Kong基于QPS、IP限流

04-06 1395阅读

Rate Limiting限流插件

https://docs.konghq.com/hub/kong-inc/rate-limiting/

它可以针对 consumer、credential、IP、service、path、header 等多种维度进行限流。限流的时间粒度也有多种选择,例如可以做到秒级、分钟级、小时级等限流控制。


基于IP限流

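源码地址:kong/kong/plugins/ip-restriction/handler.lua(GitHub 上 Kong/kong 仓库的 master 分支)。

注意:从下面的源码可以看出,ip-restriction 插件做的是按 IP 的允许/拒绝(访问控制),并不统计请求速率;按 IP 维度的速率限制由上文 Rate Limiting 插件的 limit_by = ip 提供。两者判断所用的客户端地址都取决于网关识别出的"真实 IP":如果 Kong 部署在负载均衡或反向代理之后,需要确认 trusted_ips、real_ip_header 等配置正确,否则名单匹配到的可能是代理的地址。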

local lrucache = require "resty.lrucache"
local ipmatcher = require "resty.ipmatcher"
local kong_meta = require "kong.meta"
-- Bind the globals and PDK handles used below to locals (upvalues).
local error, kong, ngx_var = error, kong, ngx.var
local log = kong.log

-- Sizing of the matcher cache: at most 512 cached matchers, each stored with
-- a TTL of 3600 (lua-resty-lrucache takes the TTL in seconds).
local IPMATCHER_COUNT, IPMATCHER_TTL = 512, 3600
local cache = lrucache.new(IPMATCHER_COUNT)

-- Plugin handler table. VERSION follows the Kong release; PRIORITY is the
-- value Kong uses to order this plugin against the other enabled plugins.
-- NOTE(review): check where 990 places this plugin relative to the
-- authentication and rate-limiting plugins in your deployment.
local IpRestrictionHandler = {
  VERSION = kong_meta.version,
  PRIORITY = 990,
}
--- Tell whether a list is missing or has no entries.
-- A nil argument counts as empty; anything else is handed to table.isempty
-- (a LuaJIT/OpenResty extension module).
-- @param t table or nil
-- @return true when t is nil, otherwise the result of table.isempty(t)
local isempty
do
  local table_is_empty = require "table.isempty"

  function isempty(t)
    if t == nil then
      return true
    end
    return table_is_empty(t)
  end
end
--- Log a rejection and end the request with an error response.
-- @param status  status code to answer with; 403 is used when it is nil/false
-- @param message text to log and to send; when nil/false a default naming
--                ngx.var.remote_addr is built
-- @return the result of kong.response.error(status, message)
local function do_exit(status, message)
  if not status then
    status = 403
  end

  if not message then
    message = string.format("IP address not allowed: %s", ngx_var.remote_addr)
  end

  -- The same text is written to the log and passed to kong.response.error,
  -- so the default message echoes the caller's address back in the response.
  -- A custom message replaces the default in the log line as well, so the
  -- rejected address is then only present if the operator's text includes it.
  log.warn(message)
  return kong.response.error(status, message)
end
--- Check a binary client address against a configured address list.
-- The matcher built from a list is memoised in the module-level LRU cache;
-- the list value itself is the cache key, and entries are stored with
-- IPMATCHER_TTL.
-- Both failure paths call error() instead of returning false, so a list that
-- cannot be compiled or an address that cannot be parsed is never reported
-- as "no match" (which would let a deny list be bypassed silently).
-- @param list               the allow or deny list from the plugin config
-- @param binary_remote_addr client address in binary form
-- @return the match result from the matcher's match_bin()
local function match_bin(list, binary_remote_addr)
  local ip_matcher = cache:get(list)

  if not ip_matcher then
    local build_err
    ip_matcher, build_err = ipmatcher.new(list)
    if build_err then
      return error("failed to create a new ipmatcher instance: " .. build_err)
    end

    cache:set(list, ip_matcher, IPMATCHER_TTL)
  end

  local matched, match_err = ip_matcher:match_bin(binary_remote_addr)
  if match_err then
    return error("invalid binary ip address: " .. match_err)
  end

  return matched
end
--- Apply the plugin's deny and allow lists to the current client.
-- Order of evaluation:
--   1. no binary client address available -> reject with 403;
--   2. deny list non-empty and the address matches it -> reject;
--   3. allow list non-empty and the address does not match it -> reject;
--   4. otherwise fall through and return nothing (request continues).
-- The deny list is checked first, so an address present on both lists is
-- rejected. With both lists empty nothing is restricted.
-- NOTE(review): the decision is made on ngx.var.binary_remote_addr. Behind a
-- load balancer or proxy, confirm the real-IP settings (trusted_ips,
-- real_ip_header) so this is the end client's address and cannot be set by
-- an untrusted forwarded header.
-- @param conf plugin configuration; reads conf.deny, conf.allow, conf.status
--             and conf.message
local function do_restrict(conf)
  local client_addr = ngx_var.binary_remote_addr
  if not client_addr then
    return do_exit(403,
                   "Cannot identify the client IP address, " ..
                   "unix domain sockets are not supported.")
  end

  local deny_list = conf.deny
  if not isempty(deny_list) and match_bin(deny_list, client_addr) then
    return do_exit(conf.status, conf.message)
  end

  local allow_list = conf.allow
  if not isempty(allow_list) and not match_bin(allow_list, client_addr) then
    return do_exit(conf.status, conf.message)
  end
end
--- access phase handler: run the allow/deny check for this request.
-- The receiver is not used; only the plugin configuration is forwarded.
-- @param conf plugin configuration
-- @return whatever do_restrict returns
function IpRestrictionHandler.access(_, conf)
  return do_restrict(conf)
end
--- preread phase handler: the same allow/deny check as the access handler.
-- NOTE(review): preread is presumably the stream (TCP/TLS) counterpart of
-- access; the rejection path still goes through kong.response.error.
-- @param conf plugin configuration
-- @return whatever do_restrict returns
function IpRestrictionHandler.preread(_, conf)
  return do_restrict(conf)
end
-- Module value: the handler table carrying PRIORITY, VERSION and the
-- access/preread phase methods.
return IpRestrictionHandler