【运维知识进阶篇】集群架构-Nginx常用模块（目录索引+状态监控+访问控制+访问限制）（下）

2023-08-10 73

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

本文涉及的产品

访问控制，不限时长

简介： 【运维知识进阶篇】集群架构-Nginx常用模块（目录索引+状态监控+访问控制+访问限制）（下）

2、访问控制配置示例，只允许谁能访问，其他全部拒绝

1. [root@Web01 code]# cat /etc/nginx/conf.d/module.conf
2. server {
3.     listen 80;
4.     server_name module.koten.com;
5. access_log off;
6. 
7. location /nginx_status {
8.         stub_status;
9.  allow 10.0.0.1/24;
10.   allow 127.0.0.1;
11.   deny all;
12.     }
13. }
14. [root@Web01 code]# systemctl restart nginx
15. 
16. [root@Web02 code]# tail -1 /etc/hosts    #修改hosts解析
17. 10.0.0.7 module.koten.com
18. [root@Web02 code]# curl -s module.koten.com/nginx_status
19. Active connections: 2
20. server accepts handled requests
21. 56 56 55
22. Reading: 0 Writing: 1 Waiting: 1

二、Nginx基于用户登录认证

1、安装httpd-tools，该包中携带了httpasswd命令

[root@Web01 ~]# yum -y install httpd-tools

2、创建新的密码文件，-c创建新文件，-b允许命令行输入密码

1. [root@Web01 ~]# htpasswd -b -c /etc/nginx/auth_conf koten 1
2. Adding password for user koten

3、Nginx配置调用

1. [root@Web01 ~]# cat /etc/nginx/conf.d/module.conf 
2. server {
3.     listen 80;
4.     server_name module.koten.com;
5. access_log off;
6. 
7. location /nginx_status {
8.         stub_status;
9.         auth_basic "请输入账号和密码！";
10.         auth_basic_user_file auth_conf;
11.     }
12. }
13. [root@Web01 ~]# systemctl restart nginx

访问限制模块

企业中经常会遇到服务器流量异常，负载过大的情况，对于大流量恶意的攻击访问，会带来宽带的

浪费，会影响业务，我们往往考虑对同一个IP的连接数，请求数进行限制。

ngx_http_limit_conn_module模块可以根据定义的key来限制每个键值的连接数，如同一个IP来源的连接数。

limit_conn_module连接频率限制

limit_req_module请求频率限制

一、Nginx连接限制配置示例

1、Nginx配置文件使用模块

1. [root@Web01 ~]# cat /etc/nginx/nginx.conf |grep limit
2. limit_conn_zone $remote_addr zone=conn_zone:10m;    #放在http中
3. [root@Web01 ~]# cat /etc/nginx/conf.d/wordpress.conf |grep limit
4. limit_conn conn_zone 1;                             #放在server中
5. [root@Web01 ~]# systemctl restart nginx

2、ab工具进行压力测试

1. [root@Web01 ~]# tail -1 /etc/hosts
2. 10.0.0.7 blog.koten.com
3. [root@Web01 ~]# yum -y install httpd-tools
4. [root@Web01 ~]# ab -n 20 -c 2  http://blog.koten.com/

3、查看Nginx报错日志

1. [root@Web01 ~]# tail -10 /var/log/nginx/error.log
2. 2023/05/11 22:29:45 [error] 96196#96196: *58 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
3. 2023/05/11 22:29:45 [error] 96196#96196: *59 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
4. 2023/05/11 22:29:45 [error] 96196#96196: *60 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
5. 2023/05/11 22:29:45 [error] 96196#96196: *61 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
6. 2023/05/11 22:29:45 [error] 96196#96196: *62 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
7. 2023/05/11 22:29:45 [error] 96196#96196: *63 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
8. 2023/05/11 22:29:45 [error] 96196#96196: *64 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
9. 2023/05/11 22:29:45 [error] 96196#96196: *65 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
10. 2023/05/11 22:29:45 [error] 96196#96196: *66 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
11. 2023/05/11 22:29:45 [error] 96196#96196: *67 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"

二、Nginx请求限制配置实战

1、修改Nginx配置文件，重启Nginx，ab压力测试

1. # http标签段定义请求限制, rate限制速率，限制一秒钟最多一个IP请求
2. http {
3. limit_req_zone $binary_remote_addr zone=req_zone:10m rate=1r/s;
4. }
5. 
6. server {
7.  listen 80;
8.  server_name blog.koten.com;
9.  root /code/wordpress;
10.   index index.php index.html index.htm;
11. 
12.   location ~\.php$ {
13.     root /code/wordpress;
14.     fastcgi_pass 127.0.0.1:9000;
15.     fastcgi_index index.php;
16.     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
17.                 fastcgi_param HTTPS on;
18.     include fastcgi_params;
19.   }
20.     # 1r/s只接收一个请求,其余请求拒绝处理并返回错误码给客户端
21.     #limit_req zone=req_zone;
22. 
23.     # 请求超过1r/s,剩下的将被延迟处理,请求数超过burst定义的数量, 多余的请求返回503
24. limit_req zone=req_zone burst=3 nodelay;
25. }
26. [root@Web01 ~]# systemctl restart nginx
27. [root@Web01 ~]# ab -n 20 -c 2  http://blog.koten.com/

2、查看Nginx报错日志

1. [root@Web01 ~]# tail -10 /var/log/nginx/error.log
2. 2023/05/11 22:39:46 [error] 99013#99013: *77 limiting requests, excess: 3.919 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
3. 2023/05/11 22:39:46 [error] 99013#99013: *78 limiting requests, excess: 3.919 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
4. 2023/05/11 22:39:46 [error] 99013#99013: *79 limiting requests, excess: 3.918 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
5. 2023/05/11 22:39:46 [error] 99013#99013: *80 limiting requests, excess: 3.918 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
6. 2023/05/11 22:39:46 [error] 99013#99013: *81 limiting requests, excess: 3.917 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
7. 2023/05/11 22:39:46 [error] 99013#99013: *82 limiting requests, excess: 3.917 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
8. 2023/05/11 22:39:46 [error] 99013#99013: *83 limiting requests, excess: 3.917 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
9. 2023/05/11 22:39:46 [error] 99013#99013: *84 limiting requests, excess: 3.905 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
10. 2023/05/11 22:39:46 [error] 99013#99013: *85 limiting requests, excess: 3.905 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
11. 2023/05/11 22:39:46 [error] 99013#99013: *86 limiting requests, excess: 3.904 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"

3、Nginx请求限制重定向

在Nginx请求限制的过程中，我们可以自定义一个返回值，也就是错误页面的状态码。

默认情况下是503

1、修改默认返回状态码为478

1. [root@Web01 ~]# cat /etc/nginx/conf.d/wordpress.conf
2. server {
3.  listen 80;
4.  server_name blog.koten.com;
5.  root /code/wordpress;
6.  index index.php index.html index.htm;
7. 
8.  location ~\.php$ {
9.    root /code/wordpress;
10.     fastcgi_pass 127.0.0.1:9000;
11.     fastcgi_index index.php;
12.     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
13.                 fastcgi_param HTTPS on;
14.     include fastcgi_params;
15.   }
16.   limit_req zone=req_zone burst=3 nodelay;
17.   limit_req_status 478
18. }
19. 
20. #访问后查看日志发现状态码变为478
21. [root@Web01 ~]# cat /var/log/nginx/access.log|grep 478
22. 10.0.0.7 - - [11/May/2023:22:53:58 +0800] "GET / HTTP/1.0" 478 130 "-" "ApacheBench/2.3" "-"

2、重定向报错页面

1. [root@Web01 ~]# cat /etc/nginx/conf.d/wordpress.conf 
2. server {
3.  listen 80;
4.  server_name blog.koten.com;
5.  root /code/wordpress;
6.  index index.php index.html index.htm;
7. 
8.  location ~\.php$ {
9.    root /code/wordpress;
10.     fastcgi_pass 127.0.0.1:9000;
11.     fastcgi_index index.php;
12.     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
13.                 fastcgi_param HTTPS on;
14.     include fastcgi_params;
15.   }
16.   limit_req zone=req_zone burst=3 nodelay;
17.   limit_req_status 478;
18.   error_page 478 /err.html;
19. }
20. [root@Web01 ~]# cat /code/wordpress/err.html
21. <img style='width:100%;height:100%;' src=https://img.zcool.cn/community/01da295b2749baa8012034f792b59f.jpg@1280w_1l_2o_100sh.jpg>

Nginx请求限制比连接限制更有效

首先HTTP是建立在TCP基础之上,在完成HTTP请求需要先建立TCP三次握手（称为TCP连接）,在连接的基础上在完成HTTP的请求。所以多个HTTP请求可以建立在一次TCP连接之上, 那么我们对请求的精度限制，当然比对一个连接的限制会更加的有效，因为同一时刻只允许一个TCP连接进入, 但是同一时刻多个HTTP请求可以通过一个TCP连接进入。所以针对HTTP的请求限制才是比较优的解决方案。

Nginx请求限制如何做

如果作为代理服务器，我们需要限制每个用户的请求速度和链接数量，但是，由于一个页面有多个子资源，如果毫无选择的都进行限制，那就会出现很多不必要的麻烦，如：一个页面有40个子资源，那么如果想让一个页面完整的显示，就需要将请求速度和连接数都调整到40，以此达到不阻塞用户正常请求，而这个限制，对服务器性能影响很大，几百用户就能把一台nginx的处理性能拉下来。

所以我们需要制定哪些请求是需要进行限制的，如html页面；哪些是不需要限制的，如css、js、图片等，这样就需要通过配置对应的location进一步细化。不对css、js、gif、png，jpg等进行连接限制，对除此之外的链接进行限制。

我是koten，10年运维经验，持续分享运维干货，感谢大家的阅读和关注！