Home > Backend Development > PHP Tutorial > PHP nginx limits the number of IP requests and the number of concurrency

PHP nginx limits the number of IP requests and the number of concurrency

WBOY
Release: 2016-07-30 13:31:28
Original
1590 people have browsed it

How to set a limit on the number of visits to a certain IP within a certain period of time is a headache, especially when facing malicious DDoS attacks. Among them, CC attack (Challenge Collapsar) is a type of DDOS (Distributed Denial of Service) and a common website attack method. The attacker continuously sends a large number of data packets to the victim host through a proxy server or broiler, causing the opponent's server to Resources are exhausted until the machine crashes. CC attacks generally use a limited number of IPs to frequently send data to the server to achieve the purpose of the attack. nginx can limit the number of IP accesses in the same time period through the configuration of HttpLimitReqModul and HttpLimitZoneModule to prevent CC attacks. HttpLimitReqModul is a module used to limit the number of connections per unit time. Use the limit_req_zone and limit_req instructions together to achieve the limit. Once the number of concurrent connections exceeds the specified number, a 503 error will be returned. HttpLimitConnModul is used to limit the number of concurrent connections for a single IP. The difference between the two modules using the limit_zone and limit_conn instructions is that the former limits the number of connections within a period of time, and the latter limits the number of connections at the same time.

HttpLimitReqModul limits the number of instances accessed by the same IP within a certain period of time

<span>http<span>{<span>    <span>...<span>
    <span>#定义一个名为allips的limit_req_zone用来存储session,大小是10M内存,<span>    <span>#以$binary_remote_addr 为key,限制平均每秒的请求为20个,<span>    <span>#1M能存储16000个状态,rete的值必须为整数,<span>    <span>#如果限制两秒钟一个请求,可以设置成30r/m<span>
    limit_req_zone $binary_remote_addr zone<span>=<span>allips<span>:<span>10m<span> rate<span>=<span>20r<span>/<span>s<span>;<span>    <span>...<span>    server<span>{<span>        <span>...<span>        location <span>{<span>            <span>...<span>
            <span>#限制每ip每秒不超过20个请求,漏桶数burst为5<span>            <span>#brust的意思就是,如果第1秒、2,3,4秒请求为19个,<span>            <span>#第5秒的请求为25个是被允许的。<span>            <span>#但是如果你第1秒就25个请求,第2秒超过20的请求返回503错误。<span>            <span>#nodelay,如果不设置该选项,严格使用平均速率限制请求数,<span>            <span>#第1秒25个请求时,5个请求放到第2秒执行,<span>            <span>#设置nodelay,25个请求将在第1秒执行。<span>
            limit_req zone<span>=<span>allips burst<span>=<span>5<span> nodelay<span>;<span>            <span>...<span>        <span>}<span>        <span>...<span>    <span>}<span>    <span>...<span><span>}</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
Copy after login

HttpLimitZoneModule limits the number of concurrent connections

limit_zone can only be defined in the http scope, limit_conn can be defined in the http server location scope

<span>http<span>{<span>    <span>...<span>
    <span>#定义一个名为one的limit_zone,大小10M内存来存储session,<span>    <span>#以$binary_remote_addr 为key<span>    <span>#nginx 1.18以后用limit_conn_zone替换了limit_conn<span>    <span>#且只能放在http作用域<span>    limit_conn_zone   one  $binary_remote_addr  <span>10m<span>;<span>  
    <span>...<span>    server<span>{<span>        <span>...<span>        location <span>{<span>            <span>...<span>           limit_conn one <span>20<span>;<span>          <span>#连接数限制<span>
           <span>#带宽限制,对单个连接限数,如果一个ip两个连接,就是500x2k<span>           limit_rate <span>500k<span>;<span>            

            <span>...<span>        <span>}<span>        <span>...<span>    <span>}<span>    <span>...<span><span>}</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
Copy after login

nginx whitelist settings

The above configuration will restrict all IPs. Sometimes we don’t want to restrict search engine spiders or test IPs ourselves.
For specific whitelisted IPs, we can use the geo command to achieve this .
1.

<span>http<span>{<span>     geo $limited<span>{<span>        <span>default<span> <span>1<span>;<span>        <span>#google <span>        <span>64.233<span>.<span>160.0<span>/<span>19<span> <span>0<span>;<span>        <span>65.52<span>.<span>0.0<span>/<span>14<span> <span>0<span>;<span>        <span>66.102<span>.<span>0.0<span>/<span>20<span> <span>0<span>;<span>        <span>66.249<span>.<span>64.0<span>/<span>19<span> <span>0<span>;<span>        <span>72.14<span>.<span>192.0<span>/<span>18<span> <span>0<span>;<span>        <span>74.125<span>.<span>0.0<span>/<span>16<span> <span>0<span>;<span>        <span>209.85<span>.<span>128.0<span>/<span>17<span> <span>0<span>;<span>        <span>216.239<span>.<span>32.0<span>/<span>19<span> <span>0<span>;<span>        <span>#M$<span>        <span>64.4<span>.<span>0.0<span>/<span>18<span> <span>0<span>;<span>        <span>157.60<span>.<span>0.0<span>/<span>16<span> <span>0<span>;<span>        <span>157.54<span>.<span>0.0<span>/<span>15<span> <span>0<span>;<span>        <span>157.56<span>.<span>0.0<span>/<span>14<span> <span>0<span>;<span>        <span>207.46<span>.<span>0.0<span>/<span>16<span> <span>0<span>;<span>        <span>207.68<span>.<span>192.0<span>/<span>20<span> <span>0<span>;<span>        <span>207.68<span>.<span>128.0<span>/<span>18<span> <span>0<span>;<span>        <span>#yahoo<span>        <span>8.12<span>.<span>144.0<span>/<span>24<span> <span>0<span>;<span>        <span>66.196<span>.<span>64.0<span>/<span>18<span> <span>0<span>;<span>        <span>66.228<span>.<span>160.0<span>/<span>19<span> <span>0<span>;<span>        <span>67.195<span>.<span>0.0<span>/<span>16<span> <span>0<span>;<span>        <span>74.6<span>.<span>0.0<span>/<span>16<span> <span>0<span>;<span>        <span>68.142<span>.<span>192.0<span>/<span>18<span> <span>0<span>;<span>        <span>72.30<span>.<span>0.0<span>/<span>16<span> <span>0<span>;<span>        <span>209.191<span>.<span>64.0<span>/<span>18<span> <span>0<span>;<span>        <span>#My IPs<span>        <span>127.0<span>.<span>0.1<span>/<span>32<span> <span>0<span>;<span>        <span>123.456<span>.<span>0.0<span>/<span>28<span> <span>0<span>;<span> <span>#example for your server CIDR<span>    <span>}</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
Copy after login

geo directive defines a whitelist $limited variable, the default value is 1, if the client IP is within the above range, the value of $limited is 0

2. Use the map directive to map the search engine client The ip is an empty string. If it is not a search engine, the real ip will be displayed. In this way, the search engine ip cannot be stored in the limit_req_zone memory session, so the search engine’s ip access will not be restricted.

map $limited $limit {
1 $binary_remote_addr ;
0 "";
}

3. Set limit_req_zone and limit_req
limit_req_zone $limit z rate=10r/m;

limit_req z burst=5;

Finally we use ab to suppress php-fpm, for the above The effect of the method is actually tested

Example 1: The restriction only allows one IP to access the configuration 60 times in one minute, which is an average of 1 time per second
First we prepare a php script and place it in the root directory $document_root
test. php

nginx configuration added limit_req_zone and limit_req

<span>http<span>{<span>    <span>...<span>    limit_req_zone $binary_remote_addr zone<span>=<span>allips<span>:<span>10m<span> rate<span>=<span>60r<span>/<span>m<span>;<span>    <span>...<span>    server<span>{<span>        <span>...<span>        location <span>{<span>            <span>...<span>            limit_req zone<span>=<span>allips<span>;<span>            <span>...<span>        <span>}<span>        <span>...<span>    <span>}<span>    <span>...<span><span>}</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
Copy after login

ab -n 5 -c 1 http://www.weizhang.org/test.php

118.144.94.193 - - [22/Dec/2012: 06:27:06 +0000] "GET /test.php HTTP/1.0" 200 11000 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:06 +0000] " GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:07 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:07 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3 "
118.144.94.193 - - [22/Dec/2012:06:27:07 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"

It is ok if brust and nodelay are not set Seeing that this configuration only allows 1 access per second, excessive requests return a 503 error

<span>http<span>{<span>    <span>...<span>    limit_req_zone $binary_remote_addr zone<span>=<span>allips<span>:<span>10m<span> rate<span>=<span>60r<span>/<span>m<span>;<span>    <span>...<span>    server<span>{<span>        <span>...<span>        location <span>{<span>            <span>...<span>            limit_req zone<span>=<span>allips burst<span>=<span>1<span> nodelay<span>;<span>            <span>...<span>        <span>}<span>        <span>...<span>    <span>}<span>    <span>...<span><span>}</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
Copy after login

ab -n 5 -c 1 http://www.weizhang.org/test.php

118.144.94.193 - - [22 /Dec/2012:07:01:00 +0000] "GET /test.php HTTP/1.0" 200 11000 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01: 00 +0000] "GET /test.php HTTP/1.0" 200 11000 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:01 +0000] "GET /test. php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:01 +0000] "GET /test.php HTTP/1.0" 503 537 "- " "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:01 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"

Settings After brust=1 and nodelay, two requests are allowed to be processed in the first second.

The above introduces how PHP nginx limits the number of IP requests and the number of concurrency, including the content. I hope it will be helpful to friends who are interested in PHP tutorials.

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template