[转]nginx防刷limit 设置白名单(geo模块)
转:http://www.kuitao8.com/20131219/1814.shtml
Geo 模块
http {
includeconf/mime.types;
default_typeapplication/octet-stream;
geo$geo {
default default;
218.30.115.0/24 china_telecom;
202.106.182.0/24 china_unicom;
202.205.3.0/24 cernet;
}
Upstream default {
Server192.168.0.2:8080;
}
Upstream china_telecom {
Server192.168.0.3:8080;
}
Upstream china_unicom {
Server192.168.0.4:8080;
}
Upstream cernet {
Server192.168.0.5:8080;
}
Server {
listen 80;
server_name localhost;
location/ {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_next_upstream error timeout http_503 http_502http_504;
proxy_pass http://$geo;
access_log /home/nginx_log/member_acc_log main;
error_log/home/nginx_log/member_err_log;
}
}
}
geo 指令
default:任何ip地址,相当于0.0.0.0/0
ranges:支持区间形式来指定ip段,该指令必须卸载geo配置环境的第一行。如:127.0.0.0-127.0.0.255
注:官方nginx 未找到白名单功能,只是全局负载均衡
Tengine nginx
geo 白名单配置
http {
include mime.types;
default_type application/octet-stream;
limit_req_zone $binary_remote_addr zone=one:3m rate=1r/m;
limit_req_zone $binary_remote_addr $uri zone=two:3m rate=1r/m;
limit_req_zone $binary_remote_addr $request_uri zone=three:3m rate=1r/m;
geo $white_ip {
#ranges;
default 0;
10.0.0.0/8 1;
192.168.0.0/16 2;
}
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root html;
limit_req_whitelist geo_var_name=white_ip geo_var_value=1;
limit_req_whitelist geo_var_name=white_ip geo_var_value=2;
limit_req zone=one burst=2 nodelay;
limit_req zone=two burst=2 nodelay;
limit_req zone=three burst=2 nodelay;
index index.html index.htm;
}
}
}
表示白名单,要协同geo模块进行工作,其中geo_var_name表示geo模块设置的变量名,而geo_var_value表示geo模块设置的变量值。比如:
geo $white_ip {
ranges;
default 0;
127.0.0.1-127.0.0.255 1;
}
limit_req_whitelist geo_var_name=white_ipgeo_var_value=1;
上面表示ip127.0.0.1-127.0.0.255这个区间都会跳过limit_req的处理。