Implementing access control and connection restriction based on Nginx

limit_conn_zone declares a zone space to record the connection status in order to limit the number.
zone is a space for storing connection status, which is stored in key-value pairs. Usually, the client address $binary_remote_addr is used as key to identify each connection.
When zone space is exhausted, 503(Service Temporarily Unavailable) .

Request limit limit_req_mudule

limit_req_mudule : HTTP request frequency limit. One TCP connection can establish multiple HTTP requests.
Configuration syntax:

user Set to use user worker_processes to increase the number of concurrent connections. Keep it consistent with the CPU. Set eight error_logs for eight cores. nginx error log pid. nginx service startup pid

worker_connections The maximum number of connections a process is allowed to handle use defines the kernel model used

root The path of the home page index The default page to visit on the home page error_page 500 502 503 504 /50x.html The 500 in front of the error page is **`http status code`**
systemctl restart nginx.service restart nginx
systemctl reload nginx.service restarts gently without shutting down the service

curl-v http://www.baidu.com >/dev/null #-v also displays status code and other information nginx -V #Displays nginx version and configuration file information

error.log (records the error status of processing http requests and the error status of nginx itself)
access.log (access status of each http request)

The zone here is also a space for storing connections.

Burst and Nodelay

burst and nodelay set a buffer and a strategy for delaying processing for concurrent requests.
First assume that there is the following zone configuration.

http {
 limit_req_zone $binan_remote_addr zone=req_zone:1m rate=10r/s;
}

Case 1: limit_req zone=req_zone;

• In the 1 second, 10 requests are sent and the response is normal.
• 13 requests are sent in the 1 second. The first 10 requests are responded normally, and the last 3 503(Service Temporarily Unavailable) .

Without brust and nodelay , rate=10r/s can only execute 10 requests per second, and more than 503 errors will be returned directly.

Case 2: limit_req zone=req_zone brust=5;

• In the 1 second, 10 requests are sent and the response is normal.
• In the 1 second, 13 requests are sent. The first 10 requests are responded to normally, and the last 3 requests are put into brust and wait for response.
• In the 1 second, 20 requests are sent. The first 10 requests are responded to normally. The next 5 requests are put into brust and wait for response. The last 5 requests return 503(Service Temporarily Unavailable) . In the 2 second, the 5 requests in brust are executed.
• In the first 1 , 20 requests are sent. The first 10 requests are responded normally, the next 5 requests are put into brust waiting for response, and the last 5 requests return 503(Service Temporarily Unavailable) . In the 2 second, 6 requests are sent, 5 requests in brust are executed, 5 requests are put into brust waiting for response, and the remaining 1 request returns 503(Service Temporarily Unavailable) .

When brust=5 is added but nodelay is not, there is a buffer with a capacity of 5 rate=10r/s , only 10 requests can be executed per second. The excess requests are put into the buffer. If the buffer is full, a 503 error is returned directly. The buffer will take out the request and respond in the next time period. If there are more requests coming in, it will continue to put them in the buffer. If there are too many, a 503 error will be returned.

Case 3: limit_req zone=req_zone brust=5 nodelay;

• In the 1 second, 10 requests are sent and the response is normal.
• In the first 1 , 13 requests were sent and 13 requests were responded to normally.
• 20 requests are sent in the 1 second. The first 15 requests are responded normally, and the last 5 503(Service Temporarily Unavailable) .
• In the first 1 , 20 requests are sent, the first 15 requests are responded to normally, and the last 5 requests return 503(Service Temporarily Unavailable) . In the 2 second, 6 requests are sent and responded to normally.

With brust=5 and nodelay , there is a buffer with a capacity of 5 , rate=10r/s 15 requests can be executed per second, 15=10+5 . More directly return 503 errors.

IP-based access control

http_ access_module: IP-based access control. Restrictions can be bypassed through a proxy. It protects against good guys but not bad guys.

Allow and deny will be placed in order, from top to bottom, to find the first matching rule and determine whether access is allowed, so all is usually placed last.

location / {
 deny 192.168.1.1;
 allow 192.168.1.0/24;
 allow 10.1.1.0/16;
 allow 2001:0db8::/32;
 deny all;
}

Access control based on user password

ht tp_auth_basic_module: Login based on file matching user password

The password file can be generated by htpasswd . htpasswd needs to be installed yum install -y httpd-tools .

# -c creates a new file, -b enters the password directly in the parameter $ htpasswd -bc /etc/nginx/conf.d/passwd user1 pw1
Adding password for user user1
$ htpasswd -b /etc/nginx/conf.d/passwd user2 pw2
Adding password for user user2
$ cat /etc/nginx/conf.d/passwd 
user1:$apr1$7v/m0.IF$2kpM9NVVxbAv.jSUvUQr01
user2:$apr1$XmoO4Zzy$Df76U0Gzxbd7.5vXE0UsE0

References

limit_conn_module

limit_req_mudule

http_access_module

http_auth_basic_module

Summarize

The above is what I introduced to you about access control and connection restriction based on Nginx. I hope it will be helpful to you. If you have any questions, please leave me a message and I will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!
If you find this article helpful, please feel free to reprint it and please indicate the source. Thank you!