Nginx preaccess phase: http_limit_conn_module, limiting client concurrency

 

The http_limit_conn_module module


The ngx_http_limit_conn_module module is used to limit the number of connections per the defined key, in particular, the number of connections from a single IP address.

Not all connections are counted. A connection is counted only if it has a request being processed by the server and the whole request header has already been read.

Example Configuration:

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    ...
    server {
        ...
        location /download/ {
            limit_conn addr 1;
        }
    }
}

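This module controls the number of concurrent connections per session according to a condition (for example, limiting the number of concurrent connections per IP). When an nginx server serves resources to users, limiting how many connections a user can open at the same time is a very commonly used feature.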

 

$binary_remote_addr: the IP address in binary format


Use the realip module to obtain the user's real IP, then limit the client's concurrent connections based on that real IP.

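You may have noticed that $binary_remote_addr is used here rather than $remote_addr. $remote_addr is 7 to 15 bytes long, and its session state takes 32 or 64 bytes. $binary_remote_addr is 4 bytes long, and its session state takes 32 bytes. With a 1M zone, about 32000 session states can be recorded (one session occupies 32 bytes). If the shared memory is exhausted, the server returns a 503 (Service Temporarily Unavailable) error to all subsequent requests.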

 

limit_conn_zone | limit_conn syntax (only 4 bytes under IPv4)


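The zone used here is memory shared by all worker processes, and number is how many concurrent connections are allowed. What are these concurrent connections counted against? They are counted per key, and the key is usually taken from the user's IP address, that is, $binary_remote_addr.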

 

limit_conn_zone    key     zone=name:size;

key: the metric the limit is applied to

zone=name:size: sets the zone's name (name) and its size (size)

context: http

eg: limit_conn_zone $binary_remote_addr zone=conn_zone:1m;

Creates a zone named conn_zone, 1m in size, used to store client IPs.

Syntax: limit_conn_zone key zone=name:size;
Default: none
Context: http

Sets parameters for a shared memory zone that will keep states for various keys. In particular, the state includes the current number of connections. The key can contain text, variables, and their combination. Requests with an empty key value are not accounted.

Usage example:

limit_conn_zone $binary_remote_addr zone=addr:10m;

Here, a client IP address serves as a key. Note that instead of $remote_addr, the $binary_remote_addr variable is used here. The $remote_addr variable’s size can vary from 7 to 15 bytes. The stored state occupies either 32 or 64 bytes of memory on 32-bit platforms and always 64 bytes on 64-bit platforms. The $binary_remote_addr variable’s size is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses. The stored state always occupies 32 or 64 bytes on 32-bit platforms and 64 bytes on 64-bit platforms. One megabyte zone can keep about 32 thousand 32-byte states or about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return the error to all further requests.

 

limit_conn   zone_name   number;

number: sets the allowed count

context: http, server, location

eg: limit_conn conn_zone 1;   (each IP in the zone may hold one connection at any given moment)

Syntax: limit_conn zone number;
Default: none
Context: http, server, location

Sets the shared memory zone and the maximum allowed number of connections for a given key value. When this limit is exceeded, the server will return the error in reply to a request. For example, the directives

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    location /download/ {
        limit_conn addr 1;
    }
}

allow only one connection per an IP address at a time.

There could be several limit_conn directives. For example, the following configuration will limit the number of connections to the server per a client IP and, at the same time, the total number of connections to the virtual server:

limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}

 

Log level and error code when the limit is hit


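limit_conn_log_level sets the level of the log entry written when a user's concurrent connections are limited. The default level is error. You can lower it, for example limit_conn_log_level warn, so that on a very high-traffic nginx these entries are kept out of the error-level log, which reduces I/O.

When a user reaches the concurrency limit, a status code is returned to the client. The default is 503, and it can be changed as needed.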

 

limit_conn_zone test


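limit_conn_zone $binary_remote_addr zone=addr:10m;   # add this line to the http block


server {
        root /usr/local/nginx/html/;
        error_log logs/myerror.log info;
        location = /index.html {
            index index.html;
            limit_conn_status 500;        # the error code returned to the user is 500
            limit_conn_log_level warn;    # changed from the default error to warn to reduce log volume
            limit_rate 50;                # limit the response speed to 50 bytes per second, which also makes it easy to demonstrate a client exceeding the concurrent connection limit
            limit_conn addr 1;            # limit concurrent connections to 1 for the demonstration: as soon as two clients access at the same time, 500 is returned
        }
}

[root@www logs]# curl 192.168.179.99  # run this command in two terminals at the same time; the client in the first terminal hits the concurrency limit and nginx directly returns status code 500 (the concurrent connection limit was triggered)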
<html>
<head><title>500 Service Temporarily Unavailable</title></head>
<body>
<center><h1>500 Service Temporarily Unavailable</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

[root@www ~]#  curl 192.168.179.99  # run in the other terminal
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@www logs]# tail -100f myerror.log   # what can be seen in the log
2020/04/22 23:10:27 [error] 74610#0: *2 limiting requests, excess: 0.155 by zone "one", client: 192.168.179.99, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:10:30 [error] 74610#0: *3 limiting requests, excess: 0.043 by zone "one", client: 192.168.179.99, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:10:34 [info] 74610#0: *2 client 192.168.179.99 closed keepalive connection
2020/04/22 23:10:37 [info] 74610#0: *3 client 192.168.179.99 closed keepalive connection
2020/04/22 23:10:49 [info] 74610#0: *4 client 192.168.179.99 closed keepalive connection
2020/04/22 23:14:31 [error] 74610#0: *6 limiting requests, excess: 0.855 by zone "one", client: 192.168.179.99, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:14:38 [info] 74610#0: *6 client 192.168.179.99 closed keepalive connection
2020/04/22 23:14:43 [info] 74610#0: *5 client 192.168.179.99 closed keepalive connection
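
Added example, not part of the original post: a Python tally of limiter rejections per zone and client from an nginx error log, useful for checking which clients actually hit the limit. It assumes limit_conn rejections are logged as `limiting connections by zone "..."` (the `limiting requests` wording in the excerpt above is what limit_req writes); the sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post). "limiting connections"
# is the limit_conn wording; "limiting requests" is written by limit_req.
SAMPLE_LOG = """\
2020/04/22 23:10:27 [warn] 74610#0: *2 limiting connections by zone "addr", client: 192.168.179.99, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:10:28 [warn] 74610#0: *3 limiting connections by zone "addr", client: 192.168.179.99, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:10:29 [warn] 74610#0: *4 limiting connections by zone "addr", client: 192.168.179.50, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:10:30 [error] 74610#0: *5 limiting requests, excess: 0.043 by zone "one", client: 192.168.179.99, server: , request: "GET / HTTP/1.1", host: "192.168.179.99"
2020/04/22 23:10:34 [info] 74610#0: *2 client 192.168.179.99 closed keepalive connection
"""

# Matches a limiter rejection line; ".*?" absorbs optional text such as
# ", excess: 0.043" that sits between the limiter kind and the zone name.
LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'limiting (?P<kind>connections|requests)\b.*? by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>[0-9A-Fa-f.:]+),'
)


def parse_limit_events(text):
    """Yield one dict per limit_conn / limit_req rejection line; skip the rest."""
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            yield m.groupdict()


def rejections_by_client(text, kind="connections"):
    """Count rejections per (zone, client) for one limiter kind."""
    return Counter(
        (e["zone"], e["client"]) for e in parse_limit_events(text) if e["kind"] == kind
    )


def noisy_clients(text, threshold, kind="connections"):
    """Return (zone, client, count) for clients at or above the threshold, busiest first."""
    counts = rejections_by_client(text, kind)
    return [(z, c, n) for (z, c), n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for zone, client, n in noisy_clients(SAMPLE_LOG, threshold=2):
        print(f"zone={zone} client={client} rejected={n}")
```

Because limit_conn_log_level changes the level tag but not the message text, the same pattern matches whether the entries are logged at warn or error.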
