Of Stack

Details on Nginx http resource request limits (three ways)

  • 2020-05-17 07:45:22
  • OfStack

Prerequisite: nginx requires the ngx_http_limit_conn_module and ngx_http_limit_req_module modules, using command 2 > Check whether there are corresponding modules for nginx-V | tr "" \n'|grep limit. If not, please recompile and install these two modules.

The test version is: nginx version is 1.15+

Limit the number of links

1. Define the key using the limit_conn_zone directive and set the parameters of the Shared memory region (which the worker process will use to share the counter for the key value). The first parameter specifies the expression to evaluate as the key. The second parameter, zone, specifies the name and size of the area: 


limit_conn_zone $binary_remote_addr zone=addr:10m;

2. Use the limit_conn directive to apply restrictions in the context of location {}, server {} or http {}, with the first parameter being the name of the Shared memory region set above, and the second parameter being the number of links allowed per key: 


location /download/ {
 limit_conn addr 1;
}

When using the $binary_remote_addr variable as a parameter, it is based on the IP address limit. You can also use the $server_name variable to limit the number of connections to a given server: 


http {
 limit_conn_zone $server_name zone=servers:10m;

 server {
 limit_conn servers 1000;
 }
}

Limit request rate

Rate limits can be used to prevent DDoS, CC attacks, or to prevent upstream servers from being inundated with too many requests at once. This method, based on the leaky bucket leaky bucket algorithm, requests that the bucket be reached at various rates and left at a fixed rate. Before using rate limits, you need to configure the global parameters for the "leaking bucket" :

key - used to distinguish between one client and another client as a parameter, usually a variable shared memory zone - name and size of the area where these key states are retained (i.e. "leaking bucket") rate - the request rate limit specified in the number of requests per second (r/s) or requests per minute (r/m) (" leaky bucket emptying "). Requests per minute is used to specify a rate of less than 1 request per second.

These parameters are set using the limit_req_zone directive. This directive is defined at the http {} level - this method allows different regions to be applied and requests overflow parameters to different contexts: 


http {
 #...

 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}

Using this configuration, a Shared memory region of size 10m bytes and name one is created. This area holds the state of the client IP address set using the $binary_remote_addr variable. Note that $remote_addr also contains the IP address of the client, while $binary_remote_addr retains the shorter base 2 representation of the IP address.

The optimal size of the Shared memory area can be calculated using the following data: the $binary_remote_addr IPv4 address has a value size of four bytes, and the storage state on a 64-bit platform occupies 128 bytes. Thus, the status information for approximately 16,000 IP addresses occupies 1m bytes of the region.

If the storage runs out when NGINX needs to add a new entry, the oldest entry is deleted. If there is still not enough free space to accommodate the new record, NGINX returns the 503 Service Unavailable status code, which can be redefined using the limit_req_status directive.

Once this area is set, you can use the limit_req directive anywhere in the NGINX configuration to limit the request rate, especially server {}, location {}, and http {} context: 


http {
 #...

 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

 server {
 #...

 location /search/ {
  limit_req zone=one;
 }
 }
}

Using the above configuration, nginx will process no more than 1 request per second under /search/ routing, and defer processing of these requests in such a way that the total rate is no greater than the set rate. NGINX delays processing such requests until the "store" (Shared store one) is full. For requests to the full bucket, NGINX will respond to the 503 Service Unavailable error (when limit_req_status does not customize the status code).

Limit the broadband

To limit the bandwidth per connection, use the following limit_rate directive: 


location /download/ {
 limit_rate 50k;
}

With this setting, the client will be able to download content over a single connection at a maximum speed of 50k/ SEC. However, clients can bypass this restriction by opening multiple connections. Therefore, if the goal is to prevent the download speed from being greater than the specified value, the number of connections should also be limited. For example, 1 connection per IP address (if the Shared memory region specified above is used) : 


location /download/ {
 limit_conn addr 1;
 limit_rate 50k;
}

To impose restrictions only after the client has downloaded a specified amount of data, use the limit_rate_after directive. It may be reasonable to allow the client to download a fixed amount of data quickly (for example, a file-header movie index) and to limit the rate at which the rest of the data can be downloaded (allowing the user to watch the movie rather than download it). 


limit_rate_after 500k;
limit_rate 20k;

The following example shows the combined configuration used to limit the number of connections and bandwidth. The maximum number of connections allowed is set to 5 connections per client address, which is appropriate for most common situations, since modern browsers typically open up to 3 connections at a time. At the same time, the location where the download is provided allows only 1 connection: 


http {
 limit_conn_zone $binary_remote_address zone=addr:10m

 server {
 root /www/data;
 limit_conn addr 5;

 location / {
 }

 location /download/ {
  limit_conn addr 1;
  limit_rate_after 1m;
  limit_rate 50k;
 }
 }
}

The content is translated from the nginx request restriction section of the document, with a slight tweak to the semantics.

Related articles: