Of Stack

Detail the request limits (connection limits and request limits) of nginx

  • 2020-05-15 03:32:49
  • OfStack

1, the background,

We often encounter this situation, server traffic is abnormal, the load is too large and so on. For malicious attack access with large traffic, it will lead to the waste of bandwidth, server pressure and impact on the business. It is often considered to limit the number of connections and concurrency with one ip. The http_limit_conn_module module. This module can limit the number of connections per key value based on the keys defined, as the number of connections per IP source. Not all connections are counted by the module; only those connections where requests are being processed (whose headers have been read in full) are counted. The http_limit_req_module module, which can limit the frequency of request processing by defining key values. In particular, you can limit the frequency of requests processed from a single IP address. The limiting method is a funnel, fixed number of requests per second, deferring too many requests.

2. Configuration syntax

1, http_limit_conn_module instruction interpretation

limit_conn_zone
Syntax: limit_conn_zone $variable zone=name:size;
Default: none
Configuration segment: http

This directive describes the session state storage area. The state of the key holds the current number of connections, and the value of the key can be any non-null value of a particular variable (null values will not be considered). $variable defines the key, zone=name defines the region name, which is used by the limit_conn directive. size defines the size of each key Shared memory space. Such as: 


limit_conn_zone $binary_remote_addr zone=addr:10m;

Note: the IP address of the client is used as the key. Note that the $binary_remote_addr variable is used, not the $remote_addr variable.

The $remote_addr variable is between 7 and 15 bytes long, while the storage state occupies 32 or 64 bytes in 32-bit platforms and 64 bytes in 64-bit platforms.

The $binary_remote_addr variable has a fixed length of 4 bytes, and the storage state occupies 32 bytes or 64 bytes in 32-bit platforms, and 64 bytes in 64-bit platforms.

The 1M Shared space can hold 32, 000 32-bit states and 16, 000 64-bit states.

If the Shared memory space is used up, the server will return a 503 (Service Temporarily Unavailable) error on all subsequent requests.

The limit_zone directive has the same meaning as the limit_conn_zone directive.

limit_conn_log_level
Syntax: limit_conn_log_level info | notice | warn | error
Default: error

Configuration section: http, server, location

When the maximum number of connections is reached, the level of logging is logged.

limit_conn
Syntax: limit_conn zone_name number
Default: none
Configuration section: http, server, location

Specifies the maximum number of simultaneous connections per given key value and is returned as 503 (Service Temporarily Unavailable) error when this number is exceeded. Such as: 


limit_conn_zone $binary_remote_addrzone=addr:10m;
server{
 location /www.baidu.com/{
  limit_conn addr 1;
 }
}

Only one connection is allowed with 1IP same time.

All connection limits take effect when multiple limit_conn directives are configured. For example, the following configuration not only limits the number of connections to the single 1IP source, but also limits the total number of connections to the single 1 virtual server: 


limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server {
 limit_conn perip 10;
 limit_conn perserver 100;
}

The [warning]limit_conn directive can be inherited from a higher level. [/ warning]

limit_conn_status
Syntax: limit_conn_status code;
Default: limit_conn_status 503;
Configuration section: http, server, location

This specification was introduced in version 1.3.15. Specifies the status code to be returned when the limit is exceeded. The default is 503.

limit_rate
Syntax: limit_rate rate
Default value: 0
Configuration section: http, server, location, if in location

A rate limit for each connection. The parameter rate is in bytes per second, and setting it to 0 turns off the speed limit. Limit the connection speed rather than the IP limit, so if a client opens both connections at the same time, the overall client rate is twice the value set by this directive.

Full instance configuration 


http{
 limit_conn_zone$binary_remote_addrzone=limit:10m;
 limit_conn_log_level info;
 server{
  location ^~/download/{ 
  limit_conn limit 4;
  limit_rate 200k;
  /data/www.baidu.com/download/;
  }
 }
}

Precautions for use

Every transaction has two sides. While the http_limit_conn_module module addresses the current concurrency issues, it will introduce other issues. For example, if the front end does LVS or reverse generation, and our back end enables the module function, isn't that a lot of 503 errors? In this case, you can enable the module on the front end, or you can set the whitelist, which is set in the following documentation.

2, ngx_http_limit_req_module module instruction

limit_req_zone
Syntax: limit_req_zone $variable zone=name:size rate=rate;
Default: none
Configuration section: http

Sets the state parameter that a block of Shared memory limit fields are used to hold key values. In particular, the number of requests currently exceeded is saved. The value of the key is the specified variable (null values are not evaluated). Such as 


limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Note: the region name is one, the size is 10m, and the average frequency of requests processed cannot exceed 1 per second.
The key value is client IP.

Using the $binary_remote_addr variable, you can reduce the size of each state record to 64 bytes, so that 1M's memory can hold about 16,000 64 bytes of records.

If the limited domain runs out of storage, the server returns a 503 (Service Temporarily Unavailable) error for all subsequent requests.
The speed can be set to the number of requests per second and the number of requests per minute. The value must be an integer, so if you need to specify that you want to process less than one request per second and one request per two seconds, you can use "30r/m".

limit_req_log_level
Grammar: limit_req_log_level info | notice | warn | error;
Default: limit_req_log_level error;
Configuration section: http, server, location

Set the level of logging you wish to log when the server rejects or delays processing requests due to excessive frequency. The log level of delayed logging is 1 level lower than that of rejected logging. For example, if "limit_req_log_level notice" is set, the delayed log is at info level.

limit_req_status
Syntax: limit_req_status code;
Default: limit_req_status 503;
Configuration section: http, server, location

This directive was introduced in version 1.3.15. Sets the response status code to reject the request.

limit_req
Syntax: limit_req zone=name [burst=number] [nodelay];
Default value: --
Configuration section: http, server, location

Sets the corresponding Shared memory limit domain and threshold for the maximum number of requests allowed to be processed. If the frequency of the request exceeds the value of the restricted domain configuration, the processing of the request is delayed, so all requests are processed at a defined frequency. Requests that exceed the frequency limit are delayed until the number of requests delayed exceeds the defined threshold, at which point the request is terminated and a 503 (Service Temporarily Unavailable) error is returned. The default value for this threshold is 0. Such as: 


limit_req_zone $binary_remote_addr zone=creq:10 mrate=1r/s;
server{
 location /www.baidu.com/{
  limit_req zone=creq burst=5;
 }
}

Limit the number of requests to no more than 1 per second on average, and allow no more than 5 requests exceeding the frequency limit.

If the request that you do not wish to exceed is delayed, you can use the nodelay parameter, such as: 


limit_req zone=ttlsa_com burst=5 nodelay;

Full instance configuration 


http{
 limit_req_zone $binary_remote_addr zone=creq:10m rate=1r/s;
 server{
  location ^~/download/{ 
  limit_req zone=creq burst=5;
  data/www.baidu.com/download/;
  }
 }
}

Some IP may not be restricted and need to be whitelist.

Related articles: