One of the most useful, but often misunderstood and misconfigured, features of NGINX is rate limiting. It allows you to limit the amount of HTTP requests a user can make in a given period of time. A request can be as simple as a Show
Rate limiting can be used for security purposes, for example to slow down brute‑force password‑guessing attacks. It can help protect against DDoS attacks by limiting the incoming request rate to a value typical for real users, and (with logging) identify the targeted URLs. More generally, it is used to protect upstream application servers from being overwhelmed by too many user requests at the same time. In this blog we will cover the basics of rate limiting with NGINX as well as more advanced configurations. Rate limiting works the same way in NGINX Plus. To learn more about rate limiting with NGINX, watch our on-demand webinar. NGINX Plus R16 and later support “global rate limiting”: the NGINX Plus instances in a cluster apply a consistent rate limit to incoming requests regardless of which instance in the cluster the request arrives at. (State sharing in a cluster is available for other NGINX Plus features as well.) For details, see our and the NGINX Plus Admin Guide. How NGINX Rate Limiting Works NGINX rate limiting uses the leaky bucket algorithm, which is widely used in telecommunications and packet‑switched computer networks to deal with burstiness when bandwidth is limited. The analogy is with a bucket where water is poured in at the top and leaks from the bottom; if the rate at which water is poured in exceeds the rate at which it leaks, the bucket overflows. In terms of request processing, the water represents requests from clients, and the bucket represents a queue where requests wait to be processed according to a first‑in‑first‑out (FIFO) scheduling algorithm. The leaking water represents requests exiting the buffer for processing by the server, and the overflow represents requests that are discarded and never serviced. Configuring Basic Rate LimitingRate limiting is configured with two main directives, The directive defines the parameters for rate limiting while enables rate limiting within the context where it appears (in the example, for all requests to /login/). The
The So now each unique IP address is limited to 10 requests per second for /login/ – or more precisely, cannot make a request for that URL within 100ms of its previous one. Handling BurstsWhat if we get 2 requests within 100ms of each other? For the second request NGINX returns status code The That means if 21 requests arrive from a given IP address simultaneously, NGINX forwards the first one to the upstream server group immediately and puts the remaining 20 in the queue. It then forwards a queued request every 100ms, and returns Queueing with No DelayA configuration with With the Suppose, as before, that the 20‑slot queue is empty and 21 requests arrive simultaneously from a given IP address. NGINX forwards all 21 requests immediately and marks the 20 slots in the queue as taken, then frees 1 slot every 100ms. (If there were 25 requests instead, NGINX would immediately forward 21 of them, mark 20 slots as taken, and reject 4 requests with status Now suppose that 101ms after the first set of requests was forwarded another 20 requests arrive simultaneously. Only 1 slot in the queue has been freed, so NGINX forwards 1 request and rejects the other 19 with status The effect is equivalent to a rate limit of 10 requests per second. The Note: For most deployments, we recommend including the Two-Stage Rate LimitingWith NGINX Plus R17 or NGINX Open Source 1.15.7 you can configure NGINX to allow a burst of requests to accommodate the typical web browser request pattern, and then throttle additional excessive requests up to a point, beyond which additional excessive requests are rejected. Two-stage rate limiting is enabled with the parameter to the To illustrate two‑stage rate limiting, here we configure NGINX to protect a website by imposing a rate limit of 5 requests per second (r/s). The website typically has 4–6 resources per page, and never more than 12 resources. The configuration allows bursts of up to 12 requests, the first 8 of which are processed without delay. A delay is added after 8 excessive requests to enforce the 5 r/s limit. After 12 excessive requests, any further requests are rejected. The The first 8 requests (the value of Advanced Configuration ExamplesBy combining basic rate limiting with other NGINX features, you can implement more nuanced traffic limiting. AllowlistingThis example shows how to impose a rate limit on requests from anyone who is not on an “allowlist”. This example makes use of both the and directives. The
Putting the two together, The Including Multiple location /login/ { limit_req zone=mylimit burst=20; proxy_pass http://my_upstream; }3 Directives in a LocationYou can include multiple Extending the previous example we can apply a rate limit to IP addresses on the allowlist: IP addresses on the allowlist do not match the first rate limit (req_zone) but do match the second (req_zone_wl) and so are limited to 15 requests per second. IP addresses not on the allowlist match both rate limits so the more restrictive one applies: 5 requests per second. Configuring Related FeaturesLoggingBy default, NGINX logs requests that are delayed or dropped due to rate limiting, as in this example: Fields in the log entry include:
By default, NGINX logs refused requests at the Error Code Sent to ClientBy default NGINX responds with status code Denying All Requests to a Specific LocationIf you want to deny all requests for a specific URL, rather than just limiting them, configure a block for it and include the ConclusionWe have covered many features of rate limiting that NGINX and NGINX Plus offer, including setting up request rates for different locations on HTTP requests, and configuring additional features to rate limiting such as the |
Cara menggunakan php max int constant
Pos Terkait
Copyright © 2024 kemunculan Inc.
