Nginx配置-对某些ip进行并发限制

目标:通过对nginx.conf文件的配置,对某些ip进行并发限制

解决方案:

采用nginx内置的limit_conn_zone模块

1.当没有进行任何限制时

nginx.conf配置文件内容如下:

user www www;
worker_processes 2; #设置值和CPU核心数一致
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit; #日志位置和日志级别
pid /usr/local/webserver/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;
events
{
  use epoll;
  worker_connections 65535;
}
http
{
  include mime.types;
  default_type application/octet-stream;
  log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for';

#charset gb2312;

  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 60;
  tcp_nodelay on;
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  #limit_zone crawler $binary_remote_addr 10m;
 #下面是server虚拟主机的配置
 server
  {
    listen 80;#监听端口
    server_name localhost;#域名
    index index.html index.htm index.php;
    root /usr/local/webserver/nginx/html;#站点目录
      location ~ .*\.(php|php5)?$
    {
      #fastcgi_pass unix:/tmp/php-cgi.sock;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$
    {
      expires 30d;
  # access_log off;
    }
    location ~ .*\.(js|css)?$
    {
      expires 15d;
   # access_log off;
    }
    access_log off;
  }

}
View Code

采用ab进行压力测试:

image

Failed requests:0

2.对某些IP进行并发限制

http {

     #geot和map两段用于处理限速白名单,map段映射名单到$limit,处于geo内的IP将被映射为空值,否则为其IP地址。
     #limit_conn_zone指令对于键为空值的将会被忽略,从而实现对于列出来的IP不做限制
     geo $whiteiplist  {
        default 1;
        127.0.0.1 0;
        121.199.16.249 0;
     }
     map $whiteiplist  $limit {
        1 $binary_remote_addr;
        0 "";
     }

     #limit_conn_zone定义每个IP的并发连接数量
     #设置一个缓存区保存不同key的状态,大小10m。使用$limit来作为key,以此限制每个源IP的链接数
     limit_conn_zone $limit  zone=perip:10m;

     #限制每IP的请求并发数量为5个
     limit_conn perip 5;

}

如果某个ip不需要进行限制,则只需要将该ip对应的值置为0

如果某个ip需要进行限制,则只需要将该ip对应的值置为1

default默认ip对应的值可以是1,也可以是0

geo $whiteiplist {

  xxx.xxx.xxx.xxx 0;

 yyy.yyy.yyy.yyy 1;

default 1;

}

geo指令定义一个白名单whiteiplist,默认值为1,所有都受限制。如果客户端IP与白名单列出的IP相匹配,则whiteiplist值为0也就是不受限制。

map指令是将whiteiplist值为1的,也就是受限制的IP,映射为客户端IP。将whiteiplist值为0的,也就是白名单IP,映射为空的字符串。

limit_conn_zone指令对于键为空值的将会被忽略,从而实现对于列出来的IP不做限制。

1.对所有ip进行并发限制

nginx.conf配置文件如下:

user www www;
worker_processes 2; #设置值和CPU核心数一致
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit; #日志位置和日志级别
pid /usr/local/webserver/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;
events
{
  use epoll;
  worker_connections 65535;
}
http
{
  include mime.types;
  default_type application/octet-stream;
  log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for';

#charset gb2312;

  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 60;
  tcp_nodelay on;
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  geo $whiteiplist
  {
    default 1;
  }

  map $whiteiplist $limit
  {
$binary_remote_addr;
"";
  }

  limit_conn_zone $limit  zone=perip:10m;
  limit_conn  perip  50;

 #下面是server虚拟主机的配置
 server
  {
    listen 80;#监听端口
    server_name localhost;#域名
    index index.html index.htm index.php;
    root /usr/local/webserver/nginx/html;#站点目录
      location ~ .*\.(php|php5)?$
    {
      #fastcgi_pass unix:/tmp/php-cgi.sock;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$
    {
      expires 30d;
  # access_log off;
    }
    location ~ .*\.(js|css)?$
    {
      expires 15d;
   # access_log off;
    }
    access_log off;
  }

}
View Code

采用ab进行压力测试结果如下:

image

Failed requests:352

2.测试白名单是否生效

nginx.conf文件内容如下:

user www www;
worker_processes 2; #设置值和CPU核心数一致
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit; #日志位置和日志级别
pid /usr/local/webserver/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;
events
{
  use epoll;
  worker_connections 65535;
}
http
{
  include mime.types;
  default_type application/octet-stream;
  log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for';

#charset gb2312;

  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 60;
  tcp_nodelay on;
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  geo $whiteiplist
  {
    47.93.39.164 0;
    default 1;
  }

  map $whiteiplist $limit
  {
    1 $binary_remote_addr;
    0 "";
  }

  limit_conn_zone $limit  zone=perip:10m;
  limit_conn  perip  50;

 #下面是server虚拟主机的配置
 server
  {
    listen 80;#监听端口
    server_name localhost;#域名
    index index.html index.htm index.php;
    root /usr/local/webserver/nginx/html;#站点目录
      location ~ .*\.(php|php5)?$
    {
      #fastcgi_pass unix:/tmp/php-cgi.sock;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$
    {
      expires 30d;
  # access_log off;
    }
    location ~ .*\.(js|css)?$
    {
      expires 15d;
   # access_log off;
    }
    access_log off;
  }

}
View Code

采用ab进行压力测试结果如下:

image

Failed requests:0

说明:也可以更改白名单内ip对应的值,使得其变成一个黑名单

每次更改完nginx.conf配置文件之后都要使用命令来检查文件的正确性,然后重新加载文件,这样更改才会生效

相关命令:

查看配置文件是否正确
/usr/local/webserver/nginx/sbin/nginx –t

重新载入配置文件
/usr/local/webserver/nginx/sbin/nginx -s reload

重启nginx
/usr/local/webserver/nginx/sbin/nginx -s reopen

停止nginx
/usr/local/webserver/nginx/sbin/nginx -s stop

启动nginx
/usr/local/webserver/nginx/sbin/nginx

View Code

image

参考:

https://www.runoob.com/linux/nginx-install-setup.html

https://www.cnblogs.com/kevingrace/p/6165572.html

https://blog.csdn.net/qq_25934401/article/details/82802075

http://zhangguangzhi.top/2017/11/10/nginx%E9%99%90%E5%88%B6ip%E5%B9%B6%E5%8F%91%E8%BF%9E%E6%8E%A5%E6%95%B0%E4%BB%A5%E5%8F%8A%E6%AF%8F%E7%A7%92%E5%A4%84%E7%90%86%E8%AF%B7%E6%B1%82%E6%95%B0/



posted @ 2020-03-23 17:09  西*风  阅读(1249)  评论(0编辑  收藏  举报