Nginx Limited access rate and maximum concurrent connections module--limit (Protection against DDoS attacks)

Source: Internet
Author: User

nginx has two modules for limiting what a single client IP may do: one limits the request rate, the other limits concurrency:


    • limit_req_zone / limit_req (ngx_http_limit_req_module) limit the number of requests per unit of time: the rate limit

    • limit_conn_zone / limit_conn (ngx_http_limit_conn_module; this article still uses the older limit_zone directive, which was removed in nginx 1.7.6) limit the number of simultaneous connections: the concurrency limit

http {

    limit_req_zone $binary_remote_addr zone=one:100m rate=10r/m;

    server {

        .........................

        .........................

        limit_req zone=one burst=1 nodelay;

        ......................

    }

}

rate=10r/m means each client address may make 10 requests per minute, that is, one request every 6 seconds. nginx enforces this with a leaky bucket: burst=1 means the bucket can hold one excess request beyond the rate, so a second request arriving inside the 6-second window is still accepted,
and a third one gets a 503 (the default limit_req_status).

With nodelay, an excess request that fits in the burst is passed on immediately, and any request beyond the burst gets 503 straight away.

Without nodelay, excess requests that fit in the burst are queued and released at the configured rate, so many client TCP connections sit open waiting for their turn.

http {
    limit_zone one $binary_remote_addr 10m;
    server
    {
        ......
        limit_conn one 1;
        ......
    }
}

Here one is the name of the zone; $binary_remote_addr is used instead of $remote_addr because the binary form of the address has a fixed length (4 bytes for IPv4, 16 for IPv6), so each client's state takes less room in the zone; and 10m is the size of the shared memory zone that holds the per-address state.
limit_conn one 1 limits each client address to 1 concurrent connection. Note that limit_zone was deprecated in nginx 1.1.8 and removed in 1.7.6; on current versions the equivalent is limit_conn_zone $binary_remote_addr zone=one:10m; used with the same limit_conn directive.

nginx limit_req introduction

I. Introduction to the nginx connection-limiting modules

a) nginx has two limiting modules, limit_zone and limit_req_zone. Both can limit connections, so what is the difference?
Here is the explanation from the nginx website.

b) limit_req_zone
Limit frequency of connections from a client.
This module allows you to limit the number of requests for a given session, or as a special case, with one address.
Restriction done using leaky buckets.

c) limit_zone
Limit simultaneous connections from a client.
This module makes it possible to limit the number of simultaneous connections for the assigned session or, as a special case, from one address.

d) Read literally, limit_req_zone limits how often a client may send requests, using a leaky bucket (the module lets you limit the number of requests for a given session or, as a special case, from a single address),
while limit_zone limits how many concurrent connections a client may hold (the number of simultaneous connections for a given session or, as a special case, from a single address).
One limits concurrent connections, the other limits request frequency. On the surface the difference is hard to see, so let us look at the actual effect.
I added both directives on my test machine; below is the relevant part of my configuration.

e) http {
    limit_zone one $binary_remote_addr 10m;
    #limit_req_zone $binary_remote_addr zone=req_one:10m rate=1r/s;
    server
    {
        ......
        limit_conn one 1;
        #limit_req zone=req_one burst=120;
        ......
    }
}

f) Explanation of limit_zone one $binary_remote_addr 10m;
one is the name of the zone, $binary_remote_addr is the fixed-length binary form of $remote_addr used as the key, and 10m is the size of the shared memory zone holding the per-address state.
limit_conn one 1 limits each client address to 1 concurrent connection.

II. The two modes of limit_req

a) limit_req zone=one burst=10;

i. This is the default mode: excess requests are not rejected but delayed so that they leave at the configured rate.

ii. e.g. limit_req_zone $binary_remote_addr zone=one:100m rate=10r/m;

This gives each client 10 requests per minute. With configuration a), a burst of requests is queued and released one every 60/10 = 6 seconds: the second request waits about 6 s, the third about 12 s, and so on for up to the 10 excess requests the burst allows; anything beyond the queued requests gets 503.

b) limit_req zone=one burst=10 nodelay;

i. With nodelay added, requests are served as fast as the client sends them until the burst is used up: after the first request plus 10 excess requests, the server returns 503 directly.

ii. e.g. limit_req_zone $binary_remote_addr zone=one:100m rate=10r/m;

Again each client gets 10 requests per minute. With configuration b), requests are passed straight through as they arrive; once the client has exceeded the allowed requests, the server returns 503 until the bucket has drained enough (one request every 6 seconds) to admit the next one.


http {
    # Define a limit_req_zone named allips to hold per-client state in 10M of memory,
    # keyed on $binary_remote_addr, limiting the average rate to 20 requests per second.
    # 1M holds about 16000 states. The rate must be an integer, so to allow
    # one request every two seconds write 30r/m.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    server {
        ...
        location / {
            ...
            # Limit each IP to no more than 20 requests per second, with a bucket (burst) of 5.
            # burst means: if seconds 1, 2, 3 and 4 each carry 19 requests,
            # then 25 requests in second 5 are all allowed.
            # But if the first second carries 25 requests, requests in the second second beyond 20 get 503.
            # Without nodelay the average rate is enforced strictly: of 25 requests in
            # second 1, 5 are held over and served in second 2.
            # With nodelay, all 25 requests are served in second 1.
            limit_req zone=allips burst=5 nodelay;
            ...
        }
        ...
    }
    ...
}
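To observe the delay / nodelay / burst behaviour described in section II and in the allips comments above without a running server, here is an added example (not code from the original article or from nginx) that re-implements the per-key leaky-bucket accounting of ngx_http_limit_req_module in Python, using the same integer millirequest and millisecond arithmetic nginx uses. The client key 203.0.113.7 and the arrival patterns are constructed for the demonstration, and 503 is assumed to be the default limit_req_status.

```python
"""Simulation of the leaky bucket behind nginx's limit_req directive.

Added example, not nginx code: it mirrors the accounting nginx does per key.
Every request adds 1000 "millirequests" to the client's excess, the excess
leaks at the configured rate, a request that would push the excess above
burst*1000 is rejected with 503, and an accepted excess request is delayed
by excess/rate seconds unless nodelay is set.
"""
from dataclasses import dataclass, field

REJECTED = 503  # nginx's default limit_req_status
ACCEPTED = 200


@dataclass
class LimitReq:
    """One limit_req zone plus directive: rate=<rate>r/<per>, burst, nodelay."""
    rate: int                 # the number before "r/" in the directive
    per: str = "s"            # "s" for r/s, "m" for r/m
    burst: int = 0            # extra requests the bucket may hold
    nodelay: bool = False     # pass excess requests immediately
    state: dict = field(default_factory=dict)  # key -> [excess, last_ms]

    def __post_init__(self):
        # nginx keeps the rate in millirequests per second: 10r/m becomes 166
        scale = 60 if self.per == "m" else 1
        self.rate_mr = self.rate * 1000 // scale

    def request(self, key, now_ms):
        """Account one request for `key` at time `now_ms` (integer milliseconds).

        Returns (status, delay_ms): 200 with the delay nginx would impose,
        or 503 when the request does not fit in the bucket.
        """
        if key not in self.state:
            # the first request for a key is accepted with zero excess
            self.state[key] = [0, now_ms]
            return ACCEPTED, 0
        excess, last_ms = self.state[key]
        # leak since the previous request, then add this request
        excess = excess - self.rate_mr * (now_ms - last_ms) // 1000 + 1000
        excess = max(excess, 0)
        if excess > self.burst * 1000:
            # the bucket would overflow: reject and leave the stored state untouched
            return REJECTED, 0
        self.state[key] = [excess, now_ms]
        if self.nodelay or excess == 0:
            return ACCEPTED, 0
        # without nodelay the request waits until the bucket has leaked enough
        return ACCEPTED, excess * 1000 // self.rate_mr


def replay(limiter, times_ms, key="203.0.113.7"):
    """Feed one constructed client's requests at the given times; list of (status, delay_ms)."""
    return [limiter.request(key, t) for t in times_ms]


def spread(second, count):
    """Constructed arrival times: `count` requests spread evenly over one second."""
    return [second * 1000 + i * 1000 // count for i in range(count)]


def burst_one_nodelay():
    """First section: rate=10r/m burst=1 nodelay, three requests at the same instant."""
    lim = LimitReq(rate=10, per="m", burst=1, nodelay=True)
    return [status for status, _ in replay(lim, [0, 0, 0])]


def burst_ten_delayed():
    """Section II a): rate=10r/m burst=10 without nodelay, 12 requests at once."""
    lim = LimitReq(rate=10, per="m", burst=10)
    return replay(lim, [0] * 12)


def allips(requests_per_second):
    """The allips example: rate=20r/s burst=5 nodelay.

    `requests_per_second` lists how many requests the client sends in each
    consecutive second; returns how many of them receive 503 in each second.
    """
    lim = LimitReq(rate=20, per="s", burst=5, nodelay=True)
    rejected = []
    for second, count in enumerate(requests_per_second):
        statuses = [s for s, _ in replay(lim, spread(second, count))]
        rejected.append(statuses.count(REJECTED))
    return rejected


if __name__ == "__main__":
    print("burst=1 nodelay, 3 requests:", burst_one_nodelay())
    print("burst=10 delayed, 12 requests:", burst_ten_delayed())
    print("19/s x4 then 25/s:", allips([19, 19, 19, 19, 25]))
    print("25/s then 21/s:", allips([25, 21]))
```

Because nginx stores 10r/m as 166 millirequests per second, the queued requests in section II a) come out 6.024 s apart rather than exactly 6 s. In the allips scenario, four quiet seconds followed by 25 requests are admitted in full, while 25 requests followed by 21 in the next second rejects exactly one of them, which is the behaviour the comments above describe.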

-------------------------------------------------------------------

Limit download speed:

location /download {
    limit_rate 128k;
}

If you want the first 10m of a file to download without throttling and only throttle to 128 KB/s after that, add limit_rate_after to the location in nginx.conf:

location /download {
    limit_rate_after 10m;
    limit_rate 128k;
}

