Nginx (for PHP sites): limiting the number of requests per IP address and the number of concurrent connections

Source: Internet
Author: User
This article describes how to limit the number of requests per IP address and the number of concurrent connections in Nginx for a PHP site. Limiting how often a single IP address may access a site within a given period is a common headache, especially when facing malicious DDoS attacks. A CC (Challenge Collapsar) attack is a type of DDoS (distributed denial of service) and a common way of attacking websites: the attacker sends a large number of requests to the victim host through proxy servers or bots, exhausting the server's resources until the host stops responding. CC attacks generally use a limited number of IP addresses that send requests to the server at a high frequency, so Nginx can use the HttpLimitReqModul and HttpLimitZoneModule configurations to limit the number of accesses from one IP address within a period of time and thereby mitigate CC attacks.

HttpLimitReqModul limits the number of requests per unit of time; it is used through the limit_req_zone and limit_req directives. If the number of requests exceeds the configured value, Nginx returns error 503. HttpLimitConnModul limits the number of concurrent connections from a single IP address, using the limit_zone and limit_conn directives. The difference between the two modules is that the former limits the number of requests within a period of time, while the latter limits the number of connections open at the same time.

HttpLimitReqModul limits the number of requests from the same IP address within a given period of time.

http {
    ...
    # Define a limit_req_zone named allips for storing sessions, with 10 MB of memory.
    # The key is $binary_remote_addr; the average request rate is limited to 20 per second.
    # 1 MB can hold about 16,000 states; the rate value must be an integer.
    # To allow one request every two seconds, set the rate to 30r/m.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    ...
    server {
        ...
        location {
            ...
            # Limit each IP address to no more than 20 requests per second, with a leaky bucket of size 5.
            # burst means that if there were 19 requests in each of seconds 1 to 4,
            # 25 requests are allowed in the 5th second.
            # If, however, there are 25 requests in the 1st second, the requests beyond 20
            # in the 2nd second receive a 503 error.
            # nodelay: if this option is not set, the average rate is enforced strictly:
            # with 25 requests in the 1st second, 5 are held over for execution in the 2nd second.
            # With nodelay set, all 25 requests are executed in the 1st second.
            limit_req zone=allips burst=5 nodelay;
            ...
        }
        ...
    }
    ...
}

HttpLimitZoneModule

limit_zone can only be defined in the http context, while limit_conn can be defined in the http, server and location contexts.

http {
    ...
    # Define a zone named one with 10 MB of memory for storing sessions,
    # keyed by $binary_remote_addr.
    # Since Nginx 1.1.8, limit_conn_zone replaces limit_zone,
    # and it may only be placed in the http context.
    limit_conn_zone $binary_remote_addr zone=one:10m;
    ...
    server {
        ...
        location {
            ...
            limit_conn one 20;    # connection count limit
            # Bandwidth limit. This applies per connection: if one IP address
            # opens two connections, it gets 500 KB/s x 2.
            limit_rate 500k;
            ...
        }
        ...
    }
    ...
}

Nginx whitelist settings

The configuration above limits all IP addresses. Sometimes we do not want to restrict search-engine spiders or our own IP addresses used for testing; the geo directive can be used to whitelist specific IP addresses.

1. Define the whitelist with the geo directive:

http {
    geo $limited {
        default 1;
        #google
        64.233.160.0/19 0;
        65.52.0.0/14 0;
        66.102.0.0/20 0;
        66.249.64.0/19 0;
        72.14.192.0/18 0;
        74.125.0.0/16 0;
        209.85.128.0/17 0;
        216.239.32.0/19 0;
        #M$
        64.4.0.0/18 0;
        157.60.0.0/16 0;
        157.54.0.0/15 0;
        157.56.0.0/14 0;
        207.46.0.0/16 0;
        207.68.192.0/20 0;
        207.68.128.0/18 0;
        #yahoo
        8.12.144.0/24 0;
        66.196.64.0/18 0;
        66.228.160.0/19 0;
        67.195.0.0/16 0;
        74.6.0.0/16 0;
        68.142.192.0/18 0;
        72.30.0.0/16 0;
        209.191.64.0/18 0;
        #My IPs
        127.0.0.1/32 0;
        123.456.0.0/28 0; # placeholder for your server's CIDR (not a valid address; replace it)
    }
    ...
}

The geo directive defines the whitelist variable $limited with a default value of 1. If the client IP address falls within one of the ranges above, $limited is set to 0.

2. Use the map directive to derive the rate-limit key from $limited: for a search-engine client the key is an empty string, for any other client it is the real (binary) client address. Because requests with an empty key are not stored in the shared memory of limit_req_zone, search-engine IP addresses are not rate limited.

map $limited $limit {
    1 $binary_remote_addr;
    0 "";
}

3. Set limit_req_zone and limit_req using the mapped key:

limit_req_zone $limit zone=z:10m rate=10r/m;    # the zone size (10m) is required by the directive

limit_req zone=z burst=5;
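To see what the three steps above actually compute, here is an added example (not part of the article and not Nginx code) that parses a geo block in the article's layout, resolves a client address with longest-prefix semantics the way the geo module does, and then applies the map that turns $limited into the limit_req key. The GEO_BLOCK text, the client addresses and the function names (parse_geo, geo_lookup, limit_key) are constructed for this example; the search-engine ranges used are two from the article's list.

```python
"""Evaluate an Nginx geo whitelist plus the $limited -> $limit map offline.

Added example, not Nginx code: a small parser for a `geo` block in the
article's format (default value, CIDR entries, # comments), evaluated with
longest-prefix semantics, followed by the map that derives the limit_req key.
An empty key means limit_req_zone does not account the request at all.
"""
import ipaddress

# Constructed geo block in the article's layout: two of the article's
# search-engine ranges plus localhost (real lists are longer).
GEO_BLOCK = """
geo $limited {
    default 1;
    #google
    66.249.64.0/19 0;
    #yahoo
    72.30.0.0/16 0;
    #My IPs
    127.0.0.1/32 0;
}
"""


def parse_geo(text):
    """Return (default_value, [(network, value), ...]) from a geo block."""
    default, entries = None, []
    for raw in text.splitlines():
        # Drop comments, the trailing semicolon and surrounding whitespace.
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.startswith("geo ") or line == "}":
            continue
        key, value = line.split()
        if key == "default":
            default = value
        else:
            entries.append((ipaddress.ip_network(key, strict=False), value))
    return default, entries


def geo_lookup(client_ip, default, entries):
    """Longest-prefix match over the parsed entries; fall back to the default."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, value in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else default


def limit_key(client_ip, default, entries):
    """map $limited $limit { 1 $binary_remote_addr; 0 ""; }

    Returns the key limit_req_zone would use: the packed address bytes for a
    client that must be limited, or b"" (empty key, not accounted) for a
    whitelisted client."""
    addr = ipaddress.ip_address(client_ip)
    limited = geo_lookup(client_ip, default, entries)
    return addr.packed if limited == "1" else b""


if __name__ == "__main__":
    default, entries = parse_geo(GEO_BLOCK)
    for ip in ("66.249.66.1", "66.249.96.1", "127.0.0.1", "118.144.94.193"):
        print(ip, "-> $limited =", geo_lookup(ip, default, entries),
              "key =", limit_key(ip, default, entries))
```

The point of the empty-string branch is the one the article relies on: limit_req_zone skips requests whose key is empty, so whitelisting is done by hiding the client address from the zone rather than by a separate allow rule.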

Finally, we use ab (Apache Bench) to stress php-fpm and test whether the configuration above works.

Example 1: allow a single IP address only 60 accesses per minute, i.e. one per second on average.
First, prepare a PHP script named test.php and put it in the document root ($document_root).

Add limit_req_zone and limit_req to the Nginx configuration:

http {
    ...
    limit_req_zone $binary_remote_addr zone=allips:10m rate=60r/m;
    ...
    server {
        ...
        location {
            ...
            limit_req zone=allips;
            ...
        }
        ...
    }
    ...
}

ab -n 5 -c 1 http://www.weizhang.org/test.php

118.144.94.193 - - [22/Dec/2012:06:27:06 +0000] "GET /test.php HTTP/1.0" 200 11000 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:06 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:07 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:07 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:06:27:07 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"

Without burst and nodelay, this configuration allows only one access per second; any request beyond that receives a 503 error.

http {
    ...
    limit_req_zone $binary_remote_addr zone=allips:10m rate=60r/m;
    ...
    server {
        ...
        location {
            ...
            limit_req zone=allips burst=1 nodelay;
            ...
        }
        ...
    }
    ...
}

ab -n 5 -c 1 http://www.weizhang.org/test.php

118.144.94.193 - - [22/Dec/2012:07:01:00 +0000] "GET /test.php HTTP/1.0" 200 11000 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:00 +0000] "GET /test.php HTTP/1.0" 200 11000 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:01 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:01 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"
118.144.94.193 - - [22/Dec/2012:07:01:01 +0000] "GET /test.php HTTP/1.0" 503 537 "-" "ApacheBench/2.3"

With burst=1 and nodelay set, two requests are processed within the first second.
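The burst/nodelay comments in the limit_req configuration earlier and the two ab runs above are both explained by the same leaky-bucket bookkeeping that the limit_req module keeps per key: an excess counter that leaks at the configured rate and a timestamp of the last accounted request. The following added example (my own simplified model, not Nginx source) implements that bookkeeping and replays the two ab runs with constructed timings (two requests in the same second, three a few hundred milliseconds later) to reproduce the 200/503 pattern in the logs; it also shows what happens without nodelay, where accepted burst requests are spaced out instead of rejected. The class and function names (LimitReqZone, run, article_test_1, article_test_2, delayed_burst) and the request timings are assumptions of this example.

```python
"""Simplified model of Nginx's limit_req leaky bucket (added example, not Nginx code).

Per key (normally the client address) the module keeps `excess`, the number of
requests above the configured rate still "in the bucket", and `last`, the time
of the last accounted request. A request is rejected with 503 when the excess it
would produce exceeds `burst`; otherwise it is accepted and, without `nodelay`,
delayed by excess/rate seconds so that the forwarded rate stays at the limit.
An empty key is never accounted, which is what the geo/map whitelist relies on.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: float                # requests per second (60r/m == 1.0)
    burst: int = 0             # extra requests tolerated above the rate
    nodelay: bool = False      # pass burst requests at once instead of spacing them
    _state: dict = field(default_factory=dict)  # key -> (excess, last_time)

    def request(self, key, now):
        """Return (status, delay_seconds) for one request arriving at time `now`."""
        if key == "":
            # Empty key: the request is not accounted (whitelisted client).
            return 200, 0.0
        if key not in self._state:
            # First request for this key: the bucket is empty.
            self._state[key] = (0.0, now)
            return 200, 0.0
        excess, last = self._state[key]
        # Leak what the rate allowed since the last request, then add this one.
        excess = max(excess - self.rate * (now - last), 0.0) + 1.0
        if excess > self.burst:
            # Rejected requests do not update the stored state.
            return 503, 0.0
        self._state[key] = (excess, now)
        delay = 0.0 if self.nodelay else excess / self.rate
        return 200, delay


def run(zone, requests):
    """Feed (key, time) pairs through the zone; collect (status, delay) per request."""
    return [zone.request(key, t) for key, t in requests]


# Constructed timings for "ab -n 5 -c 1": two requests land in the same
# second, the remaining three about 300 ms later (as in the article's logs).
AB_RUN = [("118.144.94.193", t) for t in (0.0, 0.0, 0.3, 0.3, 0.3)]


def article_test_1():
    """rate=60r/m, no burst: one 200, then 503s (first log excerpt)."""
    return [status for status, _ in run(LimitReqZone(rate=1.0), AB_RUN)]


def article_test_2():
    """rate=60r/m, burst=1 nodelay: two 200s, then 503s (second log excerpt)."""
    zone = LimitReqZone(rate=1.0, burst=1, nodelay=True)
    return [status for status, _ in run(zone, AB_RUN)]


def delayed_burst():
    """rate=1r/s, burst=5 without nodelay, 7 simultaneous requests: the 2nd..6th
    are accepted but delayed by 1..5 seconds, the 7th overflows the bucket (503)."""
    return run(LimitReqZone(rate=1.0, burst=5), [("10.0.0.1", 0.0)] * 7)


if __name__ == "__main__":
    print("no burst        :", article_test_1())
    print("burst=1 nodelay :", article_test_2())
    print("burst=5 delayed :", delayed_burst())
```

Two details of the real module are deliberately left out of this model: the rate is tracked in millisecond units rather than floats, and newer Nginx versions accept a delay= parameter on limit_req that delays only requests beyond a given excess; neither changes the outcome of the two runs above.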

The above describes how to limit the number of requests per IP address and the number of concurrent connections in Nginx for a PHP site; I hope it helps readers interested in PHP tutorials.
