Nginx limits IP access frequency to prevent brute-force attacks

When we visit a webpage, several HTTP requests are always sent, for example to update the read count and the like count, which are usually changed dynamically through ajax. If such an interface does no verification, it is easily abused to attack the website.

In the past, when I was not yet comfortable with nginx, I wrote a handler in Java that restricts IP access and can limit the access frequency of each interface per IP. Although the code was rather crude, it barely achieved the effect (with bugs remaining): limiting the flood of calls from one IP to the same interface. This time we will use nginx to deal with the problem.

This mainly uses two nginx modules, ngx_http_limit_conn_module and ngx_http_limit_req_module:

ngx_http_limit_conn_module: limits the number of concurrent connections;

ngx_http_limit_req_module: limits the access frequency of the same IP within a period of time.

First, to stop others from attacking the server, or the server from crashing under abnormally high traffic, we need to limit the traffic. For a sudden wave of concurrent access, we need to limit the number of concurrent connections within one second, which is where the first module comes in:

http {

    limit_conn_zone $binary_remote_addr zone=addr:10m;
    # Defines a limit_conn_zone named addr with 10 MB of shared memory,
    # keyed on $binary_remote_addr, to store the per-client connection state.
    # limit_conn_zone (which replaced the older limit_zone directive)
    # may only be placed inside the http{} block.

    ...

    server {

        ...

        location / {
            limit_conn addr 10;   # connection limit
            # Sets the shared memory zone and the maximum number of connections
            # allowed for a given key. When this limit is exceeded, the server
            # returns 503 (Service Temporarily Unavailable).
            # If the zone runs out of storage, the server also returns 503.
        }

    }

}

With the configuration above, when a burst of accesses arrives at the same moment, only 10 IPs get a response, and the remaining IPs are returned a 503 status directly.

Secondly, even if an IP is allowed to reach the server, it may call an interface frantically, for example by putting the request in a for loop on the page and refreshing without pause. Besides corrupting the data, this can eventually exhaust the server's bandwidth and leave it hung, which is where the second module comes in:

http {
    ...

    # Defines a limit_req_zone named allips with 10 MB of shared memory,
    # keyed on $binary_remote_addr, limiting the average rate to 20 requests per second.
    # 1 MB can store 16000 states; the rate value must be an integer,
    # so to allow one request every two seconds, set 30r/m.

    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    ...
    server {
        ...
        location / {
            ...

            # Limits each IP to no more than 20 requests per second, with a leaky-bucket burst of 5.
            # burst means: if seconds 1, 2, 3 and 4 each carry 19 requests,
            # 25 requests in second 5 are still allowed.
            # But if second 1 already carries 25 requests, requests beyond 20 in second 2 get 503.
            # nodelay: without this option, requests are strictly throttled to the average rate,
            # so of 25 requests in second 1, 5 are held over and executed in second 2;
            # with nodelay, all 25 requests are executed in second 1.

            limit_req zone=allips burst=5 nodelay;
            ...
        }
        ...
    }
    ...
}

The effect now is that the same IP can get only 20 visits in one second; if more than 20 requests are sent, the excess ones are also returned 503 directly.
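
The burst and nodelay comments in the configuration above describe a leaky bucket that limit_req keeps per key. The following model is an added example, not nginx's own code: it mirrors the accounting nginx's documentation describes (time in milliseconds, excess in thousandths of a request) and replays a constructed flood of 25 instantaneous requests and a steady stream from one IP through rate=20r/s burst=5, with and without nodelay, so that "served", "delayed" and "503" become visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LimitReqState:
    """Per-key state of a limit_req_zone, in nginx's integer units: time in ms,
    excess in thousandths of a request, rate in requests per second."""
    rate: int                     # e.g. 20 for "rate=20r/s"
    burst: int = 0                # "burst=" parameter
    nodelay: bool = False         # "nodelay" parameter
    delay: int = 0                # "delay=" parameter (default 0: all excess is delayed)
    excess: int = 0               # stored excess, thousandths of a request
    last: Optional[int] = None    # time (ms) of the last accounted request

    def check(self, now_ms: int) -> Tuple[str, int]:
        """Account one request; returns ("pass", 0), ("delay", wait_ms) or ("reject", 0)."""
        if self.last is None:          # first request for this key is always served
            self.last = now_ms
            return ("pass", 0)
        rate_k = self.rate * 1000
        leaked = rate_k * max(0, now_ms - self.last) // 1000
        # Drain what the rate allowed since the last request, then add this one.
        excess = max(0, self.excess - leaked + 1000)
        if excess > self.burst * 1000:
            return ("reject", 0)       # 503; the stored state is left untouched
        self.excess, self.last = excess, now_ms
        delay_k = self.burst * 1000 if self.nodelay else self.delay * 1000
        if excess <= delay_k:
            return ("pass", 0)
        return ("delay", (excess - delay_k) * 1000 // rate_k)   # wait until the bucket drains


def simulate(arrivals_ms: List[int], rate: int, burst: int, nodelay: bool) -> Dict[str, int]:
    """Feed one IP's arrival times (ms) through the limiter and count the verdicts."""
    state = LimitReqState(rate=rate, burst=burst, nodelay=nodelay)
    counts = {"pass": 0, "delay": 0, "reject": 0}
    for t in arrivals_ms:
        counts[state.check(t)[0]] += 1
    return counts


# Constructed traffic from a single IP (not captured data).
FLOOD_25_AT_ONCE = [0] * 25                      # a for loop firing 25 requests at once
STEADY_25_PER_SEC = [40 * i for i in range(50)]  # one request every 40 ms for two seconds

if __name__ == "__main__":
    print(simulate(FLOOD_25_AT_ONCE, 20, 5, True))    # 6 served, 19 get 503
    print(simulate(FLOOD_25_AT_ONCE, 20, 5, False))   # 1 served now, 5 delayed, 19 get 503
    print(simulate(STEADY_25_PER_SEC, 20, 5, True))   # 45 served, 5 get 503
```

Note that a flood arriving in the same instant is cut off after burst+1 requests, not after 20: the "20 per second" only holds for traffic spread across the second, and a steady 25 r/s is trimmed to the 20 r/s average plus the burst.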

The two configurations can also be combined: only 10 connections per second, and each connection can send only 20 requests.

Note: configure the request-count limits carefully, otherwise a careless value will produce 503 (ERR_ABORTED 503 (Service Temporarily Unavailable)) errors.

Both features are very useful, but neither configuration is absolutely safe: with enough patience to work out the waiting interval between requests, these checks can still be bypassed, so the best approach is still to do the verification on the server side!

Origin blog.csdn.net/sunny_day_day/article/details/128132999