Kong基于QPS、IP限流

Rate Limiting限流插件

bash 复制代码
https://docs.konghq.com/hub/kong-inc/rate-limiting/

它可以针对consumer ,credential ,ip ,service,path,header 等多种维度来进行限流.流量控制的精准度也有多种方式可以参考,比如可以做到秒级,分钟级,小时级等限流控制.

基于IP限流

源码地址: kong/kong/plugins/ip-restriction/handler.lua at master · Kong/kong · GitHub

Lua 复制代码
local lrucache = require "resty.lrucache"
local ipmatcher = require "resty.ipmatcher"
local kong_meta = require "kong.meta"


local error = error
local kong = kong
local log = kong.log
local ngx_var = ngx.var


local IPMATCHER_COUNT = 512
local IPMATCHER_TTL   = 3600
local cache = lrucache.new(IPMATCHER_COUNT)


local IpRestrictionHandler = {
  PRIORITY = 990,
  VERSION = kong_meta.version,
}


local isempty
do
  local tb_isempty = require "table.isempty"

  isempty = function(t)
    return t == nil or tb_isempty(t)
  end
end


local function do_exit(status, message)
  status = status or 403
  message = message or
            string.format("IP address not allowed: %s", ngx_var.remote_addr)

  log.warn(message)

  return kong.response.error(status, message)
end


local function match_bin(list, binary_remote_addr)
  local matcher, err

  matcher = cache:get(list)
  if not matcher then
    matcher, err = ipmatcher.new(list)
    if err then
      return error("failed to create a new ipmatcher instance: " .. err)
    end

    cache:set(list, matcher, IPMATCHER_TTL)
  end

  local is_match
  is_match, err = matcher:match_bin(binary_remote_addr)
  if err then
    return error("invalid binary ip address: " .. err)
  end

  return is_match
end


local function do_restrict(conf)
  local binary_remote_addr = ngx_var.binary_remote_addr
  if not binary_remote_addr then
    return do_exit(403,
                   "Cannot identify the client IP address, " ..
                   "unix domain sockets are not supported.")
  end

  local deny = conf.deny

  if not isempty(deny) then
    local blocked = match_bin(deny, binary_remote_addr)
    if blocked then
      return do_exit(conf.status, conf.message)
    end
  end

  local allow = conf.allow

  if not isempty(allow) then
    local allowed = match_bin(allow, binary_remote_addr)
    if not allowed then
      return do_exit(conf.status, conf.message)
    end
  end
end


function IpRestrictionHandler:access(conf)
  return do_restrict(conf)
end


function IpRestrictionHandler:preread(conf)
  return do_restrict(conf)
end


return IpRestrictionHandler
相关推荐
风霜不见闲沉月17 天前
kong网关的使用
junit·kong
还是转转20 天前
Kong Gateway 指南
gateway·kong
三朝看客2 个月前
BClinux docker安装kong和konga
docker·容器·kong
爱技术的小伙子3 个月前
【API网关】 使用Kong、Zuul等工具实现API网关
kong
博客威5 个月前
kong网关部署
kong·konga
明明在学JAVA6 个月前
Kong网关的负载均衡
python·负载均衡·kong
Wang's Blog6 个月前
Go微服务: 基于Docker搭建Kong网关环境
docker·微服务·golang·kong
明明在学JAVA6 个月前
Kong网关身份认证
kong
宫孙小兔6 个月前
Kong网关代理MQTT的两种方法
nginx·kong·tcp·代理·流代理
天草二十六_简村人7 个月前
API网关工具Kong或nginx ingress实现对客户端IP的白名单限制,提高对外服务的访问安全
运维·nginx·安全·kubernetes·k8s·kong