How to Limit the Number of Connections (Requests) in NGINX


NGINX ships with various modules that let users control traffic to their websites, web applications, and other web resources. One of the main reasons for limiting traffic or access is to prevent abuse or certain kinds of attacks, such as DoS (Denial of Service) attacks.

There are three main ways of limiting use or traffic in NGINX:

  1. Limiting the number of connections (requests).
  2. Limiting the rate of requests.
  3. Limiting bandwidth.

Depending on the use case, the NGINX traffic-management approaches above can be configured to limit based on a defined key, the most common being the client's IP address. NGINX also supports other variables, such as a session cookie, and many more.

In this first part of a three-part series, we will discuss how to limit the number of connections in NGINX to protect your websites and applications.

  • How to Limit the Number of Connections (Requests) in NGINX - Part 1
  • How to Limit the Rate of Connections (Requests) in NGINX - Part 2
  • How to Limit Bandwidth Usage in NGINX - Part 3

Keep in mind that NGINX counts a connection towards the limit only if it has a request being processed by the server and the whole request header has already been read. Therefore, not all client connections are counted.

Limiting the Number of Connections in NGINX

First, you need to define a shared memory zone that stores connection metrics for the different keys, using the limit_conn_zone directive. As mentioned earlier, a key can be text, a variable such as the client's remote IP address, or a combination of the two.

This directive, which is valid in the HTTP context, takes two parameters: the key and the zone (in the format zone_name:size).

limit_conn_zone $binary_remote_addr zone=limitconnbyaddr:20m;

To set the response status code returned for rejected requests, use the limit_conn_status directive, which takes an HTTP status code as a parameter. It is valid in the HTTP, server, and location contexts.

limit_conn_status 429;

To limit connections, use the limit_conn directive to set the memory zone to use and the maximum number of allowed connections, as shown in the following snippet. This directive is valid in the HTTP, server, and location contexts.

limit_conn   limitconnbyaddr  50;

Here is the full configuration:

upstream api_service {
    server 127.0.0.1:9051;
    server 10.1.1.77:9052;
}
limit_conn_zone $binary_remote_addr zone=limitconnbyaddr:20m;
limit_conn_status 429;

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    limit_conn   limitconnbyaddr  50;

    #include snippets/error_pages.conf;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    location / {
        # Only the last try_files argument is a fallback code; earlier ones are tested as files.
        try_files $uri $uri/ /index.html =404;
    }
    location /api {
        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Save the file and close it.

Then check that the NGINX configuration is valid by running the following command:

$ sudo nginx -t

Next, reload the NGINX service to apply the recent changes:

$ sudo systemctl reload nginx

Checking the Nginx Connection Limit

When a client exceeds the maximum number of allowed connections, NGINX returns a 429 Too Many Requests error to the client and logs an entry like the one below in the error log file:

2022/03/15 00:14:00 [error] 597443#0: *127 limiting connections by zone "limitconnbyaddr", client: x.x.x.x, server: testapp.tecmimt.com, request: "GET /static/css/main.63fdefff.chunk.css.map HTTP/1.1", host: "testapp.tecmimt.com"

Limiting the Number of Nginx Connections to an Application

You can also limit the number of connections for a given server using the $server_name variable:

upstream api_service {
    server 127.0.0.1:9051;
    server 10.1.1.77:9052;
}
limit_conn_zone $server_name zone=limitbyservers:10m;
limit_conn_status 429;

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    limit_conn  limitbyservers  2000;

    #include snippets/error_pages.conf;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    location / {
        # Only the last try_files argument is a fallback code; earlier ones are tested as files.
        try_files $uri $uri/ /index.html =404;
    }
    location /api {
        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

This configuration lets NGINX limit the number of connections to the virtual server powering the application testapp.linux-console.net to 2000 connections.

Note: Limiting connections based on the client's IP address has a downside. You can end up restricting connections for more than one user, especially if many of the users accessing your application are on the same network and operate behind a NAT, because all of their connections will originate from the same IP address.

In such a scenario, you can use one or more of the variables available in NGINX that can identify a client at the application level, for example a session cookie.
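
One way to apply the session-cookie approach described above, shown as an added example rather than configuration from the original article. It assumes the application sets a cookie named sessionid (a hypothetical name); the zone name limitconnbysession and both limit values are constructed for illustration.

```nginx
# Added example, not from the original article.
# Assumption: the application issues a session cookie named "sessionid".

upstream api_service {
    server 127.0.0.1:9051;
    server 10.1.1.77:9052;
}

# Zone keyed on the session cookie: users who share one NAT address are
# counted separately. NGINX does not account requests whose key is empty,
# so a client that sends no cookie is not limited by this zone at all.
limit_conn_zone $cookie_sessionid   zone=limitconnbysession:10m;

# Zone keyed on the client address, kept as the outer bound. The cookie value
# is supplied by the client, so it cannot be the only key that is enforced.
limit_conn_zone $binary_remote_addr zone=limitconnbyaddr:20m;

limit_conn_status    429;
limit_conn_log_level warn;   # rejections are logged at "error" by default

server {
    listen 80;
    server_name testapp.linux-console.net;

    # Several limit_conn directives can be active in the same context;
    # a request is rejected as soon as any one of the limits is exceeded.
    limit_conn limitconnbysession 10;    # per session (constructed value)
    limit_conn limitconnbyaddr    200;   # per address, sized for a shared NAT (constructed value)

    location /api {
        proxy_pass http://api_service;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
```

When a limit is hit, the error log entry names the zone that rejected the request, which shows whether the per-session or the per-address limit was the one exceeded.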

You may also like the following Nginx-related articles:

  • How to Create a Custom 404 Error Page in NGINX
  • How to Control Access Based on the Client's IP Address in NGINX
  • How to Cache Content in NGINX
  • How to Enable HTTP/2.0 in Nginx
  • How to Use Nginx as an HTTP Load Balancer in Linux

That's all for now! In the next part of this series, we will discuss another useful traffic-management technique in NGINX: limiting the rate of requests. Until then, stay with us.