Details on the control of Nginx on traffic
- 2020-05-15 03:41:25
- OfStack
purpose
Understand the ngx_http_limit_conn_module and ngx_http_limit_req_module modules of Nginx to control the request traffic.
Nginx modular
The internal structure of nginx is composed of core modules and series 1 functional modules. The modular architecture makes the functionality of each module relatively simple and highly cohesive, while also facilitating the functional extension of Nginx.
For the request of web, all modules opened by Nginx will form a chain, similar to a level in the game. Each module is responsible for specific functions, such as the compressed ngx_http_gzip_module module, the verified ngx_http_auth_basic_module module and the agent ngx_http_proxy_module module. The request to connect to the server will be processed by each module of Nginx in turn. Only after the request is processed by these modules will it be passed to the background program code for processing.
Nginx concurrent access control
For the web server, when it encounters a network crawler or a malicious traffic attack, the server memory and CPU will be full and the bandwidth will be full. Therefore, as a mature server agent software, it needs to be able to control these situations.
There are two ways for Nginx to control concurrency. One is to control the amount of concurrency through IP or other parameters. The other is to control the total amount of request processing per unit time. This is the control of concurrency and parallelism, which are implemented by the ngx_http_limit_conn_module and ngx_http_limit_req_module modules, respectively.
ngx_http_limit_conn_module module
instructions
This module is mainly used to control the amount of concurrent requests.
Parameter configuration
limit_conn_zone
The directive is configured to limit_conn_zone key zone=name:size
Context for configuration: http
Note: key is a variable in Nginx, usually binaryremoteaddr|server_name; name is the name of the Shared memory, size is the size of the Shared memory; This configuration will request 1 block of Shared memory space name and save access to key
limit_conn_log_level
Syntax: limit_conn_log_level info notice| notice|warn|error
Default: error
Configuration context: http, server, location
Note: when the maximum limit is reached, the access is logged
limit_conn
Syntax: limit_conn zone_name number
Configuration context: http, server, location
Note: use zone_name for access concurrency control, and return the corresponding error code when number is exceeded
limit_conn_status
Syntax: limit_conn_status code
Default: 503
Configuration context: http, server, location
Note: when the limit of number is exceeded, the error code will be returned to the client. This error code can be used with error_page and other parameters to return a friendly error page to the client when the limit of error_page is exceeded
limit_rate
Syntax: limit_rate rate
Default value: 0
Configuration context: http, server, location
Note: limit the speed of each link. rate represents the download speed per second.
limit_rate_after
Syntax: limit_rate_after size
Configuration context: http, server, location
Note: this command works with limit_rate. limit_rate does not take effect until the traffic exceeds size
Simple configuration example
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
listen 80;
server_name www.domain.com;
root /path/;
index index.html index.htm;
location /ip {
limit_conn_status 503; # The status code returned after exceeding the limit;
limit_conn_log_level warn; # Logging level
limit_rate 50; # Bandwidth limitations
limit_conn addr 1; # Controlling concurrent access
}
# Returns when the concurrent access limit is exceeded 503 Error page
error_page 503 /503.html;
}
ngx_http_limit_req_module module
instructions
This module mainly controls the number of requests per unit time. "leaky bucket" (funnel) algorithm is used for filtering. After setting the limit of rate, when the number of requests per unit time exceeds rate, the module will detect the burst value. If the value is 0, the request will return an error or wait according to the configuration of delay|nodelay. If burst is greater than 0, when the number of requests is greater than rate but less than burst, the requests enter the waiting queue for processing.
Parameter configuration
limit_req_zone
Syntax: limit_req_zone key zone=name:size rate=rate
Configuration context: http
Note: key is a variable in Nginx, usually binaryremoteaddr|server_name; name is the name of the Shared memory, size is the size of the Shared memory; rate is the access frequency and the units are r/s, r/m. This configuration will request 1 block of Shared memory space name and save the access condition of $key.
limit_req
Syntax: limit_rate zone=name [burst=number] [nodelay|delay=number]
Configuration context: http, server, location
Note: open the limit, burst sets the maximum capacity, nodelay decides whether to wait for processing or return an error code when the request exceeds the limit.
limit_req_log_level and limit_req_status configuration parameters are about the same as ngx_http_limit_conn_module module 1;
Simple configuration example
limit_req_zone $binary_remote_addr zone=req:10m rate=2r/m;
server {
listen 80;
server_name www.domain.com;
root /path/;
index index.html index.htm;
location /limit {
limit_req zone=req burst=3 nodelay;
}
# Returns when the concurrent access limit is exceeded 503 Error page
error_page 503 /503.html;
}
Pay attention to
Both kinds of access control need to apply for memory space. Since there is memory space, of course, there will be situations where memory runs out and new requests will be returned with errors. Therefore, when the traffic limit is turned on, you need to monitor to prevent such situations.
summary
Through the simple introduction of the modular architecture of Nginx, the function and configuration parameters of ngx_http_limit_conn_module and ngx_http_limit_req_module modules are mainly understood, so as to realize the concurrent control of Nginx on requests. If there is anything wrong, please advise