Nginx rate limiting for the same IP

Source: Internet
Author: User
Tags: message queue

Nginx limits traffic from the same IP address through limit_conn_zone and limit_req_zone in order to prevent DDoS/CC and flood attacks. There are many such articles online, but very few explain clearly the leaky bucket principle behind burst in limit_req_zone.

limit_conn_zone limits the number of connections from the same IP. Once a connection is established, the client can send many requests through it, and limit_req_zone is what limits the frequency, that is the speed, of those requests.

First, look at limiting the number of connections. The http block in Nginx is configured as follows:

limit_conn_zone $binary_remote_addr zone=addr:10m;

The server block of Nginx is then configured as follows:

limit_conn addr 2;

Although the two lines are not configured together, they are linked by the zone name addr. You can apply concurrent-connection limits to a directory or to a specified suffix such as .html or .jpg, because different resources need different numbers of connections: two concurrent connections are enough for the main .html file, but an HTML page references many jpg/gif resources, so two is definitely not enough for those, and the limit needs to be raised, though not by too much.

Limiting the number of connections limits the number of channels between the client browser and Nginx. The browser then sends requests through these pipes, and, as with water pipes, the flow and pressure at the other end are affected. To prevent an untrusted client from frantically sending requests through a pipe and constantly hammering our CPU-intensive resource URLs, the speed of requests must also be limited. That is the rate limit discussed next.

In the http block of nginx.conf:

limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

In the server block of nginx.conf:

limit_req zone=one burst=10;

Here the burst leaky bucket principle comes in, combined with the rate of 5 requests per second (rate=5r/s). It works as follows. rate=5r/s: 5 requests per second from a single IP address are allowed. burst=10: no more than 10 requests may exceed the rate limit. When there are more than 5 requests per second but no more than 10 over the limit, that is, the requests between 5 and 10 per second, they are delayed. Although delay is not written anywhere, delay is the default, because the leaky bucket really behaves like a queue or a message system: when the number of requests per second exceeds the minimum rate of 5, the extra requests are put into this queue. It is like airport security: 5 go straight through, and those above 5 but below 10 wait in the queue. Note that this queue, or bucket, is per second: if the number of requests per second exceeds 10, that is, the burst limit, the excess requests are not queued but rejected directly with HTTP 503. In other words, the queue length cannot exceed 10.

Using the default delay, that is the queuing approach, means that if a page needs to load many resources, loading them through the queued delay undoubtedly has a smaller impact on the server, and it prevents an attacker from making a large number of requests for the same resource.

If we use nodelay:

limit_req zone=one burst=10 nodelay;

This means that requests arriving at 5 to 10 per second are completed immediately, that is, at a rate of 10 per second, and anything above 15 (10+5) per second returns 503 immediately. So nodelay really means no delay: the queue waiting that served as a transition is cancelled as well.
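The delay and nodelay behaviour described above, simulated as an added example that is not from the original article: a simplified model of the limit_req excess counter (thousandths of a request, draining at the configured rate) with rate=5r/s and burst=10, fed a constructed burst of twelve simultaneous requests from one IP followed by one more request a second later. The class and function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, not traffic from the article: twelve requests from one
# IP arriving in the same millisecond, then one more a full second later.
SAMPLE_ARRIVALS_MS = [0] * 12 + [1000]


@dataclass
class LimitReqZone:
    """Simplified model of limit_req's leaky bucket for one client key.

    `excess` counts, in thousandths of a request, how far the client is
    ahead of the configured rate. It drains by `rate` requests per second
    and grows by one request for every accepted request.
    """
    rate: int                    # requests per second, e.g. rate=5r/s
    burst: int                   # limit_req ... burst=10
    nodelay: bool = False
    excess: int = 0
    last_ms: Optional[int] = None

    def request(self, now_ms: int) -> Tuple[int, int]:
        """Return (http_status, delay_ms) for a request arriving at now_ms."""
        if self.last_ms is None:
            self.last_ms = now_ms    # first request for a new key: no delay
            return 200, 0
        elapsed_ms = max(now_ms - self.last_ms, 0)
        drained = self.rate * elapsed_ms            # thousandths drained since last request
        excess = max(self.excess - drained + 1000, 0)
        if excess > self.burst * 1000:
            return 503, 0            # bucket full: rejected, state left untouched
        self.excess, self.last_ms = excess, now_ms
        if self.nodelay:
            return 200, 0            # burst slot consumed, but served immediately
        return 200, excess // self.rate             # wait until the bucket has drained


def simulate(arrivals_ms: List[int], rate: int = 5, burst: int = 10,
             nodelay: bool = False) -> List[Tuple[int, int]]:
    """Run one client's arrival times through a fresh zone."""
    zone = LimitReqZone(rate=rate, burst=burst, nodelay=nodelay)
    return [zone.request(t) for t in arrivals_ms]


if __name__ == "__main__":
    for label, nd in (("burst=10 (delay)", False), ("burst=10 nodelay", True)):
        print(label)
        for i, (status, delay) in enumerate(simulate(SAMPLE_ARRIVALS_MS, nodelay=nd), 1):
            print(f"  request {i:2d}: HTTP {status}, delayed {delay} ms")
```

With delay, the first request passes at once, the next ten are queued 200 ms apart and the twelfth gets 503; with nodelay the same eleven pass with no wait and the twelfth is still rejected, while the request one second later finds half the bucket drained.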

Large web sites such as Twitter or Facebook, which handle huge amounts of traffic, use a message queue such as Apache Kafka to queue large numbers of requests. So for small and medium web sites the delay scheme is recommended rather than specifying nodelay, even though other articles on the web almost always recommend nodelay.

Finally, the bandwidth limit, configured as follows:

limit_rate 50k;
limit_rate_after 500k;

Once more than 500k has been transferred to the client, the rest of the response is limited to 50k per second.
