Test environment
Nginx was installed with yum; the paths below are the yum package's defaults.
All domain names used here are resolved through entries in the local hosts file.
Main configuration file
Path: /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
Sub-configuration file
Path: /etc/nginx/conf.d/wangmingqu.conf
server {
listen 80;
server_name wang.wangmingqu.com;
charset utf-8;
location / {
root /www/wangmingqu/;
index index.html index.htm;
}
}
Test data
mkdir -p /www/wangmingqu/
echo "王茗渠测试页面" > /www/wangmingqu/index.html
Nginx access limiting – request-rate limiting
Function
Main purpose
Limits how frequently a client may send requests; configured sensibly, it reduces the impact of abusive traffic.
Module name: ngx_http_limit_req_module
Configuration scope
The rate-limit rule is defined in the http context; it is then referenced inside a location block of a server.
Enabling request-rate limiting
- Load test before enabling request-rate limiting
# Install the load-testing tool
yum -y install httpd-tools
# Load test before enabling request-rate limiting
ab -n 100 -c 10 http://192.168.131.129/
# Format: ab -n <total number of requests> -c <number of concurrent requests> <scheme>://<address or domain under test>/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $> # version of the load-testing tool
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.131.129 (be patient).....done
Server Software: nginx/1.25.3 # server software and version under test
Server Hostname: 192.168.131.129 # address of the server under test
Server Port: 80 # port of the server under test
Document Path: / # path requested
Document Length: 679 bytes # size of the requested document
Concurrency Level: 10 # concurrency level
Time taken for tests: 0.012 seconds # total time taken by the run
Complete requests: 100 # completed requests
Failed requests: 0 # failed requests
Write errors: 0 # requests with write errors
Total transferred: 80100 bytes # total bytes transferred
HTML transferred: 67900 bytes # HTML bytes transferred
Requests per second: 8203.45 [#/sec] (mean) # requests handled per second
Time per request: 1.219 [ms] (mean) # time consumed per request
Time per request: 0.122 [ms] (mean, across all concurrent requests)
Transfer rate: 6416.95 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.1 0 0
Processing: 0 1 0.4 1 4
Waiting: 0 1 0.3 1 3
Total: 0 1 0.4 1 4
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 1
90% 1
95% 1
98% 2
99% 4
100% 4 (longest request)
- Enable request-rate limiting
Path: /etc/nginx/conf.d/wangmingqu.conf
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=1r/s;
server {
listen 80;
server_name wang.wangmingqu.com;
charset utf-8;
location / {
root /www/wangmingqu/;
index index.html index.htm;
limit_req zone=req_zone;
}
}
Explanation of the rule and its reference
- Rule format and explanation:
- “limit_req_zone $binary_remote_addr zone=<rule name>:<zone size> <rate limit>;”
- limit_req_zone: defines a request-rate limiting rule;
- $binary_remote_addr: the client's address in binary form is used as the key;
- zone=req_zone:10m: names the rule and sets the size of the shared memory used to track client state;
- rate=1r/s: sets the rate limit, i.e. the number of requests allowed per second;
- Reference format and explanation:
- “limit_req zone=<rule name>;”
- limit_req: the keyword that references a rule;
- zone=req_zone: the name of the rule to apply;
- Load test after enabling request-rate limiting
ab -n 100 -c 10 http://192.168.131.129/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.131.129 (be patient).....done
Server Software: nginx/1.25.3
Server Hostname: 192.168.131.129
Server Port: 80
Document Path: /
Document Length: 679 bytes
Concurrency Level: 10
Time taken for tests: 0.011 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Total transferred: 80100 bytes
HTML transferred: 67900 bytes
Requests per second: 9384.38 [#/sec] (mean)
Time per request: 1.066 [ms] (mean)
Time per request: 0.107 [ms] (mean, across all concurrent requests)
Transfer rate: 7340.71 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.1 0 0
Processing: 0 1 0.3 1 2
Waiting: 0 1 0.2 1 2
Total: 1 1 0.3 1 2
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 1
90% 1
95% 1
98% 2
99% 2
100% 2 (longest request)
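The following is an added example, not code from the original page or from nginx itself: it models the leaky bucket that ngx_http_limit_req_module keeps per $binary_remote_addr key and replays the 100-request, 10-concurrency run above against rate=1r/s, with and without a burst allowance. The client address, request timings and the burst value are assumptions, and LimitReqZone and flood are hypothetical names.

```python
# Added example (not from the original page): a model of the leaky bucket
# that ngx_http_limit_req_module applies per key ($binary_remote_addr).
# Times are in seconds, rate in requests/second; "excess" tracks how far the
# client is ahead of the allowed rate, the way nginx keeps it per node.
from dataclasses import dataclass, field

@dataclass
class LimitReqZone:
    rate: float            # rate=1r/s  -> 1.0
    burst: int = 0         # limit_req ... burst=N (default 0)
    nodelay: bool = False  # limit_req ... nodelay
    state: dict = field(default_factory=dict)  # key -> (last_time, excess)

    def request(self, key, now):
        """Return (status, delay): 200 or 503, and the seconds nginx would
        hold the request before serving it (0.0 when nodelay is set)."""
        if key not in self.state:            # first request from this key
            self.state[key] = (now, 0.0)
            return 200, 0.0
        last, excess = self.state[key]
        # the bucket leaks at `rate`; the new request adds one unit
        excess = max(excess - self.rate * (now - last) + 1.0, 0.0)
        if excess > self.burst:              # over the burst allowance
            return 503, 0.0                  # rejected; state is not updated
        self.state[key] = (now, excess)
        delay = 0.0 if self.nodelay else excess / self.rate
        return 200, delay

def flood(rate, burst=0, nodelay=False, n=100, gap=0.00012):
    """Replay the page's ab run (100 requests from one constructed client IP
    in ~12 ms) and count how many are served vs. rejected with status 503."""
    zone = LimitReqZone(rate=rate, burst=burst, nodelay=nodelay)
    served = rejected = 0
    for i in range(n):
        status, _ = zone.request("192.168.131.129", i * gap)
        if status == 200:
            served += 1
        else:
            rejected += 1
    return served, rejected

if __name__ == "__main__":
    print("rate=1r/s, no burst:", flood(1.0))            # (1, 99)
    print("rate=1r/s, burst=5: ", flood(1.0, burst=5))   # (6, 94)
    z = LimitReqZone(rate=1.0, burst=5)
    z.request("c", 0.0)
    print("second request within the burst is delayed by", z.request("c", 0.5)[1], "s")
```

Note that the post-limit run above still reports 100 complete requests and 67900 bytes of HTML (100 × 679) with no "Non-2xx responses" line from ab, so no request was rejected in that run. A mismatch between the zone name in limit_req_zone and the one referenced by limit_req makes nginx -t fail and leaves the previous configuration running, which is worth checking before benchmarking.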
Nginx access limiting – connection-count limiting
Function
Main purpose
Limits the number of connections a client may hold; configured sensibly, it reduces the impact of abusive traffic.
Module name: ngx_http_limit_conn_module
Configuration scope
The connection-limit rule is defined in the http context; it is then referenced in a server or location block.
Enabling connection-count limiting
Enable connection-count limiting
Path: /etc/nginx/conf.d/wangmingqu.conf
limit_conn_zone $binary_remote_addr zone=conn_zone:10m;
server {
listen 80;
server_name wang.wangmingqu.com;
charset utf-8;
location / {
root /www/wangmingqu/;
index index.html index.htm;
limit_conn conn_zone 1;
}
}
Explanation of the rule and its reference
- Rule format and explanation:
- “limit_conn_zone $binary_remote_addr zone=<rule name>:<zone size>;”
- limit_conn_zone: defines a connection-count limiting rule;
- $binary_remote_addr: the client's address in binary form is used as the key;
- zone=conn_zone:10m: names the rule and sets the size of the shared memory used to track client state;
- Reference format and explanation:
- “limit_conn <rule name> <number of TCP connections>;”
Nginx access control – IP-based access control
Function
Main purpose
IP-based access control: allow-lists and deny-lists that permit or block one or more IP addresses.
Module name: ngx_http_access_module
Configuration scope
Can be configured in the http, server and location contexts;
in the http context it applies globally;
in the server context it applies to that site;
in the location context it applies to that particular match;
Enabling IP access control
Path: /etc/nginx/conf.d/wangmingqu.conf
server {
listen 80;
server_name wang.wangmingqu.com;
charset utf-8;
allow 192.168.131.1;
deny all;
location / {
root /www/wangmingqu/;
index index.html index.htm;
}
}
Access screenshot (image not reproduced here)
Blocked-request log entry
2024/01/17 01:33:55 [error] 32484#32484: *16 access forbidden by rule, client: 192.168.131.129, server: wang.wangmingqu.com, request: "GET / HTTP/1.1", host: "wang.wangmingqu.com"
Explanation of the rules
- allow: addresses permitted to access, i.e. the allow-list;
- deny: addresses forbidden to access, i.e. the deny-list;
- 192.169.1.101: a single address;
- 192.169.1.0/24: a whole network;
- if a network contains several runs of contiguous addresses, they have to be written out one by one;
- rule patterns: deny everything and allow a few; or allow everything and deny a few;
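As an added example (not code from the original page or from nginx), the evaluator below reproduces how ngx_http_access_module walks allow/deny rules top to bottom with the first match winning, using the page's own allow-list (allow 192.168.131.1; deny all;) plus a constructed deny-list and a deliberately mis-ordered rule set. parse_rules and check are hypothetical helper names.

```python
# Added example (not from the original page): how ngx_http_access_module
# evaluates allow/deny directives: in order, first match wins, and a client
# that matches no rule is allowed. Rule targets use the page's syntax:
# a single address, a CIDR network such as 192.169.1.0/24, or "all".
import ipaddress

def parse_rules(config_lines):
    """Turn lines like 'allow 192.168.131.1;' into (verdict, network) pairs,
    keeping the order in which they appear in the server/location block."""
    rules = []
    for line in config_lines:
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        verdict, target = line.split()
        if verdict not in ("allow", "deny"):
            raise ValueError(f"not an access directive: {line}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((verdict, net))
    return rules

def check(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip; 'deny' is what produces the
    403 and the 'access forbidden by rule' error-log line shown on the page."""
    ip = ipaddress.ip_address(client_ip)
    for verdict, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return verdict
    return "allow"   # no rule matched: nginx lets the request through

# The page's "deny everything, allow a few" rule set.
WHITELIST = parse_rules(["allow 192.168.131.1;", "deny all;"])
# Constructed "allow everything, deny a few" set; a /24 covers a whole network,
# while addresses that do not fill a CIDR block need one rule each.
BLACKLIST = parse_rules(["deny 192.169.1.0/24;", "allow all;"])
# Ordering mistake: 'deny all' first shadows every later allow.
SHADOWED = parse_rules(["deny all;", "allow 192.168.131.1;"])

if __name__ == "__main__":
    for ip in ("192.168.131.1", "192.168.131.129"):
        print(ip, "whitelist ->", check(WHITELIST, ip),
              "| shadowed ->", check(SHADOWED, ip))
    print("192.169.1.101 blacklist ->", check(BLACKLIST, "192.169.1.101"))
```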
Nginx access control – user-based access control
Function
Main purpose
User-based access control: visitors must log in with a username and password.
Module name: ngx_http_auth_basic_module
Configuration scope
Can be configured in the http, server and location contexts.
in the http context it applies globally;
in the server context it applies to that site;
in the location context it applies to that particular match;
Enabling user access control
- Create the password file
# Install the httpd-tools package
yum -y install httpd-tools
# Create the file and add the first user and password
htpasswd -cm /etc/nginx/conf.d/.passwd wangmingqu
# Add another user and password
htpasswd -m /etc/nginx/conf.d/.passwd changmengka
# View the generated users and password hashes
cat /etc/nginx/conf.d/.passwd
- Enable authentication
Path: /etc/nginx/conf.d/wangmingqu.conf
server {
auth_basic "账号密码登录"; # prompt text shown in the login dialog (the realm)
auth_basic_user_file /etc/nginx/conf.d/.passwd; # password file
listen 80;
server_name wang.wangmingqu.com;
charset utf-8;
location / {
root /www/wangmingqu/;
index index.html index.htm;
}
}
- Verify access
nginx -t
systemctl reload nginx
Username/password prompt (screenshot not reproduced here)
Page shown after login (screenshot not reproduced here)