary_remote_addr zone=one:1m;   # speed limit definition
}

2. Add the limit to the server block to apply it

server {
    limit_conn one 1;    # limit each IP to one concurrent connection
    limit_rate 256k;     # limit the speed of each connection to 256K; IP download speed = number of connections * per-connection limit
}

Note: to reduce pressure on the back end, applying the limit at the interface layer is normally sufficient.
2. Limit the number of requests from each IP within a given time (request limit)
Request limiting is provided by the ngx_http_limit_req_module module.
Module documentation: Module ngx_http_limit_req_module
limit_req_zone: can only be configured in the http context;
$binary_remote_addr: the IP address of the requesting client;
mylimit: a zone name that you define yourself;
size: set to 1m here, which holds about 16,000 IP addresses (see the documentation for details);
rate: the request frequency, i.e. how many requests are allowed per second;
limit_req: corresponds to limit_req_zone;
burst: configures how excess requests are handled. It can be understood simply as a queue: requests above the rate are placed in the queue first. Without the nodelay parameter, queued requests are not processed immediately; they are released gradually at the configured rate, with millisecond-level precision.
nodelay: allows a queued request to be processed immediately. As long as a request fits into the burst queue, it is handed to a worker right away. Note that this means that with burst and nodelay set, the instantaneous request rate reaching the system may exceed the threshold set by rate. The nodelay parameter only takes effect when used together with burst.
1. Add the zone definition to the http block

http {
    limit_req_zone $binary_remote_addr zone=mylimit:1m rate=5r/s;   # request limit definition
}

2. Add the limit to the server block to apply it

server {
    limit_req zone=mylimit burst=100 nodelay;   # request limit applied
}
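
To see what rate, burst and nodelay do to a flood from a single IP, the following is an added example (not from the original article): a simplified Python model of the limit_req accounting, where the function names and the constructed traffic are assumptions made for illustration.

```python
"""Simplified model of nginx limit_req accounting for one client key."""


def simulate(arrivals_ms, rate, burst, nodelay):
    """Return one (verdict, delay_ms) tuple per request.

    arrivals_ms: sorted arrival times in milliseconds (constructed input)
    rate:        allowed requests per second (rate=Nr/s)
    burst:       the burst= value (0 models a limit_req without burst)
    nodelay:     True models "burst=N nodelay"
    """
    rate_m = rate * 1000      # work in 1/1000ths of a request
    burst_m = burst * 1000
    excess = None             # no state stored yet for this key
    last = 0
    results = []
    for now in arrivals_ms:
        if excess is None:
            new_excess = 0    # first request seen from this key
        else:
            # Drain at the configured rate, then count this request.
            new_excess = max(excess - rate_m * (now - last) // 1000 + 1000, 0)
        if new_excess > burst_m:
            results.append(("reject", 0))   # over the burst: state not updated
            continue
        excess, last = new_excess, now
        # Without nodelay, the request waits until the excess has drained.
        delay = 0 if nodelay else new_excess * 1000 // rate_m
        results.append(("pass" if delay == 0 else "delay", delay))
    return results


def summarize(results):
    """Count verdicts and report the longest queueing delay in ms."""
    counts = {"pass": 0, "delay": 0, "reject": 0}
    for verdict, _ in results:
        counts[verdict] += 1
    return counts, max(delay for _, delay in results)


if __name__ == "__main__":
    flood = [0] * 120   # constructed: 120 requests from one IP in the same ms
    for label, burst, nodelay in (("burst=100 nodelay", 100, True),
                                  ("burst=100", 100, False),
                                  ("no burst", 0, True)):
        print(label, summarize(simulate(flood, 5, burst, nodelay)))
```

With the article's rate=5r/s and burst=100, the flood has 101 requests accepted and 19 rejected; without nodelay the last queued request waits 20 seconds, which matters when choosing proxy and client timeouts.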
3. Explanation
1. An overall limit is implemented at the entrance, in the server layer
2. To restrict the number of accesses to an interface, place the limit in that interface's configuration
Reference configuration:
http layer configuration
http {
    include ;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #log_format remote_main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for" "$request_time" "$upstream_response_time" "$upstream_addr" "$upstream_status"';

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_time" "$upstream_response_time" "$upstream_addr" "$upstream_status"';

    access_log logs/ main;

    sendfile on;
    #tcp_nopush on;

    proxy_buffers 16 1024k;
    proxy_buffer_size 1024k;
    gzip on;

    keepalive_timeout 180s;
    proxy_connect_timeout 180s;
    proxy_send_timeout 180s;
    proxy_read_timeout 180s;

    server_tokens off;
    # add_header X-Frame-Options SAMEORIGIN;
    # add_header X-Frame-Options ALLOW-FROM ':80';
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    client_max_body_size 32M;
    client_body_buffer_size 256k;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 8k;

    absolute_redirect off;
    server_name_in_redirect off;
    port_in_redirect off;

    ### vts
    vhost_traffic_status_zone;
    vhost_traffic_status_filter_by_host on;

    # limit_req_zone $binary_remote_addr zone=test:10m rate=3r/s;
    include /opt/nginx/conf//*.conf;

    #limit_conn_zone $binary_remote_addr zone=one:1m;               # speed limit definition
    #limit_req_zone $binary_remote_addr zone=mylimit:1m rate=5r/s;  # limit number of people definition
}
Server layer configuration
server {
    listen 80;
    listen 1023;
    listen 443 ssl;

    # limit_req zone=test burst=20 nodelay;
    #limit_conn_zone $binary_remote_addr zone=one:10m;
    #limit_conn one 2;    # restrict each IP to initiate only one concurrent connection
    #limit_rate 256k;     # limit the speed of each connection to 256k; IP download speed = number of connections * per-connection limit

    charset utf-8;
    # server_name 117.60.146.37;
    server_name 117.60.146.37 11.1.8.24;
    index ;

    ssl_certificate /opt/nginx/conf/cert/_.;
    ssl_certificate_key /opt/nginx/conf/cert/_.;
    ssl_session_timeout 5m;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Compression
    gzip_static on;
    gzip on;
    gzip_buffers 32 4K;
    gzip_comp_level 6;
    gzip_min_length 100;
    gzip_http_version 1.0;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png application/javascript;
    # Conditions for disabling gzip (regular expressions are supported); here gzip
    # is not enabled for IE6 and below (older IE versions do not support it)
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Test Chinese
    # The maximum request body is 5M
    client_max_body_size 5m;

    # Redirect the root directory to /main directly
    location ~ ^/$ {
        return 301 /main/;
    }

    location /main {
        root /usr/share/nginx/html;
        index ;
        try_files $uri $uri/ /main/;
    }

    location / {
        # Do not cache files ending in .html or .htm
        if ($request_filename ~* .*\.(?:htm|html)$) {
            add_header Cache-Control "no-cache";
            add_header Access-Control-Allow-Origin *;
        }
        root /usr/share/nginx/html/subapp;
        index ;
        try_files $uri $uri/ /;
        add_header Access-Control-Allow-Origin *;
    }

    location /thirdApp {
        alias /usr/share/nginx/html/thirdApp;
    }

    location /cdn {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Headers X-Requested-With;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        alias /usr/share/nginx/html/cdn;
        add_header Cache-Control max-age=31536000;
    }

    location ^~ /api/ {
        # proxy_set_header Host $host;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;    # pass the client's real IP
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://api/;

        # Speed limiting applied at the interface layer
        # limit_conn one 1;    # limit each IP to one concurrent connection
        # limit_rate 10k;      # limit the speed of each connection to 256K; IP download speed = number of connections * per-connection limit
        # Request limit applied
        # limit_req zone=mylimit burst=100 nodelay;
    }
}