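Goal: use the nginx.conf file to limit the number of concurrent connections from certain IP addresses.
Solution:
Use nginx's built-in connection-limiting module (the limit_conn_zone and limit_conn directives).
1. Without any limit
The nginx.conf file is as follows: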

user www www;
worker_processes 2;  # set this to the number of CPU cores
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit;  # log location and log level
pid /usr/local/webserver/nginx/nginx.pid;
# Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for';
    #charset gb2312;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    #limit_zone crawler $binary_remote_addr 10m;

    # server (virtual host) configuration
    server {
        listen 80;  # listening port
        server_name localhost;  # domain name
        index index.html index.htm index.php;
        root /usr/local/webserver/nginx/html;  # site root directory

        location ~ .*\.(php|php5)?$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
            expires 30d;
            # access_log off;
        }

        location ~ .*\.(js|css)?$ {
            expires 15d;
            # access_log off;
        }

        access_log off;
    }
}
Load test with ab:
Failed requests:0
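2. Limiting concurrent connections for certain IPs
http {
    # The geo and map blocks implement the whitelist. The map block maps the list onto $limit:
    # an IP listed in geo is mapped to an empty value, any other client to its own IP address.
    # limit_conn_zone ignores requests whose key is empty, so the listed IPs are not limited.
    geo $whiteiplist {
        default 1;
        127.0.0.1 0;
        121.199.16.249 0;
    }
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }
    # limit_conn_zone sets up the per-IP tracking of concurrent connections.
    # It creates a shared zone, 10m in size, that stores the state of each key.
    # $limit is the key, which limits the number of connections per source IP.
    limit_conn_zone $limit zone=perip:10m;
    # Limit each IP to 5 concurrent requests
    limit_conn perip 5;
}
If an IP should not be limited, set the value for that IP to 0.
If an IP should be limited, set the value for that IP to 1.
The value for default (all IPs not listed) can be either 1 or 0.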
geo $whiteiplist {
xxx.xxx.xxx.xxx 0;
yyy.yyy.yyy.yyy 1;
default 1;
}
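The geo directive defines a whitelist variable, whiteiplist, with a default value of 1, so every client is limited. If the client IP matches an address listed in the whitelist, whiteiplist is 0, meaning the client is not limited.
The map directive maps a whiteiplist value of 1 (a limited IP) to the client IP address, and a whiteiplist value of 0 (a whitelisted IP) to the empty string.
The limit_conn_zone directive ignores requests whose key is empty, which is how the listed IPs end up not being limited.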
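The whitelist pattern described above, as an added example that is not part of the original post: a minimal nginx.conf that also makes rejections visible to the operator. The 192.0.2.0/24 range, the 429 status and the warn log level are choices made for this example; the error_log level of crit used in the configurations on this page suppresses the limit_conn rejection messages, which nginx logs at error level by default.

```nginx
# Added example, not the original author's configuration.
# 'warn' (or any more verbose level) is needed here: with 'crit',
# messages about rejected connections never reach the error log.
error_log /usr/local/webserver/nginx/logs/nginx_error.log warn;

events {
    worker_connections 1024;
}

http {
    # geo matches on $remote_addr by default; entries can be single
    # addresses or CIDR ranges.
    geo $whiteiplist {
        default        1;   # limited
        127.0.0.1      0;   # exempt
        192.0.2.0/24   0;   # exempt (constructed example range)
    }

    # Limited clients are keyed by their address; exempt clients get an
    # empty key, which limit_conn_zone does not account.
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }

    limit_conn_zone $limit zone=perip:10m;

    # Status returned to rejected requests (the default is 503).
    limit_conn_status    429;
    # Level at which rejections are logged (the default is error).
    limit_conn_log_level warn;

    server {
        listen 80;
        server_name localhost;
        root /usr/local/webserver/nginx/html;

        # At most 50 concurrent connections per non-exempt client address.
        limit_conn perip 50;
    }
}
```

Keep exempt ranges as narrow as possible: every address that maps to the empty key bypasses the limit entirely.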
1. Limiting concurrent connections for all IPs
The nginx.conf file is as follows:

user www www;
worker_processes 2;  # set this to the number of CPU cores
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit;  # log location and log level
pid /usr/local/webserver/nginx/nginx.pid;
# Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for';
    #charset gb2312;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # No whitelist entries: every client gets the value 1 and is limited
    geo $whiteiplist {
        default 1;
    }
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_conn_zone $limit zone=perip:10m;
    limit_conn perip 50;

    # server (virtual host) configuration
    server {
        listen 80;  # listening port
        server_name localhost;  # domain name
        index index.html index.htm index.php;
        root /usr/local/webserver/nginx/html;  # site root directory

        location ~ .*\.(php|php5)?$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
            expires 30d;
            # access_log off;
        }

        location ~ .*\.(js|css)?$ {
            expires 15d;
            # access_log off;
        }

        access_log off;
    }
}
The result of the ab load test is as follows:
Failed requests:352
2. Testing whether the whitelist takes effect
The nginx.conf file is as follows:

user www www;
worker_processes 2;  # set this to the number of CPU cores
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit;  # log location and log level
pid /usr/local/webserver/nginx/nginx.pid;
# Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for';
    #charset gb2312;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # 47.93.39.164 is whitelisted (value 0); every other client is limited
    geo $whiteiplist {
        47.93.39.164 0;
        default 1;
    }
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_conn_zone $limit zone=perip:10m;
    limit_conn perip 50;

    # server (virtual host) configuration
    server {
        listen 80;  # listening port
        server_name localhost;  # domain name
        index index.html index.htm index.php;
        root /usr/local/webserver/nginx/html;  # site root directory

        location ~ .*\.(php|php5)?$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
            expires 30d;
            # access_log off;
        }

        location ~ .*\.(js|css)?$ {
            expires 15d;
            # access_log off;
        }

        access_log off;
    }
}
The result of the ab load test is as follows:
Failed requests:0
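Note: you can also change the values assigned to the IPs in the whitelist, which turns it into a blacklist.
After every change to nginx.conf, check the file with the command below and then reload it; only then does the change take effect.
Related commands:

Check that the configuration file is valid:
/usr/local/webserver/nginx/sbin/nginx -t
Reload the configuration file:
/usr/local/webserver/nginx/sbin/nginx -s reload
Reopen the log files (this signal does not restart nginx):
/usr/local/webserver/nginx/sbin/nginx -s reopen
Stop nginx:
/usr/local/webserver/nginx/sbin/nginx -s stop
Start nginx:
/usr/local/webserver/nginx/sbin/nginx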