2. Access control configuration example: allow only the listed clients and deny everyone else
```bash
[root@Web01 code]# cat /etc/nginx/conf.d/module.conf
server {
    listen 80;
    server_name module.koten.com;
    access_log off;

    location /nginx_status {
        stub_status;
        # allow/deny rules are evaluated in order; the first match wins
        allow 10.0.0.1/24;
        allow 127.0.0.1;
        deny all;          # default deny for every other client
    }
}
[root@Web01 code]# systemctl restart nginx

[root@Web02 code]# tail -1 /etc/hosts   # add a hosts entry so the name resolves
10.0.0.7 module.koten.com
[root@Web02 code]# curl -s module.koten.com/nginx_status
Active connections: 2
server accepts handled requests
 56 56 55
Reading: 0 Writing: 1 Waiting: 1
```
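The allow/deny block above is evaluated top to bottom and the first matching rule decides, so the order of the lines and the trailing `deny all` are what make it a whitelist. The following Python model is an added example (not code from the original post or from nginx) that reproduces that documented first-match behaviour with the standard `ipaddress` module; the rule lines are copied from the config above, and it also flags the `10.0.0.1/24` notation, which nginx accepts with a warning because host bits are set below the mask:

```python
"""Model of nginx allow/deny evaluation (ngx_http_access_module).

Added example, not code from the original post. It reproduces the documented
rule: allow/deny directives are checked in the order written and the first
rule whose network contains the client address decides. A client matching no
rule at all is allowed, which is why the trailing "deny all" matters.
"""
import ipaddress


def parse_rule(directive):
    """Parse one 'allow X;' or 'deny X;' line into (action, network | 'all')."""
    action, target = directive.strip().rstrip(";").split()
    if action not in ("allow", "deny"):
        raise ValueError("unsupported directive: %s" % action)
    if target == "all":
        return action, "all"
    # nginx accepts 10.0.0.1/24 with host bits set (it logs a warning and masks
    # them away); strict=False normalizes it the same way, to 10.0.0.0/24.
    return action, ipaddress.ip_network(target, strict=False)


def has_host_bits(target):
    """True when a CIDR such as 10.0.0.1/24 carries host bits below the mask."""
    if "/" not in target:
        return False
    iface = ipaddress.ip_interface(target)
    return iface.ip != iface.network.network_address


def build_ruleset(lines):
    """Turn a list of directive strings into an ordered rule list."""
    return [parse_rule(line) for line in lines]


def is_allowed(client_ip, rules):
    """First-match evaluation: True when the client may access the location."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        # An IPv6 client never matches an IPv4 network (and vice versa), so
        # 'allow 127.0.0.1' does not cover ::1 if nginx also listens on IPv6.
        if net == "all" or addr in net:
            return action == "allow"
    return True  # no rule matched: nginx falls through to allow


# Rules copied from the /nginx_status location above.
PAGE_RULES = build_ruleset(["allow 10.0.0.1/24;", "allow 127.0.0.1;", "deny all;"])
# The same rules without the default-deny line, to show what it adds.
OPEN_RULES = build_ruleset(["allow 10.0.0.1/24;", "allow 127.0.0.1;"])

if __name__ == "__main__":
    for ip in ("10.0.0.7", "127.0.0.1", "192.168.1.5", "::1"):
        print(ip, "allowed" if is_allowed(ip, PAGE_RULES) else "denied")
    print("10.0.0.1/24 has host bits set:", has_host_bits("10.0.0.1/24"))
```

Run it directly to see that 10.0.0.7 and 127.0.0.1 pass while 192.168.1.5 and ::1 are denied; drop `deny all` (the `OPEN_RULES` set) and the unlisted client is allowed, which is the mistake a review of such a block should catch.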
II. Nginx user login authentication (HTTP basic auth)
1. Install httpd-tools, the package that provides the htpasswd command
```bash
[root@Web01 ~]# yum -y install httpd-tools
```
2. Create a new password file: -c creates the file, -b takes the password from the command line
```bash
# user "koten", password "1" (the password is only a demo value)
[root@Web01 ~]# htpasswd -b -c /etc/nginx/auth_conf koten 1
Adding password for user koten
```
3. Reference the password file from the Nginx configuration
```bash
[root@Web01 ~]# cat /etc/nginx/conf.d/module.conf
server {
    listen 80;
    server_name module.koten.com;
    access_log off;

    location /nginx_status {
        stub_status;
        auth_basic "请输入账号和密码!";
        # relative path, resolved against the nginx prefix directory (/etc/nginx here)
        auth_basic_user_file auth_conf;
    }
}
[root@Web01 ~]# systemctl restart nginx
```
Access limiting modules
In production, servers regularly run into abnormal traffic and excessive load. High-volume malicious traffic wastes bandwidth and disrupts the business, so we usually limit the number of connections and the number of requests from a single IP.
The ngx_http_limit_conn_module limits the number of connections per defined key value, for example the number of connections from the same source IP.
limit_conn_module: connection limiting
limit_req_module: request rate limiting
I. Nginx connection limit configuration example
1. Enable the module in the Nginx configuration
```bash
[root@Web01 ~]# cat /etc/nginx/nginx.conf |grep limit
    limit_conn_zone $remote_addr zone=conn_zone:10m;   # goes in the http block
[root@Web01 ~]# cat /etc/nginx/conf.d/wordpress.conf |grep limit
    limit_conn conn_zone 1;                            # goes in the server block: 1 connection per key
[root@Web01 ~]# systemctl restart nginx
```
2. Load test with the ab tool
```bash
[root@Web01 ~]# tail -1 /etc/hosts
10.0.0.7 blog.koten.com
[root@Web01 ~]# yum -y install httpd-tools
# 20 requests with 2 concurrent connections
[root@Web01 ~]# ab -n 20 -c 2 http://blog.koten.com/
```
3. Check the Nginx error log
```bash
[root@Web01 ~]# tail -10 /var/log/nginx/error.log
2023/05/11 22:29:45 [error] 96196#96196: *58 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *59 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *60 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *61 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *62 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *63 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *64 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *65 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *66 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:29:45 [error] 96196#96196: *67 limiting connections by zone "conn_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
```
II. Nginx request limiting in practice
1. Modify the Nginx configuration, restart Nginx, and load test with ab
```nginx
# Define the request limit zone in the http block; rate sets the speed,
# here at most one request per second per client IP
http {
    limit_req_zone $binary_remote_addr zone=req_zone:10m rate=1r/s;
}

server {
    listen 80;
    server_name blog.koten.com;
    root /code/wordpress;
    index index.php index.html index.htm;

    location ~\.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
    # With 1r/s alone, one request is accepted and the rest are rejected with an error code
    #limit_req zone=req_zone;

    # Requests above 1r/s are queued up to burst; beyond burst the surplus gets 503.
    # nodelay serves the queued requests immediately instead of spacing them out.
    limit_req zone=req_zone burst=3 nodelay;
}
```

```bash
[root@Web01 ~]# systemctl restart nginx
[root@Web01 ~]# ab -n 20 -c 2 http://blog.koten.com/
```
2. Check the Nginx error log
```bash
[root@Web01 ~]# tail -10 /var/log/nginx/error.log
2023/05/11 22:39:46 [error] 99013#99013: *77 limiting requests, excess: 3.919 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *78 limiting requests, excess: 3.919 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *79 limiting requests, excess: 3.918 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *80 limiting requests, excess: 3.918 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *81 limiting requests, excess: 3.917 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *82 limiting requests, excess: 3.917 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *83 limiting requests, excess: 3.917 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *84 limiting requests, excess: 3.905 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *85 limiting requests, excess: 3.905 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
2023/05/11 22:39:46 [error] 99013#99013: *86 limiting requests, excess: 3.904 by zone "req_zone", client: 10.0.0.7, server: blog.koten.com, request: "GET / HTTP/1.0", host: "blog.koten.com"
```
3. Redirecting rejected requests to a custom page
When a request is rejected by the request limit, we can customize the return value, that is, the status code of the error page. The default is 503.
1. Change the default status code to 478
```bash
[root@Web01 ~]# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen 80;
    server_name blog.koten.com;
    root /code/wordpress;
    index index.php index.html index.htm;

    location ~\.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
    limit_req zone=req_zone burst=3 nodelay;
    limit_req_status 478;   # status returned to rejected requests (default 503)
}

# After sending requests, the access log shows the status code has changed to 478
[root@Web01 ~]# cat /var/log/nginx/access.log|grep 478
10.0.0.7 - - [11/May/2023:22:53:58 +0800] "GET / HTTP/1.0" 478 130 "-" "ApacheBench/2.3" "-"
```
2. Redirect to a custom error page
```bash
[root@Web01 ~]# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen 80;
    server_name blog.koten.com;
    root /code/wordpress;
    index index.php index.html index.htm;

    location ~\.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
    limit_req zone=req_zone burst=3 nodelay;
    limit_req_status 478;
    error_page 478 /err.html;   # serve this page whenever a 478 is generated
}
[root@Web01 ~]# cat /code/wordpress/err.html
<img style='width:100%;height:100%;' src=https://img.zcool.cn/community/01da295b2749baa8012034f792b59f.jpg@1280w_1l_2o_100sh.jpg>
```
Nginx request limiting is more effective than connection limiting
HTTP runs on top of TCP: before an HTTP request can complete, a TCP three-way handshake (a TCP connection) must be established, and the HTTP request is then carried over that connection. Multiple HTTP requests can therefore share a single TCP connection, so limiting at request granularity is naturally more effective than limiting connections: a connection limit only admits one TCP connection at a time, yet many HTTP requests can arrive over that one connection at the same time. Limiting HTTP requests is therefore the better solution.
How to apply Nginx request limiting
When Nginx acts as a proxy server we need to limit each user's request rate and connection count. A page has many sub-resources, however, so limiting everything indiscriminately causes a lot of unnecessary trouble: if a page has 40 sub-resources, then for it to render completely both the request rate and the connection limit would have to be raised to 40 so that legitimate users are not blocked, and such a limit has a large impact on server performance; a few hundred users can drag down the processing capacity of a single nginx instance.
So we need to decide which requests should be limited, such as HTML pages, and which should not, such as CSS, JS and images, and refine this by configuring the corresponding location blocks: no limit for css, js, gif, png, jpg and similar assets, and limits for every other request.
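Two points above are easier to see in code than in prose: why the error log entries in the `limit_req` test report `excess: 3.919` (just over `burst=3`, which is exactly why those requests were rejected), and what exempting static assets via their own location changes for a page load. The following Python simulator is an added example, not code from the original post or from nginx; it reproduces the leaky-bucket algorithm that the nginx documentation describes for `ngx_http_limit_req_module` (excess counted in thousandths of a request, drained at `rate` per second, rejected once it would exceed `burst`), routes requests for constructed asset paths past the zone as a location without `limit_req` would, and parses the page's own error log lines. The client address, timestamps and the static-asset pattern are constructed for the example:

```python
"""Simulator for nginx limit_req (leaky bucket) with a per-location exemption.

Added example, not code from the original post. It models the documented
behaviour of ngx_http_limit_req_module: per key, an "excess" counter in
thousandths of a request grows by 1 per accepted request and drains at `rate`
requests per second; a request is rejected once excess would exceed `burst`.
With nodelay, accepted requests are not queued, so no delay is simulated.
Requests for static assets bypass the zone, standing in for a location block
that carries no limit_req directive. All inputs are constructed for the demo.
"""
import re

# Assumed exempt-location pattern, covering the asset types named in the text.
STATIC_ASSET = re.compile(r"\.(css|js|gif|png|jpe?g)$", re.IGNORECASE)
# Shape of the limit_conn / limit_req lines in nginx's error log.
LOG_RE = re.compile(
    r'limiting (?P<kind>requests|connections)'
    r'(?:, excess: (?P<excess>[\d.]+))? by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>\S+),'
)


class LimitReqZone:
    """One limit_req_zone: rate in r/s, burst in requests, state per key."""

    def __init__(self, rate, burst):
        self.rate_milli = int(rate * 1000)   # nginx keeps rate * 1000 ...
        self.burst_milli = burst * 1000      # ... and burst * 1000
        self.state = {}                      # key -> (last_ms, excess_milli)

    def check(self, key, now_ms):
        """Return (accepted, excess) for one request from `key` at `now_ms`."""
        if key not in self.state:            # first request from this key
            self.state[key] = (now_ms, 0)
            return True, 0.0
        last_ms, excess = self.state[key]
        elapsed = max(now_ms - last_ms, 0)
        # drain what leaked since the last accepted request, then add this one
        excess = max(excess - self.rate_milli * elapsed // 1000 + 1000, 0)
        if excess > self.burst_milli:
            return False, excess / 1000      # rejected; state is left untouched
        self.state[key] = (now_ms, excess)
        return True, excess / 1000


def handle(zone, client_ip, path, now_ms, status=503):
    """Serve one request: static assets skip the limit, everything else goes through it."""
    if STATIC_ASSET.search(path):
        return 200, None
    accepted, excess = zone.check(client_ip, now_ms)
    return (200 if accepted else status), excess


def simulate_burst(n=20, rate=1, burst=3, status=478, client="10.0.0.7"):
    """n simultaneous requests for '/' from one address, like 'ab -n 20' above."""
    zone = LimitReqZone(rate, burst)
    return [handle(zone, client, "/", 0, status) for _ in range(n)]


def parse_limit_log(line):
    """Extract kind, zone, client and excess from a limit_* error log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["excess"] = float(entry["excess"]) if entry["excess"] else None
    return entry


if __name__ == "__main__":
    results = simulate_burst()
    accepted = sum(1 for status, _ in results if status == 200)
    print("accepted %d, rejected %d" % (accepted, len(results) - accepted))
    print("first rejected request carried excess", results[accepted][1])
```

With `rate=1r/s burst=3`, a burst of 20 simultaneous requests admits four (excess 0, 1, 2, 3) and rejects sixteen at excess 4.0; the page's logged values of 3.9xx are the same counter after a few tens of milliseconds of drain. A second run two seconds later is admitted again because the counter has leaked back to 2.0, and a request for a `.css` path never touches the zone at all.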
I'm koten, with 10 years of ops experience, continuously sharing practical ops content. Thanks for reading and following!