Kong基于QPS、IP限流

Rate Limiting限流插件

https://docs.konghq.com/hub/kong-inc/rate-limiting/

它可以针对 consumer、credential、ip、service、path、header 等多种维度来进行限流。流量控制的精度也有多种粒度可以选择,比如可以做到秒级、分钟级、小时级等限流控制。

基于IP限流

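源码地址:kong/kong/plugins/ip-restriction/handler.lua at master · Kong/kong · GitHub

注意:下面的 ip-restriction 插件做的是基于 allow / deny 名单的 IP 访问控制(命中名单即放行或拒绝),并不统计请求速率;如果要按 IP 限制请求速率,应使用上文的 rate-limiting 插件,并把 limit_by 设为 ip。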

local lrucache = require "resty.lrucache"
local ipmatcher = require "resty.ipmatcher"
local kong_meta = require "kong.meta"


-- Localize the globals this module uses: the builtin error(), the Kong PDK
-- table, its logger, and nginx's per-request variable table.
local error = error
local kong = kong
local log = kong.log
local ngx_var = ngx.var


-- Compiled matchers are kept in a worker-local LRU cache so that a CIDR list
-- is not re-parsed on every request.
-- IPMATCHER_COUNT: maximum number of cached matchers.
-- IPMATCHER_TTL:   passed as the TTL argument of cache:set() (seconds).
local IPMATCHER_COUNT = 512
local IPMATCHER_TTL   = 3600
local cache = lrucache.new(IPMATCHER_COUNT)


-- Plugin handler table returned by this module.
-- PRIORITY orders this plugin relative to other Kong plugins within a phase
-- (plugins with a higher value run earlier).
-- VERSION follows the version of Kong itself (kong.meta).
local IpRestrictionHandler = {
  PRIORITY = 990,
  VERSION = kong_meta.version,
}


--- Report whether a configured address list carries no entries.
-- A missing list (nil) counts as empty, so callers can treat "not configured"
-- and "configured with zero entries" the same way: that check is skipped.
-- @param t table|nil  the allow or deny list from the plugin configuration
-- @return boolean     true when t is nil or has no elements
local isempty
do
  -- table.isempty is a LuaJIT/OpenResty extension; keep it private to this block.
  local table_is_empty = require "table.isempty"

  function isempty(t)
    if t == nil then
      return true
    end

    return table_is_empty(t)
  end
end


--- Reject the current request with an error response.
-- The rejection is written to the Kong log at warn level before the response
-- is produced, so denied clients leave an audit trail.
-- @param status   HTTP status to send; 403 when nil/false
-- @param message  response body text; when nil/false a default is built that
--                 contains nginx's $remote_addr (the message is both logged
--                 and returned to the client)
-- @return whatever kong.response.error returns
local function do_exit(status, message)
  local code = status
  if not code then
    code = 403
  end

  local body = message
  if not body then
    -- Only read the client address when no operator-supplied message exists.
    body = string.format("IP address not allowed: %s", ngx_var.remote_addr)
  end

  log.warn(body)

  return kong.response.error(code, body)
end


--- Test a binary client address against a list of IPs/CIDR ranges.
-- The compiled matcher for a list is looked up in the module-level LRU cache,
-- keyed by the `list` value itself, and built (then cached for IPMATCHER_TTL)
-- on a miss.
--
-- Failures are raised with error() instead of being reported as "no match",
-- so within this function a malformed list or an unparsable address can never
-- be mistaken for a client that passed the check.
-- @param list                the allow or deny list from the plugin config
-- @param binary_remote_addr  client address in nginx's binary form
-- @return the match result from the matcher (truthy when the address is in the list)
local function match_bin(list, binary_remote_addr)
  local matcher = cache:get(list)

  if not matcher then
    local build_err
    matcher, build_err = ipmatcher.new(list)
    if build_err then
      return error("failed to create a new ipmatcher instance: " .. build_err)
    end

    cache:set(list, matcher, IPMATCHER_TTL)
  end

  local matched, match_err = matcher:match_bin(binary_remote_addr)
  if match_err then
    return error("invalid binary ip address: " .. match_err)
  end

  return matched
end


--- Apply the plugin's deny/allow lists to the current client.
-- Order of evaluation:
--   1. no client address available       -> reject with 403
--   2. deny list set and address matches -> reject
--   3. allow list set and no match       -> reject
--   4. otherwise                         -> return nothing, request continues
-- The deny list is consulted first, so an address present in both lists is
-- rejected. A nil or empty list disables the corresponding check; with both
-- lists empty nothing is restricted.
--
-- The address checked is nginx's $binary_remote_addr, i.e. the peer as nginx
-- sees it. NOTE(review): behind a load balancer or CDN that is the proxy's
-- address unless real-IP handling (Kong's trusted_ips / real_ip_header
-- settings) is configured, and those settings should only trust known
-- proxies, otherwise the checked address becomes client-influenced; confirm
-- against the deployment.
-- @param conf  plugin configuration (reads conf.deny, conf.allow, conf.status,
--              conf.message)
local function do_restrict(conf)
  local client_bin = ngx_var.binary_remote_addr
  if not client_bin then
    -- Fail closed: without an address neither list can be evaluated.
    return do_exit(403,
                   "Cannot identify the client IP address, " ..
                   "unix domain sockets are not supported.")
  end

  local deny_list = conf.deny
  if not isempty(deny_list) and match_bin(deny_list, client_bin) then
    return do_exit(conf.status, conf.message)
  end

  local allow_list = conf.allow
  if not isempty(allow_list) and not match_bin(allow_list, client_bin) then
    return do_exit(conf.status, conf.message)
  end
end


--- Access-phase hook: enforce the allow/deny lists for proxied requests.
-- The receiver is unused; all state comes from the plugin configuration.
-- @param conf  plugin configuration for the matched entity
function IpRestrictionHandler.access(_, conf)
  return do_restrict(conf)
end


--- Preread-phase hook: enforce the same allow/deny lists as the access hook.
-- The receiver is unused; all state comes from the plugin configuration.
-- @param conf  plugin configuration for the matched entity
function IpRestrictionHandler.preread(_, conf)
  return do_restrict(conf)
end


-- Module export: the handler table carrying PRIORITY, VERSION and the
-- access/preread phase methods.
return IpRestrictionHandler