一、四层防护架构
# 全局负载均衡器配置
stream {
upstream prison_mail_backend {
# 一致性哈希,确保同一监狱流量到同一服务器
hash $remote_addr consistent;
# 多可用区部署
zone backend 64k;
server 10.0.1.10:443 max_fails=3 fail_timeout=30s;
server 10.0.2.10:443 max_fails=3 fail_timeout=30s;
server 10.0.3.10:443 max_fails=3 fail_timeout=30s;
# 备份节点(不同云厂商)
server 192.168.1.10:443 backup;
server 192.168.2.10:443 backup;
}
# DDoS防护服务器组
upstream ddos_protection {
least_conn; # 最小连接数算法
# 专用清洗节点
server 10.0.100.1:80;
server 10.0.100.2:80;
server 10.0.100.3:80;
}
# TCP/UDP流量分发
server {
listen 443;
proxy_pass prison_mail_backend;
# 连接限制
proxy_connect_timeout 5s;
proxy_timeout 300s;
# DDoS检测
access_by_lua_block {
local client_ip = ngx.var.remote_addr
local attack_score = check_ddos_risk(client_ip)
if attack_score > 70 then
-- 重定向到清洗中心
ngx.var.proxy_pass = "ddos_protection"
end
}
}
}二、七层智能调度
http {
# 请求频率限制
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $server_name zone=global:10m rate=1000r/s;
# 连接数限制
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn_zone $server_name zone=server:10m;
# 监狱通信专用后端
upstream prison_api {
# 加权最少连接数
least_conn;
# 主集群
server 10.0.10.1:8080 weight=3 max_conns=1000;
server 10.0.10.2:8080 weight=3 max_conns=1000;
server 10.0.10.3:8080 weight=3 max_conns=1000;
# 热备节点
server 10.0.10.4:8080 weight=1 backup;
server 10.0.10.5:8080 weight=1 backup;
# 健康检查
health_check interval=5s fails=2 passes=2 uri=/health;
}
# 静态资源CDN
upstream static_cdn {
# 基于地理位置的负载均衡
geoip_country /etc/nginx/geoip/GeoIP.dat;
server 101.200.1.1:80 weight=1; # 华北
server 101.200.2.1:80 weight=1; # 华东
server 101.200.3.1:80 weight=1; # 华南
server 101.200.4.1:80 weight=1; # 西南
}
server {
listen 80;
server_name weiai.tech;
# 基础防护
limit_conn addr 20; # 单IP最多20个连接
limit_req zone=api burst=20 nodelay;
limit_req zone=global burst=200;
# 信件上传接口
location /api/prison/letter/upload {
# 强化限制
limit_conn addr 5;
limit_req zone=api burst=5 nodelay;
# 请求验证
if ($request_method != POST) {
return 405;
}
# 文件大小限制
client_max_body_size 10M;
client_body_timeout 30s;
# 代理到后端
proxy_pass http://prison_api;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# 超时设置
proxy_connect_timeout 10s;
proxy_read_timeout 30s;
proxy_send_timeout 30s;
# 缓冲区限制(防慢速攻击)
proxy_request_buffering off;
client_body_buffer_size 1M;
}
# 静态资源
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
# CDN加速
proxy_pass http://static_cdn;
# 缓存设置
expires 1y;
add_header Cache-Control "public, immutable";
# 防盗链
valid_referers none blocked weiai.tech *.weiai.tech;
if ($invalid_referer) {
return 403;
}
}
# 健康检查端点
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# 监控端点
location /nginx_status {
stub_status;
allow 10.0.0.0/8; # 内网访问
deny all;
access_log off;
}
}
}三、云原生负载均衡器
# Kubernetes Ingress配置
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: weiai-prison-mail
annotations:
# 负载均衡算法
nginx.ingress.kubernetes.io/load-balance: "ewma"
# 连接限制
nginx.ingress.kubernetes.io/limit-connections: "20"
nginx.ingress.kubernetes.io/limit-rps: "10"
# DDoS防护
nginx.ingress.kubernetes.io/limit-whitelist: "10.0.0.0/8"
# 会话保持
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "route"
spec:
ingressClassName: nginx
rules:
- host: weiai.tech
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: prison-api-service
port:
number: 8080
# 流量权重
trafficWeight:
value: 80
- path: /static
pathType: Prefix
backend:
service:
name: static-service
port:
number: 80
trafficWeight:
value: 20
---
# 自动扩缩容配置
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: prison-api-hpa
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: prison-api
minReplicas: 3
maxReplicas: 50
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Pods
pods:
metric:
name: requests-per-second
target:
type: AverageValue
averageValue: 1000四、智能流量分析
# 实时DDoS检测与调度
class DDoSLoadBalancer:
def __init__(self):
self.redis = RedisCluster()
self.statsd = StatsDClient()
# 流量基线
self.baseline = {
'normal_rps': 1000, # 正常请求/秒
'normal_bandwidth': 100, # 正常带宽MB/s
'normal_connections': 5000 # 正常连接数
}
async def route_request(self, request):
"""智能路由请求"""
# 1. 实时流量分析
current_metrics = await self.get_current_metrics()
# 2. DDoS评分
ddos_score = self.calculate_ddos_score(current_metrics)
# 3. 动态调度
if ddos_score < 30:
# 正常路由
backend = await self.select_optimal_backend()
elif ddos_score < 70:
# 限流模式
backend = await self.select_protected_backend()
await self.apply_rate_limiting(request)
else:
# 清洗模式
backend = await self.select_scrubbing_center()
await self.enable_challenge_response(request)
# 4. 记录决策
await self.log_routing_decision(request, backend, ddos_score)
return backend
def calculate_ddos_score(self, metrics):
"""计算DDoS风险评分"""
score = 0
# 请求频率异常检测
rps_ratio = metrics['rps'] / self.baseline['normal_rps']
if rps_ratio > 10:
score += 40
elif rps_ratio > 5:
score += 20
# 连接数异常检测
conn_ratio = metrics['connections'] / self.baseline['normal_connections']
if conn_ratio > 8:
score += 30
# 带宽异常检测
bandwidth_ratio = metrics['bandwidth'] / self.baseline['normal_bandwidth']
if bandwidth_ratio > 20:
score += 30
# 地理分布异常
geo_diversity = self.calculate_geo_diversity()
if geo_diversity > 0.7: # 来源过于分散
score += 20
return min(score, 100)
async def select_optimal_backend(self):
"""选择最优后端"""
backends = await self.get_healthy_backends()
# 基于多个指标选择
scores = []
for backend in backends:
score = self.calculate_backend_score(backend)
scores.append((backend, score))
# 选择分数最高的
scores.sort(key=lambda x: x[1], reverse=True)
return scores[0][0]
def calculate_backend_score(self, backend):
"""后端评分算法"""
score = 100
# CPU使用率
cpu_usage = backend['cpu_usage']
if cpu_usage > 80:
score -= 40
elif cpu_usage > 60:
score -= 20
# 内存使用率
mem_usage = backend['memory_usage']
if mem_usage > 90:
score -= 30
# 响应时间
response_time = backend['avg_response_time']
if response_time > 1000: # 1秒
score -= 20
# 错误率
error_rate = backend['error_rate']
if error_rate > 0.05: # 5%
score -= 25
return max(score, 0)五、边缘防护配置
// Cloudflare Workers边缘防护
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
// 1. 验证请求
const validation = await validateRequest(request)
if (!validation.valid) {
return new Response('Access Denied', { status: 403 })
}
// 2. 检查速率限制
const ip = request.headers.get('CF-Connecting-IP')
const rateLimit = await checkRateLimit(ip)
if (rateLimit.exceeded) {
// 返回验证页面(挑战)
return generateChallengePage(ip)
}
// 3. 智能路由
const backend = await selectBackend(request)
// 4. 添加安全头部
const response = await fetch(backend, request)
const securedResponse = addSecurityHeaders(response)
return securedResponse
}
// 基于地理位置的负载均衡
async function selectBackend(request) {
const country = request.headers.get('CF-IPCountry')
const backends = {
'CN': 'https://cn-backend.weiai.tech',
'US': 'https://us-backend.weiai.tech',
'EU': 'https://eu-backend.weiai.tech',
'default': 'https://global-backend.weiai.tech'
}
return backends[country] || backends['default']
}
// 动态速率限制
async function checkRateLimit(ip) {
const namespace = PRISON_MAIL_NAMESPACE
const key = `ratelimit:${ip}`
// 使用令牌桶算法
const bucket = await namespace.get(key, { type: 'json' }) || {
tokens: 10,
lastRefill: Date.now()
}
const now = Date.now()
const timePassed = now - bucket.lastRefill
const refillAmount = Math.floor(timePassed / 1000) * 2 // 每秒2个令牌
bucket.tokens = Math.min(10, bucket.tokens + refillAmount)
bucket.lastRefill = now
if (bucket.tokens > 0) {
bucket.tokens -= 1
await namespace.put(key, JSON.stringify(bucket))
return { exceeded: false, remaining: bucket.tokens }
} else {
return { exceeded: true, remaining: 0 }
}
}六、监控与自动切换
#!/bin/bash
# 负载均衡健康检查与自动切换
# 检查后端健康状态
check_backend_health() {
local backend=$1
local timeout=5
# 检查端口连通性
nc -z -w $timeout ${backend%:*} ${backend#*:} 2>/dev/null
if [ $? -ne 0 ]; then
echo "端口检查失败: $backend"
return 1
fi
# 检查HTTP服务
local health_url="http://$backend/health"
local http_code=$(curl -s -o /dev/null -w "%{http_code}" -m $timeout $health_url)
if [ "$http_code" != "200" ]; then
echo "健康检查失败: $backend (HTTP $http_code)"
return 1
fi
# 检查响应时间
local response_time=$(curl -s -o /dev/null -w "%{time_total}" -m $timeout $health_url)
if (( $(echo "$response_time > 1.0" | bc -l) )); then
echo "响应时间过长: $backend ($response_time秒)"
return 2 # 警告状态
fi
echo "健康检查通过: $backend"
return 0
}
# 自动更新负载均衡配置
update_load_balancer() {
local config_file="/etc/nginx/conf.d/backend.conf"
local temp_file="/tmp/backend.conf.new"
# 生成新的配置
cat > $temp_file << EOF
upstream prison_backend {
# 自动生成的健康服务器列表
$(generate_backend_list)
# 负载均衡策略
least_conn;
# 健康检查
health_check interval=5s fails=2 passes=2;
}
EOF
# 检查配置语法
nginx -t -c $temp_file 2>&1 | grep -q "syntax is ok"
if [ $? -eq 0 ]; then
# 热重载配置
cp $temp_file $config_file
nginx -s reload
echo "负载均衡配置已更新"
else
echo "配置语法错误,更新失败"
return 1
fi
}
# 主循环
while true; do
echo "=== 开始健康检查 $(date) ==="
# 检查所有后端
all_healthy=true
backends=("10.0.1.10:8080" "10.0.1.11:8080" "10.0.1.12:8080")
for backend in "${backends[@]}"; do
check_backend_health $backend
case $? in
1) # 失败
echo "移除不健康后端: $backend"
mark_backend_down $backend
all_healthy=false
;;
2) # 警告
echo "后端性能下降: $backend"
adjust_backend_weight $backend 0.5
;;
esac
done
# 如果有变化,更新配置
if [ "$all_healthy" = false ]; then
update_load_balancer
fi
# 等待下一次检查
sleep 30
done七、性能指标
| 指标 | 目标值 | 监控方式 |
|---|---|---|
| 请求成功率 | ≥99.95% | Prometheus + Grafana |
| 平均响应时间 | <100ms | 负载均衡器日志 |
| 后端服务器CPU | <70% | 节点导出器 |
| 连接数 | <5000/节点 | NetData |
| DDoS检测准确率 | ≥99% | 机器学习模型 |
八、总结
微爱帮的DDoS防护负载均衡架构通过四层防护实现:
-
流量分散:多节点、多可用区部署
-
智能调度:基于实时健康状态的动态路由
-
自动防护:DDoS检测与自动切换
-
弹性扩展:根据流量自动扩缩容
核心优势:
-
零单点故障
-
毫秒级故障切换
-
弹性应对突发流量
-
符合监狱通信高可用要求
技术栈:Nginx + LVS + Kubernetes + Cloudflare + 自定义调度算法
微爱帮运维团队
DDoS防护等级:T级防护
SLA保证:99.99%可用性