+ +

openresty限频

+ +
+

Openresty安装并限频

+
+

内核调参
安装Openresty
加载lua脚本实现限频
nginx配置文件
vhosts 示例
测试

+
+

内核调参

openresty版本:openresty-1.19.9.1
机器规格: 8c16g
内核参数修改并生效: cat /etc/sysctl.conf && sysctl -p
sysctl.conf
fs.file-max = 1577138
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 524288
net.nf_conntrack_max = 524288
net.core.netdev_max_backlog = 50000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65000

+

安装Openresty

源码编译,nginx二进制文件;
#下载openrestry,对应apt安装的版本
wget –no-check-certificate https://openresty.org/download/openresty-1.19.9.1.tar.gz

+

#下载nginx_upstream_check_module模块
wget –no-check-certificate https://github.com/yaoweibin/nginx_upstream_check_module/archive/v0.3.0.tar.gz

+

tar -xf openresty-1.19.9.1.tar.gz
tar -xf v0.3.0.tar.gz
cp -r nginx_upstream_check_module-0.3.0/ openresty-1.19.9.1/bundle/

+

#更新源
apt-get update
#安装编译需要依赖
sudo apt install make gcc libpcre3 libpcre3-dev openssl libssl-dev zlib1g-dev libgeoip-dev

+

编译

cd openresty-1.19.9.1/

+

sudo ./configure –prefix=/usr/local/openresty –with-cc-opt=’-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include’ –with-ld-opt=’-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib’ –add-module=./bundle/nginx_upstream_check_module-0.3.0/ –with-pcre-jit –with-stream –with-stream_ssl_module –with-stream_ssl_preread_module –with-http_v2_module –without-mail_pop3_module –without-mail_imap_module –without-mail_smtp_module –with-http_stub_status_module –with-http_realip_module –with-http_addition_module –with-http_auth_request_module –with-http_secure_link_module –with-http_random_index_module –with-http_gzip_static_module –with-http_sub_module –with-http_dav_module –with-http_flv_module –with-http_mp4_module –with-http_gunzip_module –with-threads –with-stream –with-http_ssl_module –with-http_geoip_module

+

sudo make
sudo make install

+

mkdir -p /usr/local/nginx/conf-openresty.d
mkdir -p /usr/local/nginx/vhosts
cp /usr/local/openresty/nginx/conf/mime.types /usr/local/nginx/mime.types

+

指定nginx配置文件

/usr/local/openresty/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf #(依照机器具体nginx配置)
加载lua脚本实现限频
lua脚本和lua限频率配置压缩包 https://www.jxhs.me/data/2024-06-23/openresty-lua.tar.gz

+
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
配置文件目录:/usr/local/openresty/nginx/config
application.json
rules/frequency_limit.json
rules/filter.json
tar -zxvf openresty-lua.tar.gz -C /usr/local/openresty/nginx/
cd /usr/local/openresty/nginx/config/rules/
vim frequency_limit.json
[
{
"enable": true,
"matchers": {
"URL": {
"operator": "≈",
"value": "api-test.test.com/info"
}
},
"count": "6", # 6次访问次数
"time": "1", # 1s
"limit_items": ["ip"]
}
]
+

nginx配置文件

+
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
nginx主配置文件
user ubuntu;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;

error_log /app/logs/nginx/error.log warn;

events {
worker_connections 50240;
use epoll;
}

http {
include mime.types;
default_type application/octet-stream;

log_format main '{'
'"time_local": "$time_local",'
'"remote_addr": "$remote_addr",'
'"http_x_forwarded_for": "$http_x_forwarded_for",'
'"http_x_amzn_trace_id": "$http_x_amzn_trace_id",'
'"host": "$host",'
'"server_port": "$server_port",'
'"status": "$status",'
'"request_time": "$request_time",'
'"upstream_connect_time": "$upstream_connect_time",'
'"upstream_header_time": "$upstream_header_time",'
'"request": "$request",'
'"request_id": "$request_id",'
'"upstream_addr": "$upstream_addr",'
'"upstream_response_time": "$upstream_response_time",'
'"upstream_status": "$upstream_status",'
'"request_length": "$request_length",'
'"body_bytes_sent": "$body_bytes_sent",'
'"remote_user": "$remote_user",'
'"http_referer": "$http_referer",'
'"http_user_agent": "$http_user_agent"'
'}';

sendfile on;
send_timeout 30;

keepalive_timeout 75s;
keepalive_requests 20000;
gzip on;
gzip_min_length 1000;
gzip_buffers 4 8k;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_types text/css text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml application/xhtml+xml application/javascript application/json;

proxy_buffer_size 128k;
proxy_buffers 32 128k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_read_timeout 15s;
proxy_connect_timeout 3s;
# proxy_ignore_client_abort on;
client_max_body_size 120m;
client_body_buffer_size 120M;

server_tokens off;

geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_city /usr/share/GeoIP/GeoLiteCity.dat;


map $http_x_forwarded_for $RealIpFromForwarded {
"" $remote_addr;
~^.*?,?(?P<ipAddr>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$ $ipAddr;
}

map $http_x_connecting_ip $clientRealIp {
"" $RealIpFromForwarded;
~^.*?,?(?P<ipAddr>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$ $ipAddr;
}

server {
listen 80;
server_name localhost;

location / {
return 404;
}

location /health {
add_header Content-Type text/plain;
return 200 'ngx up!';
}        
location /nginx_status {
stub_status on;
allow 127.0.0.1; #only allow requests from localhost
deny all; #deny all other hosts
}    
}

include conf-openresty.d/*.conf;
include vhosts/*.conf;
}
+

nginx配置加载lua脚本

+
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# vim /usr/local/nginx/conf-openresty.d/in_http_block.conf

lua_package_path '/usr/local/openresty/nginx/lua/?.lua;;/usr/local/openresty/nginx/lua/module/?.lua;;/usr/local/openresty/nginx/lua/library/?.lua;;';
lua_package_cpath '/usr/local/openresty/nginx/lua/?.so;;';
lua_code_cache on;

lua_shared_dict frequency_limit 10m;
lua_shared_dict config 5m;
lua_shared_dict summary 20m;
lua_shared_dict status 10m;

init_by_lua_file /usr/local/openresty/nginx/lua/on_init.lua;
access_by_lua_file /usr/local/openresty/nginx/lua/on_access.lua;
rewrite_by_lua_file /usr/local/openresty/nginx/lua/on_rewrite.lua;
log_by_lua_file /usr/local/openresty/nginx/lua/on_log.lua;
+

vhosts 示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
vim /usr/local/nginx/vhosts/api-test.test.com.conf
server {
listen 80;
server_name api-test.test.com;

access_log /app/logs/nginx/api-test.test.com.access.log json;
error_log /app/logs/nginx/api-test.test.com.error.log error;

location / {
proxy_pass http://xx.xx.xx.xx:port;
}
location /info {
echo "123 $remote_addr";
}
}
+

测试

1.启动openresty

+
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
nginx.service 
cat /lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf -t
ExecStart=/usr/local/openresty/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/usr/local/openresty/nginx/sbin/nginx -s reload
ExecStop=/usr/local/openresty/nginx/sbin/nginx -s stop
PrivateTmp=true
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
+

在另外一台服务器配置hosts做测试,模拟20个请求访问 http://api-test.test.com/info,在1s内超过6个的其他请求会返回 frequency limit 的网页信息并返回429的状态码
~$ sudo /usr/local/openresty/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf # 启动 openresty

+

在另外一台主机上测试,模拟20个请求

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
~$ for i in {1..20};do curl http://api-test.test.com/info;done
123 172.31.15.178
123 172.31.15.178
123 172.31.15.178
123 172.31.15.178
123 172.31.15.178
123 172.31.15.178
<!DOCTYPE html>
<html>
<body>
<h1>frequency limit</h1>
</body>
</html>
<!DOCTYPE html>
<html>
<body>
<h1>frequency limit</h1>
</body>
</html>
<!DOCTYPE html>
<html>
<body>
<h1>frequency limit</h1>
</body>
</html>
<!DOCTYPE html>
<html>
<body>
<h1>frequency limit</h1>
</body>
</html>
<!DOCTYPE html>
<html>
<body>
<h1>frequency limit</h1>
</body>
</html>
...
+

查看nginx日志,看到返回429 status code,符合预期

+ +
+
+
+ + +

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!

+ + +
+
+ + +
+ +
+ +
+ + +