Goal: use the nginx.conf configuration to limit the number of concurrent connections from certain IPs, while exempting a whitelist of addresses.
Solution:
Use the limit_conn_zone and limit_conn directives of nginx's built-in ngx_http_limit_conn_module, combined with geo and map to build the whitelist.
1. With no limit applied
The nginx.conf file is as follows:
```nginx
user www www;
worker_processes 2;  # set to the number of CPU cores
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit;  # log location and log level
pid /usr/local/webserver/nginx/nginx.pid;

# Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for';

    #charset gb2312;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    #limit_zone crawler $binary_remote_addr 10m;   # limit_zone is the pre-1.1.8 name of limit_conn_zone

    # virtual host configuration
    server {
        listen 80;              # listening port
        server_name localhost;  # domain name
        index index.html index.htm index.php;
        root /usr/local/webserver/nginx/html;  # site directory

        # Matches URIs ending in .php or .php5. The pattern as originally written,
        # .*.(php|php5)?$, made the extension optional and therefore matched every
        # URI, so every request (images included) was sent to the FastCGI backend
        # and the static-file locations below never matched.
        location ~ \.(php|php5)$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ \.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
            expires 30d;
            # access_log off;
        }

        location ~ \.(js|css)$ {
            expires 15d;
            # access_log off;
        }

        access_log off;
    }
}
```
Load test with ab:
Failed requests: 0
2. Limiting concurrency for certain IPs
```nginx
http {
    # The geo and map blocks implement the whitelist for the limit. map maps the
    # whitelist value to $limit: IPs listed in the geo block are mapped to an
    # empty value, all other clients to their own IP address.
    # limit_conn_zone ignores requests whose key is empty, so the listed IPs
    # are not limited.
    geo $whiteiplist {
        default 1;
        127.0.0.1 0;
        121.199.16.249 0;
    }

    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }

    # limit_conn_zone defines the per-IP concurrent connection accounting:
    # a 10m shared memory zone that stores the state (current connection count)
    # of each key. $limit is the key, so connections are counted per source IP.
    limit_conn_zone $limit zone=perip:10m;

    # limit each IP to 5 concurrent connections
    limit_conn perip 5;
}
```
If an IP must not be limited, set its value in the geo block to 0.
If an IP must be limited, set its value to 1.
The default value (for every address not listed) can be either 1 or 0, depending on whether unlisted clients should be limited.
```nginx
geo $whiteiplist {
    xxx.xxx.xxx.xxx 0;
    yyy.yyy.yyy.yyy 1;
    default 1;
}
```
The geo directive defines the whitelist variable $whiteiplist with a default of 1, so every client is limited unless its address matches one of the listed entries, which yields 0 (not limited). geo matches against the address of the TCP peer ($remote_addr) and accepts CIDR ranges as well as single addresses.
The map directive maps a $whiteiplist value of 1 (a limited client) to the client's own address, using $binary_remote_addr rather than $remote_addr because the fixed-size binary form keeps the per-key state in the zone small; a value of 0 (a whitelisted client) is mapped to the empty string.
limit_conn_zone does not account requests whose key is empty, so the listed IPs are never counted and never rejected. Two caveats: limit_conn counts open connections per key, not requests, so a single keepalive connection can carry many requests (use limit_req_zone/limit_req for a per-IP request rate); and if nginx sits behind a reverse proxy or CDN, $binary_remote_addr is the proxy's address, so all clients share one counter and the limit throttles the proxy itself. Do not switch the key to $http_x_forwarded_for to work around this: that header is supplied by the client and trivially spoofed. Use the realip module with set_real_ip_from restricted to the trusted proxy addresses instead.
1. Limiting concurrency for all IPs
The nginx.conf file is identical to the unlimited configuration in section 1 above, except that the following is added inside the http block, before the server block (the commented-out limit_zone line is dropped):
```nginx
    # every client gets $whiteiplist = 1, so every client is limited
    geo $whiteiplist {
        default 1;
    }

    # The map as originally posted had no source values ("$binary_remote_addr;"
    # and '"";' alone), which nginx -t rejects; each entry needs a key.
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }

    limit_conn_zone $limit zone=perip:10m;
    limit_conn perip 50;
```
Load test result with ab (run with a concurrency above the limit of 50):
Failed requests: 352
Rejected requests get a 503 from limit_conn; ab reports them as Length failures because the 503 body differs from the first response, so also check the Non-2xx responses line of the ab output.
2. Testing whether the whitelist takes effect
The nginx.conf file is the same as in the previous step, with the address of the load-testing host added to the geo block:
```nginx
    geo $whiteiplist {
        47.93.39.164 0;   # the host that runs ab is whitelisted
        default 1;
    }

    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }

    limit_conn_zone $limit zone=perip:10m;
    limit_conn perip 50;
```
Load test result with ab from the whitelisted host, at the same concurrency:
Failed requests: 0
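When the whitelist cannot be tested against production traffic, nginx can count and log limit decisions without rejecting anything. The following is an added example, not from the original post; it uses limit_conn_dry_run and the $limit_conn_status variable (both available since nginx 1.17.6) and keeps the post's zone name, whitelist address and paths. The log file name limit_test.log is an assumption:

```nginx
http {
    # Added example: observe limit_conn decisions before enforcing them.
    # Requires nginx 1.17.6+ for limit_conn_dry_run and $limit_conn_status.
    log_format limitlog '$remote_addr [$time_local] "$request" $status '
                        'limit_conn=$limit_conn_status';

    geo $whiteiplist {
        default 1;
        47.93.39.164 0;
    }

    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }

    limit_conn_zone $limit zone=perip:10m;

    server {
        listen 80;
        server_name localhost;
        root /usr/local/webserver/nginx/html;

        limit_conn perip 50;
        # Count and log, but do not reject: once the 50-connection limit is hit,
        # $limit_conn_status becomes REJECTED_DRY_RUN instead of REJECTED and
        # the request is still served.
        limit_conn_dry_run on;

        # The post turns access_log off; it must be on to see the decisions.
        # Assumed log path.
        access_log /usr/local/webserver/nginx/logs/limit_test.log limitlog;
    }
}
```

Run ab with a concurrency above 50 from a non-whitelisted host and then from 47.93.39.164: the log should contain REJECTED_DRY_RUN entries only for the first host, while every request from the whitelisted host is served with no rejection recorded. Once the log confirms the expected behaviour, remove limit_conn_dry_run to enforce the limit.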
Note: the same mechanism can be turned into a blacklist by inverting the values in the geo block (default 0, listed IPs 1): then only the listed addresses are counted and limited, and every other client is unlimited.
After every change to nginx.conf, check the file for correctness and then reload the configuration; the change only takes effect after the reload.
Related commands:
```sh
# check the configuration file syntax
/usr/local/webserver/nginx/sbin/nginx -t
# reload the configuration (graceful: workers finish in-flight requests)
/usr/local/webserver/nginx/sbin/nginx -s reload
# reopen log files, e.g. after log rotation (this does not restart nginx)
/usr/local/webserver/nginx/sbin/nginx -s reopen
# stop nginx (fast shutdown; use -s quit for a graceful shutdown)
/usr/local/webserver/nginx/sbin/nginx -s stop
# start nginx
/usr/local/webserver/nginx/sbin/nginx
```