  • Nginx TCP (stream): limiting concurrent connections, restricting by IP, and logging


    Syntax: limit_conn_zone key zone=name:size; // as with the http limit_conn, a shared memory zone must be set up: zone=name (shared memory zone name):size (shared memory zone size)
    Default: —
    Context: stream
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        ...
        limit_conn addr 1;
    }
    Syntax: limit_conn_log_level info | notice | warn | error;
    Default:
    limit_conn_log_level error;
    Context: stream, server

    Syntax: limit_conn zone number; // the zone name configured above, then the limit on the number of concurrent connections
    Default: —

    Context: stream, server

    This is similar to the access phase in http.

    Syntax: allow address | CIDR | unix: | all; // allows access from the specified IP addresses
    Default: —
    Context: stream, server
    Syntax: deny address | CIDR | unix: | all; // denies access
    Default: —
    Context: stream, server
    server {
        ...
        deny  192.168.1.1;
        allow 192.168.1.0/24;
        allow 10.1.1.0/16;
        allow 2001:0db8::/32;
        deny  all;
    }

    Log phase: the stream_log module

    Syntax: access_log path format [buffer=size] [gzip[=level]] [flush=time] [if=condition];
    access_log off;
    Default:
    access_log off;
    Context: stream, server
    Syntax: log_format name [escape=default|json|none] string ...;
    Default: —
    Context: stream
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    Syntax: open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time];
    open_log_file_cache off;
    Default:
    open_log_file_cache off;
    Context: stream, server

    Demonstration of the directives in nginx.conf

    server {
        listen 10004 proxy_protocol; # the PROXY protocol is enabled here
        set_real_ip_from 192.168.0.51;
        allow 202.112.144.236; # allow this IP, as supplied through the PROXY protocol
        deny all; # deny all other IPs
        return '10004 vars:
    bytes_received: $bytes_received
    bytes_sent: $bytes_sent
    proxy_protocol_addr: $proxy_protocol_addr
    proxy_protocol_port: $proxy_protocol_port
    remote_addr: $remote_addr
    remote_port: $remote_port
    realip_remote_addr: $realip_remote_addr
    realip_remote_port: $realip_remote_port
    server_addr: $server_addr
    server_port: $server_port
    session_time: $session_time
    status: $status
    protocol: $protocol
    ';
    }
    [root@3 conf]# telnet 192.168.0.51 10004
    Trying 192.168.0.51...
    Connected to 192.168.0.51.
    Escape character is '^]'.
    PROXY TCP4 202.112.144.236 10.210.12.10 5678 80
     // the address 202.112.144.236 was entered in the PROXY header here, so access is allowed
    10004 vars:
    bytes_received: 0
    bytes_sent: 0
    proxy_protocol_addr: 202.112.144.236 // check the returned result
    proxy_protocol_port: 5678
    remote_addr: 202.112.144.236
    remote_port: 5678
    realip_remote_addr: 192.168.0.51
    realip_remote_port: 49256
    server_addr: 192.168.0.51
    server_port: 10004
    session_time: 2.452
    status: 000
    protocol: TCP
    Connection closed by foreign host.
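
A simplified Python model of how the demo above reaches its decision, added here as an example (it is not nginx source and not code from the original post): the address in the PROXY header replaces the peer address only when the peer is listed in set_real_ip_from, and the allow/deny rules are then checked in order. The peer 192.168.0.99 is a constructed value and the function names are hypothetical.

```python
import ipaddress

TRUSTED = ["192.168.0.51"]                               # set_real_ip_from (page's demo)
DEMO_RULES = [("allow", "202.112.144.236"), ("deny", "all")]
# The allow/deny list from the page's access example, in the same order.
ACL_RULES = [("deny", "192.168.1.1"), ("allow", "192.168.1.0/24"),
             ("allow", "10.1.1.0/16"), ("allow", "2001:0db8::/32"), ("deny", "all")]
HEADER = "PROXY TCP4 202.112.144.236 10.210.12.10 5678 80"  # typed in the telnet session

def parse_proxy_v1(line):
    """Return (source_ip, source_port) from a PROXY v1 TCP header, else None."""
    parts = line.strip().split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src, _dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return str(src), sport

def in_net(addr, spec):
    # strict=False masks stray host bits, as in the page's "10.1.1.0/16".
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def effective_addr(peer, header):
    """Model of realip: the header address replaces the peer only if the peer is trusted."""
    parsed = parse_proxy_v1(header)
    if parsed and any(in_net(peer, t) for t in TRUSTED):
        return parsed[0]
    return peer

def access(addr, rules):
    """Rules are checked in order; the first match decides, no match allows."""
    for action, spec in rules:
        if spec == "all" or in_net(addr, spec):
            return action
    return "allow"

def decide(peer, header, rules=DEMO_RULES):
    return access(effective_addr(peer, header), rules)

if __name__ == "__main__":
    print(decide("192.168.0.51", HEADER))    # peer listed in set_real_ip_from
    print(decide("192.168.0.99", HEADER))    # constructed peer that is not trusted
    print(access("192.168.1.1", ACL_RULES))  # the specific deny precedes the /24 allow
```

Because the access rules see whatever address the PROXY header carries, set_real_ip_from should list only the proxies that actually front this listener.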
  • Original article: https://www.cnblogs.com/jackey2015/p/10587018.html