webapi限流框架WebApiThrottle

为了防止网站意外暴增的流量比如活动、秒杀、攻击等，导致整个系统瘫痪，在前后端接口服务处进行流量限制是非常有必要的。本篇主要介绍下Net限流框架WebApiThrottle的使用。

WebApiThrottle是一个专门为webApi限制请求频率而设计的，支持寄宿OWIN上的中间件的限制过滤。服务端接口可以基于客户端请求IP地址、客户端请求key、及请求路由去限制webapi接口的访问频率。

下面的代码是限制来自同IP请求的最大次数。如果在一分钟内，同样IP的客户端分别调用api/values和api/values/1两个接口， 那么调用api/values/1的请求会被拒绝掉。

IP和客户端key自定义限制频率

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new ThrottlingHandler()
        {
            Policy = new ThrottlePolicy(perSecond: 1, perMinute: 20, perHour: 200, perDay: 1500, perWeek: 3000)
            {
                IpThrottling = true
            },
            Repository = new CacheRepository()
        });
    }
}

config.MessageHandlers.Add(new ThrottlingHandler()
{
    Policy = new ThrottlePolicy(perSecond: 1, perMinute: 20, perHour: 200, perDay: 1500)
    {
        IpThrottling = true,
        IpRules = new Dictionary<string, RateLimits>
        { 
            { "192.168.1.1", new RateLimits { PerSecond = 2 } },
            { "192.168.2.0/24", new RateLimits { PerMinute = 30, PerHour = 30*60, PerDay = 30*60*24 } }
        },

        ClientThrottling = true,
        ClientRules = new Dictionary<string, RateLimits>
        { 
            { "api-client-key-1", new RateLimits { PerMinute = 40, PerHour = 400 } },
            { "api-client-key-9", new RateLimits { PerDay = 2000 } }
        }
    },
    Repository = new CacheRepository()
});

 

 

用ThrottlingFilter、EnableThrottlingAttribute特性配置限制频率

EnableThrottling与ThrottlingHandler是一个二选一的策略配置方案，二者会做同样的事情，但ThrottlingHandler可以通过EnableThrottlingAttribute特性指定某个webapi的controllers和actions去自定义频率限制。需要注意的是，在webapi请求管道中，ThrottlingHandler是在controller前面执行，因此在你不需要ThrottlingFilter提供的功能时，可以用ThrottlingHandler去直接替代它。

设置ThrottlingFilter过滤器的步骤，跟ThrottlingHandler类似

 public static class WebApiConfig
    { 
        public static void Register(HttpConfiguration config)
        {
            // Web API 配置和服务
      

            config.SuppressDefaultHostAuthentication();

           
            config.Filters.Add(new CustomerThrottlingFilter()
            {
                Policy = new ThrottlePolicy(perMinute: 15)
                {
                    //scope to IPs
                    IpThrottling = false,

                    //scope to clients (if IP throttling is applied then the scope becomes a combination of IP and client key)
                    ClientThrottling = true,

                    //white list API keys that don’t require throttling
                    ClientWhitelist = new List<string> { "admin-ll" },

                    //Endpoint rate limits will be loaded from EnableThrottling attribute
                    EndpointThrottling = true
                }
            });

 

        }
    }

获取API的客户端key

默认情况下，WebApiThrottle的ThrottlingHandler(限流处理器)会从客户端请求head里通过Authorization-Token key取值。如果你的API key存储在不同的地方，你可以重写ThrottlingHandler.SetIndentity方法，指定你自己的取值策略。

public class CustomThrottlingHandler : ThrottlingHandler
{
    protected override RequestIdentity SetIndentity(HttpRequestMessage request)
    {
        return new RequestIdentity()
        {
            ClientKey = request.Headers.Contains("Authorization-Key") ? request.Headers.GetValues("Authorization-Key").First() : "anon",
            ClientIp = base.GetClientIp(request).ToString(),
            Endpoint = request.RequestUri.AbsolutePath.ToLowerInvariant()
        };
    }
}