How to Limit Network Bandwidth in the NGINX Web Server


Previously, in our NGINX traffic management and security controls series, we discussed how to limit the request rate (the rate at which a client can make requests) for your web resources.

To ensure that your application's bandwidth is not used up by a single client, you need to control the upload and download speed per client. This is a common NGINX security control against DoS (Denial of Service) attacks from malicious users who are simply trying to abuse the site's performance.

In this third part of the series, we explain how to limit network bandwidth in the NGINX web server.

Limiting Bandwidth in NGINX

To limit bandwidth in NGINX, use the limit_rate directive, which limits the rate at which a response is transmitted to a client. It is valid in the http, server, location, and "if statement within a location block" contexts, and it specifies the rate limit for the given context in bytes per second by default. You can also use m for megabytes or g for gigabytes.

limit_rate 20k;

Another related directive is limit_rate_after, which specifies that a connection should not be rate limited until a certain amount of data has been transferred. This directive can be set in the http, server, location, and "if statement within a location block" contexts.

limit_rate_after 500k;

Here is an example configuration that limits a client to downloading content over a single connection at a maximum speed of 20 kilobytes per second.

upstream api_service {
    server 10.1.1.10:9051;
    server 10.1.1.77:9052;
}

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html =404 =403 =500;
    }
    location /api {
        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /documents {
        limit_rate 20k;
        limit_rate_after 500k;
    }
}

Once you have added the required configuration described above, save the changes and close the file. Then check that the NGINX configuration syntax is correct, as follows:

$ sudo nginx -t

If everything is OK, reload the NGINX service to apply the new changes:

$ sudo systemctl reload nginx
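
To confirm that the limit is in effect after the reload, a measured download can be checked against the configured limit_rate and limit_rate_after. The script below is an added example, not part of the original guide: its function names and sample measurements are constructed for illustration, and the size and time values are the ones curl reports through its size_download and time_total write-out variables.

```shell
#!/bin/sh
# Added example: judge a measured download against limit_rate / limit_rate_after.
# A real measurement comes from curl (host and file are placeholders):
#   curl -s -o /dev/null -w '%{size_download} %{time_total}\n' http://<host>/documents/<file>

# Convert an NGINX size such as 20k or 1m to bytes (k = 1024, m = 1024 * 1024).
to_bytes() {
    case "$1" in
        *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
        *[mM]) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Minimum whole seconds a throttled transfer must take: the first
# limit_rate_after bytes are unthrottled, the remainder moves at limit_rate.
min_seconds() {   # args: size_bytes limit_rate limit_rate_after
    size=$1; rate=$(to_bytes "$2"); after=$(to_bytes "$3")
    if [ "$size" -le "$after" ]; then echo 0; return 0; fi
    echo $(( (size - after) / rate ))
}

# Classify one measurement:
#   throttled     elapsed time is consistent with the limit
#   too-fast      finished sooner than the limit allows
#   inconclusive  file is too small to be throttled for a full second
verdict() {   # args: size_bytes elapsed_seconds limit_rate limit_rate_after
    min=$(min_seconds "$1" "$3" "$4")
    if [ "$min" -eq 0 ]; then echo inconclusive; return 0; fi
    # 10% slack for timing noise; awk compares the fractional seconds.
    awk -v t="$2" -v m="$min" \
        'BEGIN { if (t >= m * 0.9) print "throttled"; else print "too-fast" }'
}

# Constructed sample measurements ("size_download time_total"), not real captures,
# checked against the /documents settings above (20k after the first 500k).
for sample in "2097152 79.3" "2097152 1.8" "409600 0.2"; do
    set -- $sample
    echo "$1 bytes in $2 s: $(verdict "$1" "$2" 20k 500k)"
done
```

A test file smaller than limit_rate_after is never throttled, so use a file well above 500k when checking the /documents location.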

Limiting Bandwidth and Number of Connections in NGINX

With the above configuration, a client can open multiple connections to increase its bandwidth. Therefore, in addition, you can limit connections per client using a parameter such as the IP address, as we looked at before.

For example, you can limit one connection per IP address.

upstream api_service {
    server 127.0.0.1:9051;
    server 10.1.1.77:9052;
}

limit_conn_zone $binary_remote_addr zone=limitconnbyaddr:20m;
limit_conn_status 429;

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html =404 =403 =500;
    }
    location /api {
        limit_conn   limitconnbyaddr  5;

        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /documents {
        limit_rate 50k;
        limit_rate_after 500k;
        limit_conn   limitconnbyaddr  1;
    }
}
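
Because limit_conn_status is set to 429 above, clients that try to open more connections than limit_conn allows show up in the access log with that status. The script below is an added example, not part of the original guide: it assumes the default "combined" access log format, the function names are hypothetical, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: list clients rejected by limit_conn (status 429), busiest first.
# Assumes the default "combined" log format: field 1 is the client address,
# field 7 the request path and field 9 the response status.

rejected_clients() {   # reads access-log lines on stdin; $1 = path prefix
    awk -v prefix="$1" '
        $9 == 429 && index($7, prefix) == 1 { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation address ranges), not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /documents/a.pdf HTTP/1.1" 200 1048576 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /documents/a.pdf HTTP/1.1" 429 169 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /documents/a.pdf HTTP/1.1" 429 169 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /documents/b.pdf HTTP/1.1" 429 169 "-" "curl/8.0"
198.51.100.20 - - [10/Jan/2024:10:00:05 +0000] "GET /documents/c.pdf HTTP/1.1" 200 524288 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:10:00:06 +0000] "GET /documents/c.pdf HTTP/1.1" 429 169 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Jan/2024:10:00:09 +0000] "GET /api/items HTTP/1.1" 429 169 "-" "Mozilla/5.0"
EOF
}

# Prints "count address" for every client rejected under /documents.
sample_log | rejected_clients /documents
```

Against a live server, pipe the real access log into rejected_clients instead of sample_log.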

Limiting Bandwidth Dynamically in NGINX

As the parameter value of the limit_rate directive, you can specify variables to limit bandwidth dynamically. This is particularly useful in situations where the rate should be limited depending on a certain condition.

In this example, we use a map block. It enables you to create a new variable whose value depends on the values of one or more of the original variables ($slow and $limit_rate) specified in the first parameter.

upstream api_service {
    server 10.1.1.10:9051;
    server 10.1.1.77:9052;
}

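# $slow is not a built-in NGINX variable; it must be defined elsewhere in the configuration.
# Values of $slow that are not listed map to an empty string, which leaves the rate unlimited.
map $slow $limit_rate {
    1     20k;
    2     30k;
}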

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html =404 =403 =500;
    }
    location /api {
        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /documents {
        limit_rate $limit_rate;
        limit_rate_after 500k;
    }
}

Here is another configuration example to illustrate dynamic bandwidth limiting in NGINX. This configuration allows NGINX to limit bandwidth based on the TLS version. The directive limit_rate_after 512 means that the rate is limited after the headers have been sent.

upstream api_service {
    server 10.1.1.10:9051;
    server 10.1.1.77:9052;
}

map $ssl_protocol $response_rate {
    "TLSv1.1" 50k;
    "TLSv1.2" 100k;
    "TLSv1.3" 500k;
}

server {
    listen 443 ssl;
    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate     /etc/ssl/testapp.crt;
    ssl_certificate_key   /etc/ssl/testapp.key;

    location / {
        limit_rate       $response_rate; # Limit bandwidth based on TLS version
        limit_rate_after 512;
        proxy_pass       http://api_service;
    }
}

That is all we have for you in this part of the series. We will continue to cover more topics on NGINX traffic management and security controls. As usual, you can ask questions or share your thoughts about this guide via the comment form below.

Reference: Security controls guide on the NGINX website.