Nginx request limiting: syntax and principles of the connection-limit configuration
1. Connections and requests in the HTTP protocol
(1) HTTP requests are built on top of TCP connections
- An HTTP request is built on top of a TCP connection; the HTTP request only starts once the TCP three-way handshake has completed.
- One TCP connection carries at least one HTTP request.
(2) TCP three-way handshake
First handshake: to establish a connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server's confirmation. SYN: Synchronize Sequence Numbers.
Second handshake: on receiving the SYN packet, the server must acknowledge the client's SYN (ack=j+1) and at the same time send a SYN packet of its own (syn=k), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state.
Third handshake: on receiving the server's SYN+ACK packet, the client sends an acknowledgement packet ACK (ack=k+1) to the server. Once this packet has been sent, client and server enter the ESTABLISHED state (TCP connection succeeded) and the three-way handshake is complete.
After the three-way handshake the client and server begin transferring data. The process above also involves a few important concepts:
(3) TCP flag bits
SYN: establish a connection,
FIN: close a connection,
ACK: acknowledgement (response),
PSH: DATA is being transferred,
RST: connection reset.
The flag bits are the TCP flags; there are six of them (the sequence and acknowledgement numbers listed last are header fields rather than flags):
- SYN (synchronous: establish a connection)
- ACK (acknowledgement: confirm)
- PSH (push: transfer data)
- FIN (finish: end)
- RST (reset)
- URG (urgent)
- Sequence number
- Acknowledge number
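As an added example that is not part of the original post, the following shell helpers show how the handshake states described above (SYN_RECV, ESTABLISHED, and the closing states) appear on a server in `ss -tan` output, and count established connections per peer address, which is the same per-client view that limit_conn later enforces. The `ss` output embedded in the script is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: count TCP sockets per state and established connections per
# peer address from `ss -tan` output. The sample output below is constructed.

# Count sockets per TCP state (first column of `ss -tan`), skipping the header.
tcp_state_counts() {
  awk 'NR > 1 { n[$1]++ } END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Count ESTAB connections per peer IP (fifth column, port stripped); this is
# the per-address view that limit_conn keyed on $binary_remote_addr enforces.
estab_per_peer() {
  awk '$1 == "ESTAB" { peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++ }
       END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Constructed `ss -tan` sample (not a real capture): one half-open handshake
# (SYN-RECV), three established connections (two from the same client), and
# one connection in TIME-WAIT after closing.
SAMPLE_SS_OUTPUT='State     Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN    0      128    0.0.0.0:80         0.0.0.0:*
SYN-RECV  0      0      10.0.0.5:80        203.0.113.7:51234
ESTAB     0      0      10.0.0.5:80        203.0.113.8:40001
ESTAB     0      0      10.0.0.5:80        203.0.113.9:40002
ESTAB     0      0      10.0.0.5:80        203.0.113.9:40003
TIME-WAIT 0      0      10.0.0.5:80        203.0.113.9:40004'

# On a live server the same helpers read real data: ss -tan | tcp_state_counts
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | tcp_state_counts
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | estab_per_peer
fi
```

Run it as `sh script.sh demo` to see the counts for the constructed sample; a large SYN-RECV count relative to ESTAB is the usual sign that handshakes are not completing, which is a different problem from the per-client connection limit the rest of the post configures.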
(4) HTTP version differences
2. http_limit_conn_module in detail
http_limit_conn_module: connection limiting for HTTP requests
Official documentation:
The ngx_http_limit_conn_module module is used to limit the number of connections per the defined key, in particular, the number of connections from a single IP address.
Not all connections are counted. A connection is counted only if it has a request being processed by the server and the whole request header has already been read.
3. limit_conn syntax
(1) limit_conn syntax

| Syntax: | limit_conn zone number; |
|---|---|
| Default: | — |
| Context: | http, server, location |

Syntax explanation: `limit_conn zone number;`
- zone: the name of the key store kept in shared memory (declared with limit_conn_zone)
- number: the maximum number of connections allowed
Sets the shared memory zone and the maximum allowed number of connections for a given key value. When this limit is exceeded, the server will return the error in reply to a request. For example, the directives

```nginx
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    location /download/ {
        limit_conn addr 1;
    }
}
```

allow only one connection per an IP address at a time.
In HTTP/2 and SPDY, each concurrent request is considered a separate connection.
There could be several limit_conn directives. For example, the following configuration will limit the number of connections to the server per a client IP and, at the same time, the total number of connections to the virtual server:

```nginx
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}
```

These directives are inherited from the previous level if and only if there are no limit_conn directives on the current level.
(2) limit_conn_log_level syntax
| Syntax: | limit_conn_log_level info \| notice \| warn \| error; |
|---|---|
| Default: | limit_conn_log_level error; |
| Context: | http, server, location |

This directive appeared in version 0.8.18.
Syntax explanation: `limit_conn_log_level error;` sets the logging level used when the server limits the number of connections.
Sets the desired logging level for cases when the server limits the number of connections.
(3) limit_conn_status syntax

| Syntax: | limit_conn_status code; |
|---|---|
| Default: | limit_conn_status 503; |
| Context: | http, server, location |

This directive appeared in version 1.3.15.
Syntax explanation: `limit_conn_status code;` sets the status code returned for rejected requests.
Sets the status code to return in response to rejected requests.
(4) limit_conn_zone syntax

| Syntax: | limit_conn_zone key zone=name:size; |
|---|---|
| Default: | — |
| Context: | http |

Syntax explanation:
Sets parameters for a shared memory zone that will keep states for various keys. In particular, the state includes the current number of connections. The key can contain text, variables, and their combination. Requests with an empty key value are not accounted.
Prior to version 1.7.6, a key could contain exactly one variable.
Usage example:

```nginx
limit_conn_zone $binary_remote_addr zone=addr:10m;
```

Usage explanation:
Here, a client IP address serves as a key. Note that instead of $remote_addr, the $binary_remote_addr variable is used here. The $remote_addr variable's size can vary from 7 to 15 bytes. The stored state occupies either 32 or 64 bytes of memory on 32-bit platforms and always 64 bytes on 64-bit platforms. The $binary_remote_addr variable's size is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses. The stored state always occupies 32 or 64 bytes on 32-bit platforms and 64 bytes on 64-bit platforms. One megabyte zone can keep about 32 thousand 32-byte states or about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return the error to all further requests.
(5) limit_zone syntax (removed)

| Syntax: | limit_zone name $variable size; |
|---|---|
| Default: | — |
| Context: | http |

Syntax explanation:
This directive was made obsolete in version 1.1.8 and was removed in version 1.7.6. An equivalent limit_conn_zone directive with a changed syntax should be used instead:

```nginx
limit_conn_zone $variable zone=name:size;
```
4. limit_conn_zone configuration
Note: the location under test must serve a dynamic endpoint for a load test to hit the limit_conn limit. If the location serves static resources the limit is very hard to reproduce, because Nginx serves static files so quickly that concurrent connections rarely accumulate.
5. Verifying that the limit_conn configuration takes effect
Load-tested with the ab tool: 2 succeeded, 18 failed.
Because limit_conn=1, most of the requests were rejected by the limit.
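As an added example, not code from the original post, the following shell script puts the configuration step and the verification step together: it writes a test vhost with `limit_conn addr 1` on a proxied (dynamic) location, using the `limit_conn_zone`, `limit_conn_log_level` and `limit_conn_status` directives documented above, runs an ab load test, and summarises the ab result. The listen port, the upstream address, the ab request/concurrency counts and the embedded ab output are all assumptions or constructed values; the post only states the 2-succeeded/18-failed outcome.

```shell
#!/bin/sh
# Added example: generate a limit_conn test config and summarise an ab run.
# The vhost, backend address and ab sample output below are assumptions.

# Write a minimal vhost that limits each client IP to one concurrent
# connection on a dynamic (proxied) location, as the post recommends.
write_limit_conn_conf() {
  out="$1"
  cat > "$out" <<'EOF'
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn_log_level warn;
limit_conn_status 503;

server {
    listen 8080;                           # assumed test port
    server_name localhost;

    # Dynamic endpoint: the proxied request stays open long enough to count.
    location /api/ {
        limit_conn addr 1;
        proxy_pass http://127.0.0.1:9000;  # assumed backend
    }
}
EOF
}

# Run ab with 20 requests and 20 concurrent clients (assumed to match the
# post's 20-request run); pass the URL of the limited location.
run_ab() {
  ab -n 20 -c 20 "$1"
}

# Extract "Complete requests", "Failed requests" and "Non-2xx responses" from
# ab output on stdin; prints "complete failed non2xx" on one line.
ab_summary() {
  awk '
    /^Complete requests:/ { complete = $3 }
    /^Failed requests:/   { failed = $3 }
    /^Non-2xx responses:/ { non2xx = $3 }
    END { printf "%d %d %d\n", complete, failed, non2xx }
  '
}

# Constructed ab output (not a real capture) matching the post's result of
# 2 successful and 18 rejected requests.
SAMPLE_AB_OUTPUT='Concurrency Level:      20
Time taken for tests:   0.412 seconds
Complete requests:      20
Failed requests:        18
   (Connect: 0, Receive: 0, Length: 18, Exceptions: 0)
Non-2xx responses:      18
Requests per second:    48.54 [#/sec] (mean)'

if [ "${1:-}" = "demo" ]; then
  write_limit_conn_conf "${TMPDIR:-/tmp}/limit_conn_test.conf"
  printf '%s\n' "$SAMPLE_AB_OUTPUT" | ab_summary
fi
```

Against a live server the check is `run_ab http://127.0.0.1:8080/api/ | ab_summary`. Note that ab's "Failed requests" line counts responses whose length differs from the first response it received, so which requests it calls failed depends on whether a 200 or a 503 arrived first; the "Non-2xx responses" count is the reliable measure of how many requests the limit rejected, and each rejection is also logged at the level set by limit_conn_log_level.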