Kong基于QPS、IP限流

Rate Limiting限流插件

bash 复制代码
https://docs.konghq.com/hub/kong-inc/rate-limiting/

它可以针对consumer ,credential ,ip ,service,path,header 等多种维度来进行限流.流量控制的精准度也有多种方式可以参考,比如可以做到秒级,分钟级,小时级等限流控制.

基于IP限流

源码地址: kong/kong/plugins/ip-restriction/handler.lua at master · Kong/kong · GitHub

Lua 复制代码
local lrucache = require "resty.lrucache"
local ipmatcher = require "resty.ipmatcher"
local kong_meta = require "kong.meta"


local error = error
local kong = kong
local log = kong.log
local ngx_var = ngx.var


local IPMATCHER_COUNT = 512
local IPMATCHER_TTL   = 3600
local cache = lrucache.new(IPMATCHER_COUNT)


local IpRestrictionHandler = {
  PRIORITY = 990,
  VERSION = kong_meta.version,
}


local isempty
do
  local tb_isempty = require "table.isempty"

  isempty = function(t)
    return t == nil or tb_isempty(t)
  end
end


local function do_exit(status, message)
  status = status or 403
  message = message or
            string.format("IP address not allowed: %s", ngx_var.remote_addr)

  log.warn(message)

  return kong.response.error(status, message)
end


local function match_bin(list, binary_remote_addr)
  local matcher, err

  matcher = cache:get(list)
  if not matcher then
    matcher, err = ipmatcher.new(list)
    if err then
      return error("failed to create a new ipmatcher instance: " .. err)
    end

    cache:set(list, matcher, IPMATCHER_TTL)
  end

  local is_match
  is_match, err = matcher:match_bin(binary_remote_addr)
  if err then
    return error("invalid binary ip address: " .. err)
  end

  return is_match
end


local function do_restrict(conf)
  local binary_remote_addr = ngx_var.binary_remote_addr
  if not binary_remote_addr then
    return do_exit(403,
                   "Cannot identify the client IP address, " ..
                   "unix domain sockets are not supported.")
  end

  local deny = conf.deny

  if not isempty(deny) then
    local blocked = match_bin(deny, binary_remote_addr)
    if blocked then
      return do_exit(conf.status, conf.message)
    end
  end

  local allow = conf.allow

  if not isempty(allow) then
    local allowed = match_bin(allow, binary_remote_addr)
    if not allowed then
      return do_exit(conf.status, conf.message)
    end
  end
end


function IpRestrictionHandler:access(conf)
  return do_restrict(conf)
end


function IpRestrictionHandler:preread(conf)
  return do_restrict(conf)
end


return IpRestrictionHandler
相关推荐
无名小卒202219 小时前
{人工智能}未来十年改变世界的核心技术驱动力
kong
William一直在路上12 天前
Kong Gateway 实操实例:代理上游服务并配置限流插件
gateway·kong
tnan25222 个月前
记录docker使用kong consul postgresql配置dns异常解决
docker·kong·consul
William一直在路上2 个月前
KONG API Gateway中的核心概念
网络·gateway·kong
freesharer2 个月前
kong网关集成Safeline WAF 插件
kong
悟能不能悟3 个月前
kong是什么
kong
freesharer3 个月前
kong网关基于header分流灰度发布
kong
JohnGox4 个月前
KONG根据请求参数限流
kong·限流
星释4 个月前
使用API网关Kong配置反向代理和负载均衡
运维·负载均衡·kong
莱茵不哈哈5 个月前
OpenResty 深度解析:构建高性能 Web 服务的终极方案
nginx·lua·kong·openresty·conf