Of Stack

Module configuration tutorial for limiting connections and limiting requests in Nginx server

  • 2020-05-10 23:30:01
  • OfStack

The ngx_http_limit_conn_module module that limits the number of connections
We often encounter this situation, server traffic is abnormal, the load is too large and so on. For malicious attack access with large traffic, it will lead to waste of bandwidth, pressure on the server and impact on the business. Therefore, it is often considered to limit the number of connections and concurrency with 1 ip. The ngx_http_limit_conn_module module implements this requirement. This module can limit the number of connections per key value based on the keys defined, as the number of connections per IP source. Not all connections are counted by the module; only those connections where requests are being processed (whose headers have been read in full) are counted.
1.   ngx_http_limit_conn_module instruction interpretation
1. limit_conn_zone
Grammar: 


limit_conn_zone $variable zone=name:size;

Default: none
Configuration section: http
This directive describes the session state storage area. The state of the key holds the current number of connections, and the value of the key can be any non-null value of a particular variable (null values will not be considered). $variable defines the key, zone=name defines the region name, which is used by the limit_conn directive. size defines the size of the individual key Shared memory space. Such as: 


limit_conn_zone $binary_remote_addr zone=addr:10m;

Note: the IP address of the client is used as the key. Note that the $binary_remote_addr variable is used instead of the $remote_addr variable.
The $remote_addr variable is between 7 and 15 bytes long, while the storage state occupies 32 or 64 bytes in 32-bit platforms, and 64 bytes in 64-bit platforms.
The $binary_remote_addr variable has a fixed length of 4 bytes, and the storage state occupies 32 bytes or 64 bytes in 32-bit platforms, and 64 bytes in 64-bit platforms.
The 1M Shared space can hold 32, 000 32-bit states and 16, 000 64-bit states.
If the Shared memory space is used up, the server will return a 503 (Service Temporarily Unavailable) error on all subsequent requests.
The limit_zone directive has the same meaning as the limit_conn_zone directive.
2. limit_conn_log_level
Grammar: 


limit_conn_log_level info | notice | warn | error

Default: error
Configuration segments: http, server, location
When the maximum number of connections is reached, the level of logging is logged.
3. limit_conn
Grammar: 


limit_conn zone_name number

Default: none
Configuration section: http, server, location
Specifies the maximum number of simultaneous connections per given key value and is returned as 503 (Service Temporarily Unavailable) error when this number is exceeded. Such as: 


limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
 location /www.ttlsa.com/ {
  limit_conn addr 1;
 }
}

Only 1 connection is allowed with 1IP same time.
All connection limits take effect when multiple limit_conn directives are configured. For example, the following configuration limits not only the number of connections from the single 1IP source, but also the total number of connections to the single 1 virtual server: 


limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server {
 limit_conn perip 10;
 limit_conn perserver 100;
}

The limit_conn directive can be inherited from a parent.
4. limit_conn_status
Syntax: limit_conn_status code;
Default: limit_conn_status 503;
Configuration section: http, server, location
This specification was introduced in version 1.3.15. Specifies the status code to be returned when the limit is exceeded. The default is 503.
5. limit_rate
Syntax: limit_rate rate
Default value: 0
Configuration section: http, server, location, if in location
A rate limit for each connection. The parameter rate is in bytes per second, and setting it to 0 turns off the speed limit. Limit the connection speed rather than the IP limit, so if a client opens both connections at the same time, the overall client rate is twice the value set by this directive.
2. Complete instance configuration 


http {
 limit_conn_zone $binary_remote_addr zone=limit:10m;
 limit_conn_log_level info;
 
 server {
 location ^~ /download/ { 
 limit_conn limit 4;
 limit_rate 200k;
 alias /data/www.ttlsa.com/download/;
    }
 }
}

3. Precautions for use
Every transaction has two sides. The ngx_http_limit_conn_module module, while addressing the current concurrency issues, will introduce additional issues. For example, if the front end does LVS or reverse generation, and our back end enables the module function, isn't that a lot of 503 errors? In this way, the module can be enabled in the front end, or the whitelist can be set. Please refer to the following documents for the whitelist setting, and I will sort out a copy for readers' reference.

ngx_http_limit_req_module module that limits the number of requests
We talked about the ngx_http_limit_conn_module module to limit the number of connections. So what about the limit on the number of requests? This is done through the ngx_http_limit_req_module module, which can limit the frequency of request processing by defining key values. In particular, you can limit the frequency of requests processed from a single IP address. The limiting method is a funnel, fixed number of requests per second, deferring too many requests.
1. ngx_http_limit_req_module module instruction
1. limit_req_zone
Grammar: 


limit_req_zone $variable zone=name:size rate=rate;

Default: none
Configuration section: http
Sets the state parameter that a block of Shared memory limit fields are used to hold key values. In particular, the number of requests currently exceeded is saved. The value of the key is the specified variable (null values are not evaluated). Such as 


limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Note: the region name is one, the size is 10m, and the average frequency of requests processed cannot exceed 1 per second.
The key value is client IP.
Using the $binary_remote_addr variable, you can reduce the size of each state record to 64 bytes, so that 1M's memory can hold about 16,000 64 bytes of records.
If the limited domain runs out of storage, the server returns a 503 (Service Temporarily Unavailable) error for all subsequent requests.
The speed can be set to the number of requests per second and the number of requests per minute. The value must be an integer, so if you need to specify that less than 1 request per second is processed and 1 request is processed in 2 seconds, you can use "30r/m".
2. limit_req_log_level
Grammar: 


limit_req_log_level info | notice | warn | error;

Default: limit_req_log_level error;
Configuration section: http, server, location
Set the level of logging you wish to log when the server rejects or delays processing requests due to excessive frequency. The log level of delayed logging is 1 level lower than that of rejected logging. For example, if "limit_req_log_level notice" is set, the delayed log is at the info level.
limit_req_status
Grammar: 


limit_conn_zone $binary_remote_addr zone=addr:10m;
0

Default: limit_req_status 503;
Configuration section: http, server, location
This directive was introduced in version 1.3.15. Sets the response status code to reject the request.
3. limit_req
Grammar: 


limit_conn_zone $binary_remote_addr zone=addr:10m;
1

Default value: --
Configuration section: http, server, location
Sets the corresponding Shared memory limit domain and threshold for the maximum number of requests allowed to be processed. If the frequency of the request exceeds the value of the restricted domain configuration, the processing of the request is delayed, so all requests are processed at a defined frequency. Requests that exceed the frequency limit are delayed until the number of requests delayed exceeds the defined threshold, at which point the request is terminated and a 503 (Service Temporarily Unavailable) error is returned. The default value for this threshold is 0. Such as: 


limit_conn_zone $binary_remote_addr zone=addr:10m;
2

Limit the number of requests to no more than 1 per second on average, and allow no more than 5 requests exceeding the frequency limit.
If the request that you do not want to exceed is delayed, you can use the nodelay parameter, such as: 


limit_req zone=ttlsa_com burst=5 nodelay;

2. Complete instance configuration 


limit_conn_zone $binary_remote_addr zone=addr:10m;
4

Some IP may not be restricted and need to be whitelist. Please refer to the following documents for the list setting, and I will arrange one for readers' reference. Please focus.

Related articles: