nginx rate limiting

Rate limiting restricts the number of HTTP requests a client may make in a given period. It has security uses, such as slowing down brute-force password guessing against a login form, and it helps absorb part of a DDoS flood. Most commonly, though, it is used to protect the upstream application servers from being overwhelmed by too many simultaneous user requests.

1. How Nginx rate limits

Nginx's rate limiting uses the leaky bucket algorithm. Picture a bucket with water poured in at the top and a hole in the bottom: if water is poured in faster than it leaks out, the bucket eventually overflows. Applied to request processing, the water is the stream of client requests, the bucket is the queue of requests waiting to be handled first in, first out (FIFO), the water leaking from the bottom is the requests leaving the queue to be processed by the server at a constant rate, and the water spilling over the rim is the requests that are discarded without being processed. In nginx terms, each key (for example each client address) has its own bucket; a request that would raise the number of queued requests above the configured burst is rejected, and, unless nodelay is set, requests inside the burst are held back so that they reach the upstream at exactly the configured rate.

2. Configure basic rate limiting

Rate limiting is configured with two main directives, limit_req_zone and limit_req, as follows:

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;

upstream myweb {
        server 10.0.105.196:80 weight=1 max_fails=1 fail_timeout=1;
}

server {
        listen 80;
        server_name localhost;

        location /login {
                limit_req zone=mylimit;
                proxy_pass http://myweb;
                proxy_set_header Host $host:$server_port;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}
On the upstream host 10.0.105.196, the configuration is:

server {
        listen 80;
        server_name localhost;
        location /login {
                root    /usr/share/nginx/html;
                index   index.html index.htm;
        }
}

The limit_req_zone directive defines the parameters of the limit and the shared memory zone that holds its state, but on its own it limits nothing. The limit_req directive enables the limit and applies it to a specific location or server block (in the example, to all requests for /login). limit_req also takes an optional burst=N parameter, the number of requests a client may queue above the rate before further ones are rejected, and nodelay, which serves the queued requests immediately instead of pacing them at the rate. Without burst, as in the example, every request that arrives faster than the rate is rejected outright.

The limit_req_zone directive may only appear in the http block, which is what lets one zone be shared by several server and location blocks. It takes three parameters:

  • Key - the request characteristic the limit is keyed on. The example uses the nginx variable $binary_remote_addr, which holds the client IP address in binary form (4 bytes for IPv4, 16 for IPv6, smaller than the text form in $remote_addr). This is the address of the TCP peer: behind a load balancer or CDN every request would share one key, so in that case configure the realip module (set_real_ip_from and real_ip_header) first.
  • Zone - the shared memory zone that stores the state of each key (its address and how far over the rate it is). zone=name:size gives the zone a name of your choice and, after the colon, its size. 1 MB holds the state of roughly 16,000 IP addresses; when the zone fills up, nginx evicts the least recently used entries and, if it still cannot allocate, answers the request with the error status.
  • Rate - the maximum request rate. In the example a single address may not exceed 1 request per second (1r/s); rates can also be given per minute (r/m) for limits below one request per second.
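The leaky bucket described in section 1 and the rate/burst/nodelay parameters described above are easiest to understand by watching the decision nginx makes per request. The following Python script is an added example for this page, not nginx's own code: it mirrors the per-key arithmetic of ngx_http_limit_req_module (nginx works in integer milliseconds; float seconds are used here for readability) and feeds it constructed arrival times from two constructed client addresses, 10.0.0.1 and 10.0.0.2.

```python
"""Simulation of the per-key decision made by nginx's limit_req.

Added example for this page, not nginx's own code: it mirrors the logic of
ngx_http_limit_req_module (one bucket per key; `excess` is how many requests
are queued above the configured rate) so the three outcomes, pass, delay and
reject, can be watched without running nginx. All timestamps and addresses
below are constructed for the example.
"""


class LimitReq:
    """Mirrors `limit_req_zone ... rate=Rr/s;` plus `limit_req zone=... burst=B [nodelay];`."""

    def __init__(self, rate: float, burst: int = 0, nodelay: bool = False):
        self.rate = rate          # requests per second (rate=1r/s -> 1.0)
        self.burst = burst        # requests allowed to queue above the rate (default 0)
        self.nodelay = nodelay    # serve queued requests at once instead of pacing them
        self.state = {}           # key -> (excess, last_seen): the "bucket" per key

    def request(self, key: str, now: float) -> tuple:
        """Return (decision, delay_seconds) for one request from `key` at time `now`.

        decision is "pass" (proxied now), "delay" (proxied after delay_seconds)
        or "reject" (the 503 / limit_req_status response).
        """
        if key not in self.state:
            # A key seen for the first time gets a fresh node with excess 0 and passes.
            self.state[key] = (0.0, now)
            return "pass", 0.0
        excess, last = self.state[key]
        # Water leaks out at `rate` while time passes, then this request pours one
        # unit in; the bucket never goes below empty.
        excess = max(excess - self.rate * (now - last) + 1.0, 0.0)
        if excess > self.burst:
            # Overflow: reject, leaving the stored state untouched as nginx does.
            return "reject", 0.0
        self.state[key] = (excess, now)
        if self.nodelay or excess == 0:
            return "pass", 0.0
        # Without nodelay the queued excess drains at `rate`, so this request
        # waits excess/rate seconds before being proxied upstream.
        return "delay", excess / self.rate


def simulate(limiter: LimitReq, arrivals: list) -> list:
    """Feed (key, timestamp) pairs in arrival order; return (key, decision, delay) per request."""
    return [(key, *limiter.request(key, t)) for key, t in arrivals]


def demo() -> dict:
    """Three constructed traffic patterns against rate=1r/s; returns just the decisions."""
    # The page's configuration: rate=1r/s and no burst. Two clients, the first
    # one retrying every 100 ms; each address has its own bucket.
    arrivals = [("10.0.0.1", 0.0), ("10.0.0.1", 0.1), ("10.0.0.2", 0.15),
                ("10.0.0.1", 0.2), ("10.0.0.1", 1.0), ("10.0.0.1", 2.5)]
    strict = [d for _, d, _ in simulate(LimitReq(rate=1.0), arrivals)]

    # burst=3: five requests in the same instant are served 1 s apart; the
    # fifth one overflows the bucket and is rejected.
    five_at_once = [("10.0.0.1", 0.0)] * 5
    queued = [(d, round(w, 3)) for _, d, w in simulate(LimitReq(rate=1.0, burst=3), five_at_once)]

    # burst=3 nodelay: the same five requests, then two more one second later.
    # The burst is served immediately, but the bucket still drains at 1r/s, so
    # only one extra request fits at t=1.0.
    later = five_at_once + [("10.0.0.1", 1.0), ("10.0.0.1", 1.0)]
    immediate = [d for _, d, _ in simulate(LimitReq(rate=1.0, burst=3, nodelay=True), later)]
    return {"strict": strict, "queued": queued, "immediate": immediate}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name}: {decisions}")
```

The "strict" pattern is what the page's /login configuration does: a client that retries faster than once per second gets the error response for every retry, and a rejected request does not refill its own bucket. The "queued" pattern shows why burst alone makes a login form feel slow (each queued request waits one more second), and the "immediate" pattern shows that nodelay removes the waiting but not the limit, which is the usual choice for APIs.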

4. Error code sent to client

By default, when a client exceeds the configured limit nginx responds with status 503 (Service Temporarily Unavailable). The limit_req_status directive (nginx 1.3.15 and later) changes this to another code between 400 and 599. The example below returns 404, which hides from the client that a limit exists at all; 429 (Too Many Requests) is the code that clients and monitoring tools expect for rate limiting, so prefer it unless hiding the limit is the goal:

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;

upstream myweb {
        server 10.0.105.196:80 weight=1 max_fails=1 fail_timeout=1;
}

server {
        listen 80;
        server_name localhost;

        location /login {
                limit_req zone=mylimit;
                limit_req_status 404;
                proxy_pass http://myweb;
                proxy_set_header Host $host:$server_port;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

18. nginx access control

1. nginx access control module

(1) IP-based access control: http_access_module
(2) User-based login: http_auth_basic_module

2. IP-based access control

1. Configuration syntax

Syntax: allow address | CIDR | unix: | all;
Default: none
Context: http, server, location, limit_except

Syntax: deny address | CIDR | unix: | all;
Default: none
Context: http, server, location, limit_except
===================================================
allow    permit     //an IP address or network segment
deny     refuse     //an IP address or network segment

2. Configuration test

Edit /etc/nginx/conf.d/access_mod.conf with the following contents:

[root@192 ~]# vim /etc/nginx/conf.d/access_mod.conf
server {
        listen 80;
        server_name localhost;
        location  / {
                root /usr/share/nginx/html;
                index index.html index.htm;
                deny 192.168.1.8;
                allow all;
        }
}
[root@192 ~]# nginx -t
[root@192 ~]# nginx -s reload

#Note:
1. Rules are checked in order, and the first rule whose IP address or network segment matches the client decides; later rules are not examined.
2. Consequently, if "allow all" comes before a deny line, the deny line can never match and has no effect.
3. When no rule matches, access is allowed (the default is allow all).

The host IP is 192.168.1.8 and the virtual machine IP is 192.168.1.11, so this configuration blocks the host and allows every other IP address. Opening http://192.168.1.11 from the host shows 403 Forbidden. The configuration can of course be reversed, and network segments can be used as well: allow 192.168.1.0/24; permits every address in that segment. Note that the module matches on the address of the TCP peer ($remote_addr); if nginx sits behind a proxy or load balancer, the rules see the proxy's address unless the realip module is configured.
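The three notes above (first match wins, a leading "allow all" kills every later deny, no match means allow) are the part of this module people get wrong. The script below is an added example for this page, not nginx's own code: it reproduces the first-match walk of ngx_http_access_module over a small set of rule blocks and evaluates the page's two hosts plus a constructed third address, 10.0.105.196, against each. The "wrong_order" block is deliberately the broken ordering described in note 2.

```python
"""First-match evaluation of nginx allow/deny rules.

Added example for this page, not nginx's own code: it reproduces how
ngx_http_access_module walks the allow/deny directives of a block in order,
stops at the first one whose address or network matches the client, and
allows the request when none matches. The rule sets and client addresses
below are constructed for the example (they reuse the page's 192.168.1.x hosts).
"""
import ipaddress


def parse_rules(config: str) -> list:
    """Turn lines like 'deny 192.168.1.8;', 'allow 192.168.1.0/24;' or 'allow all;'
    into (action, network) pairs in file order. None stands for 'all'."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        target = target.strip()
        if action not in ("allow", "deny") or not target:
            raise ValueError(f"not an access directive: {raw!r}")
        # A bare address becomes a /32 (IPv4) or /128 (IPv6) network;
        # strict=False tolerates a CIDR with host bits set instead of raising.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules: list, client_ip: str) -> bool:
    """First matching rule decides; an empty or non-matching list means allow."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action == "allow"
    return True


# The page's access_mod.conf: deny the host, allow everyone else.
CORRECT = """
    deny 192.168.1.8;
    allow all;
"""
# Same two directives in the other order: 'allow all' matches first, so the
# deny line can never be reached (note 2 in the text).
WRONG_ORDER = """
    allow all;
    deny 192.168.1.8;
"""
# Whitelist style: the LAN may reach this location, nobody else can.
LAN_ONLY = """
    allow 192.168.1.0/24;
    deny all;
"""
CLIENTS = ("192.168.1.8", "192.168.1.11", "10.0.105.196")


def demo() -> dict:
    """Evaluate each client against each rule set; returns {name: {ip: allowed}}."""
    return {
        name: {ip: is_allowed(parse_rules(cfg), ip) for ip in CLIENTS}
        for name, cfg in (("correct", CORRECT), ("wrong_order", WRONG_ORDER), ("lan_only", LAN_ONLY))
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, {ip: ("allow" if ok else "403") for ip, ok in verdicts.items()})
```

Running it prints "allow" for 192.168.1.8 under wrong_order, which is exactly the silent failure note 2 warns about; when a block is meant as a whitelist, end it with deny all so that the implicit default allow never applies.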

3. Reject all requests for a specified location

To reject every request for a given URL prefix, put a single deny all directive in its location block:

[root@192 ~]# vim /etc/nginx/conf.d/access_mod.conf
server {
        listen 80;
        server_name localhost;
        location  / {
                root /usr/share/nginx/html;
                index index.html index.htm;
                deny all;    #Reject all
        }
}

[root@192 ~]# nginx -t
[root@192 ~]# nginx -s reload

3. User-based trust login

(2) User-based login module: http_auth_basic_module

Sometimes some pages of a site should not be public and only particular clients should be able to reach them. In that case we can require authentication on access, like putting a lock on your own door to keep out uninvited guests.

1. Configuration syntax

Syntax: auth_basic string | off;
Default: auth_basic off;
Context: http, server, location, limit_except

Syntax: auth_basic_user_file file;
Default: none
Context: http, server, location, limit_except
file: the file that stores the user names and password hashes, one user:hash pair per line.

2. Configuration example

[root@192 ~]# vim /etc/nginx/conf.d/auth_mod.conf
server {
    listen 80;
    server_name localhost;
    location ~ /admin {
        root /var/www/html;
        index index.html index.htm;
        auth_basic "Auth access test!";
        auth_basic_user_file /etc/nginx/auth_conf;
    }
}

[root@192 ~]# nginx -t
[root@192 ~]# nginx -s reload
[root@192 ~]# mkdir -p /var/www/html/admin    #Create the directory the location serves
[root@192 ~]# vim /var/www/html/admin/index.html    #Create a test page

If auth_basic is set to anything other than off, authentication is enabled and the string is the realm shown in the browser's login prompt; auth_basic_user_file names the file holding the account names and password hashes. Keep that file outside any directory nginx serves and readable only by root and the nginx worker user. Note that HTTP Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so only enable it on a server block that uses HTTPS.

3. Create password file

[root@192 ~]# yum install -y httpd-tools    #htpasswd comes from the Apache httpd project and generates password files for HTTP basic authentication
[root@192 ~]# htpasswd -cm /etc/nginx/auth_conf user10    # -c creates the file (overwriting an existing one), -m hashes the password with Apache's MD5 scheme ($apr1$)
[root@192 ~]# htpasswd -m /etc/nginx/auth_conf user20     # no -c: appends a second user to the existing file
[root@192 ~]# cat /etc/nginx/auth_conf
user10:$apr1$MOa9UVqF$RlYRMk7eprViEpNtDV0n40
user20:$apr1$biHJhW03$xboNUJgHME6yDd17gkQNb0

4. Access test

Posted by jrinco11 on Wed, 11 May 2022 01:11:15 +0300