Detailed explanation of Nginx http resource request limit (three methods)

Prerequisite: nginx needs to have the ngx_http_limit_conn_module and ngx_http_limit_req_module modules. You can use the command 2>&1 nginx -V | tr ' ' '\n'|grep limit to check whether there are corresponding modules. If not, recompile and install these two modules.

Test version: nginx version 1.15+

Limit the number of links

1. Use the limit_conn_zone directive to define the key and set the parameters of the shared memory zone (the worker processes will use this zone to share a counter for the key value). The first argument specifies the expression to be evaluated as the key. The second parameter, zone, specifies the name of the zone and its size:

limit_conn_zone $binary_remote_addr zone=addr:10m;

2. Use the limit_conn directive in the location {} , server {} or http {} context to apply the limit. The first argument is the shared memory zone name set above, and the second argument is the number of connections allowed for each key:

location /download/ {
 limit_conn addr 1;
}

When using the $binary_remote_addr variable as a parameter, the restriction is based on the IP address. You can also use the $server_name variable to limit the number of connections to a given server:

http {
 limit_conn_zone $server_name zone=servers:10m;

 server {
 limit_conn servers 1000;
 }
}

Limiting request rate

Rate limiting can be used to prevent DDoS, CC attacks, or to prevent an upstream server from being overwhelmed by too many requests at the same time. This method is based on the leaky bucket algorithm, where requests arrive at the bucket at various rates and leave the bucket at a fixed rate. Before using rate limiting, you need to configure the global parameters of the "leaky bucket":

• key - a parameter used to distinguish one client from another, usually a variable
• shared memory zone - the name and size of the zone that holds the state of these keys (i.e. the "leaky bucket")
• rate - the request rate limit specified in requests per second (r/s) or requests per minute (r/m) ("leaky bucket draining"). Requests per minute is used to specify a rate that is less than one request per second.

These parameters are set using the limit_req_zone directive. This directive is defined on http{} level - this approach allows to apply different zones and request overflow parameters to different contexts:

http {
 #...

 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}

With this configuration, a shared memory zone named one with a size of 10m bytes will be created. This area holds the state of the client IP address set using the $binary_remote_addr variable. Note that $remote_addr also contains the client's IP address, while $binary_remote_addr holds the shorter binary representation of the IP address.

The optimal size of the shared memory area can be calculated using the following data: $binary_remote_addr The value size of an IPv4 address is 4 bytes, and the storage state on 64-bit platforms occupies 128 bytes. Therefore, the state information for approximately 16,000 IP addresses occupies 1M bytes of this area.

If storage space is exhausted when NGINX needs to add a new entry, the oldest entry is deleted. If the freed space is still insufficient to accommodate the new record, NGINX returns a 503 Service Unavailable status code, which can be redefined using the limit_req_status directive.

Once this zone is set, you can limit the request rate using the limit_req directive anywhere in the NGINX configuration, especially in the server {} , location {} , and http {} contexts:

http {
 #...

 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

 server {
 #...

 location /search/ {
  limit_req zone=one;
 }
 }
}

Using the above configuration, nginx will process no more than 1 request per second under the /search/ route, delaying these requests in such a way that the total rate is no greater than the set rate. NGINX will delay processing such requests until the "bucket" (shared bucket one) is full. For requests that reach the full bucket, NGINX responds with a 503 Service Unavailable error (when limit_req_status does not set a custom status code).

Limit bandwidth

To limit the bandwidth per connection, use the limit_rate directive:

location /download/ {
 limit_rate 50k;
}

With this setup, clients will be able to download content at speeds of up to 50k/sec over a single connection. However, a client can open multiple connections to bypass this limit. Therefore, if the goal is to prevent download speeds greater than a specified value, the number of connections should also be limited. For example, one connection per IP address (if using the shared memory zone specified above):

location /download/ {
 limit_conn addr 1;
 limit_rate 50k;
}

To impose limits only after the client has downloaded a certain amount of data, use the limit_rate_after directive. It might be reasonable to allow the client to quickly download a certain amount of data (e.g., the file header - the movie index) and limit the rate at which the rest of the data is downloaded (making the user watch the movie instead of downloading it).

limit_rate_after 500k;
limit_rate 20k;

The following example shows a combined configuration for limiting the number of connections and bandwidth. The maximum number of connections allowed is set to 5 connections per client address, which is suitable for most common cases, as modern browsers usually have a maximum of 3 connections open at a time. Also, only one connection is allowed to the location where the download is provided:

http {
 limit_conn_zone $binary_remote_address zone=addr:10m

 server {
 root /www/data;
 limit_conn addr 5;

 location / {
 }

 location /download/ {
  limit_conn addr 1;
  limit_rate_after 1m;
  limit_rate 50k;
 }
 }
}

The content is translated from the nginx request restriction part of the document, with a slight adjustment of the semantics.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.