Nginx Module Configuration tutorial for restricting the number of connections and restricting requests in a server _nginx

Ngx_http_limit_conn_module modules that limit the number of connections
We often encounter this situation, the server traffic is abnormal, the load is too large and so on. For large traffic malicious attack access, will bring a waste of bandwidth, server pressure, affect the business, often consider the same IP connection number, concurrent number of restrictions. Here's a ngx_http_limit_conn_module module to implement this requirement. The module can limit the number of connections per key value based on the defined key, as is the number of connections for an IP source. Not all connections are counted by the module, and only the connections that are being processed (the headers of these requests are fully read) are counted.
I. Ngx_http_limit_conn_module directive interpretation
1. Limit_conn_zone
Syntax:

Limit_conn_zone $variable zone=name:size;

Default value: None
Configuration segment: http
This instruction describes the session-state storage area. The current number of connections is saved in the state of the key, and the value of the key can be any non-null value of a particular variable (null values will not be considered). $variable defines the key, Zone=name defines the name of the zone, and the following limit_conn instructions are used. Size defines the amount of shared memory space for each key. Such as:

Limit_conn_zone $binary _remote_addr zone=addr:10m;

Note: The IP address of the client is the key. Note that the $BINARY_REMOTE_ADDR variable, not the $REMOTE_ADDR variable, is used here.
$remote the length of the _addr variable is 7 bytes to 15 bytes, while the storage state occupies 32 or 64 bytes in the 32-bit platform and occupies 64 bytes in the 64-bit platform.
$binary _remote_addr variable has a fixed length of 4 bytes, the storage state occupies 32 bytes or 64 bytes in the 32-bit platform, and occupies 64 bytes in the 64-bit platform.
1M shared space can hold 32,000 32-bit states, 16,000 64-bit states.
If the shared memory space is depleted, the server will return 503 (Service temporarily unavailable) errors to all subsequent requests.
The limit_zone instruction and the limit_conn_zone instruction have the same meaning, have been discarded, will no longer be explained.
2. Limit_conn_log_level
Syntax:

Limit_conn_log_level Info | Notice | Warn | Error

Default value: Error
Configuration segment: HTTP, server, location
Record the level of the log when the maximum number of restricted connections is reached.
3. Limit_conn
Syntax:

Limit_conn zone_name Number

Default value: None
Configuration segment: HTTP, server, location
Specifies the maximum number of simultaneous connections for each given key value, which is returned 503 (Service temporarily unavailable) error when this number is exceeded. Such as:

Limit_conn_zone $binary _remote_addr zone=addr:10m;
server {
 location/www.ttlsa.com/{
  limit_conn addr 1;
 }
}

Only one connection is allowed at the same time on the same IP.
When multiple Limit_conn directives are configured, all the number of connection restrictions will take effect. For example, the following configuration will not only limit the number of connections to a single IP source, but also limit the total number of connections to a single virtual server:

Limit_conn_zone $binary _remote_addr zone=perip:10m;
Limit_conn_zone $server _name zone=perserver:10m;
server {
 limit_conn perip;
 Limit_conn perserver;
}

Limit_conn instructions can be inherited from a superior.
4. Limit_conn_status
syntax: Limit_conn_status code;
Default value: Limit_conn_status 503;
Configuration segment: HTTP, server, location
The designation is introduced in version 1.3.15. Specifies the status code returned when the limit is exceeded. The default is 503.
5. Limit_rate
Syntax: limit_rate rate
Default value: 0
Configuration segment: HTTP, server, location, if in location
The rate limit for each connection. The unit of the parameter rate is bytes/sec, and setting to 0 will turn off the speed limit. By connection speed limit rather than by IP, so if a client has two connections open at the same time, the overall rate of the client is twice times the value of this instruction setting.
two. Full instance configuration

HTTP {
 limit_conn_zone $binary _remote_addr zone=limit:10m;
 Limit_conn_log_level info;
 
 server {
 location ^~/download/{ 
 limit_conn limit 4;
 Limit_rate 200k;
 alias/data/www.ttlsa.com/download/
    }}
 }

Three. Precautions for use
affairs have two sides. The Ngx_http_limit_conn_module module solves the concurrency problems currently facing it, but introduces additional problems. If the front end if there is to do LVS or reverse generation, and our back-end enabled the module function, it is not very many 503 errors? In this case, you can enable the module on the front end, or set the whitelist, whitelist settings see the following documents, I will organize a copy for the reader's reference.

Ngx_http_limit_req_module module to limit the number of requests
we talked about the Ngx_http_limit_conn_module module, to limit the number of connections. What about the limit of the number of requests? This needs to be implemented through the Ngx_http_limit_req_module module, which can limit the frequency of request processing by defining key values. In particular, you can limit the frequency of request processing from a single IP address. The restricted method is like a funnel, the number of fixed processing requests per second, and too many requests are deferred.
A. Ngx_http_limit_req_module module instruction
1. Limit_req_zone
Syntax:

Limit_req_zone $variable zone=name:size rate=rate;

Default value: None
Configuration segment: http
Sets the state parameter that a shared memory limit field uses to hold key values. In particular, the number of currently exceeded requests is saved. The value of the key is the specified variable (the null value is not evaluated). Such as

Limit_req_zone $binary _remote_addr zone=one:10m rate=1r/s;

Description: The area name is one, the size is 10m, the average processing request frequency can not exceed once per second.
The key value is the client IP.
With the $BINARY_REMOTE_ADDR variable, you can reduce the size of each state record to 64 bytes, so that 1M of memory can hold approximately 16,000 64-byte records.
If the restricted domain storage space is depleted, the server returns 503 (Service temporarily unavailable) error for all subsequent requests.
The speed can be set to the number of requests processed per second and the number of requests processed per minute, and the value must be an integer, so if you need to specify a request to process fewer than 1 requests per second, and 2 seconds to process a request, you can use "30r/m".
2. Limit_req_log_level
Syntax:

Limit_req_log_level Info | Notice | Warn | Error

Default value: Limit_req_log_level error;
Configuration segment: HTTP, server, location
Set the log level you want, and log the appropriate level when the server rejects or delays processing requests because of excessive frequency. The log level of the deferred record is one level lower than the rejected; For example, if you set "Limit_req_log_level notice", the deferred log is the info level.
Limit_req_status
Grammar:

Limit_req_status Code;

Default value: Limit_req_status 503;
Configuration segment: HTTP, server, location
The directive is introduced in version 1.3.15. Sets the response status code for the reject request.
3. Limit_req
Syntax:

 Limit_req zone=name [Burst=number] [nodelay];

Default value:-
Configuration segment: HTTP, server, location
Sets the corresponding shared memory limit domain and the maximum number of request thresholds that are allowed to be processed. If the requested frequency exceeds the limit of the domain configuration, the request processing is deferred, so all requests are processed at the defined frequency. Requests exceeding the frequency limit are deferred until the number of requests delayed exceeds the defined threshold, at which point the request is terminated and a 503 (Service temporarily unavailable) error is returned. The default value for this threshold value is 0. Such as:

Limit_req_zone $binary _remote_addr zone=ttlsa_com:10m rate=1r/s;
server {
 location/www.ttlsa.com/{
  limit_req zone=ttlsa_com burst=5;
 }
}

The limit averages no more than one request per second and allows no more than 5 requests exceeding the frequency limit.
If you do not want more than a request to be deferred, you can use the Nodelay parameter, such as:

Limit_req zone=ttlsa_com burst=5 Nodelay;

Two. Full instance configuration

HTTP {
 limit_req_zone $binary _remote_addr zone=ttlsa_com:10m rate=1r/s;
 
 server {
 location ^~/download/{ 
 limit_req zone=ttlsa_com burst=5;
 alias/data/www.ttlsa.com/download/
  }}
 }

There may be some IP restrictions that need to be used to whitelist. List settings See the following documents, I will organize a copy for the reader's reference. Please focus.