我正在使用来自的 nginx 社区版本http://nginx-win.ecsds.eu/ 操作系统是 Windows Server 2019。它提供静态文件,并使用 proxy_pass 将其他所有内容传递给 Apache。
我正在尝试限制每个 IP 的请求。
我添加了这些行来http阻止
limit_req_zone $binary_remote_addr zone=addr_req_lim:20m rate=500r/s;
limit_req_dry_run on;
然后我将以下内容添加到location块中
limit_req zone=addr_req_lim;
现在 nginx 的日志中充斥着类似这样的条目
2022/09/06 01:46:04 [warn] 46668#3904: *39375 limiting requests, dry run, excess: 1.000 by zone "addr_req_lim", client: IP, server: www.domain.com, request: "GET URL HTTP/2.0", host: "www.domain.com", referrer: "REFERRER"
rate看起来很多 IP 都超出了限制,但事实并非如此。当我打开访问日志时,我注意到这些 IP 不超过 30 rps,这与我在参数中设置的 500 rps 相差甚远。
为什么 nginx 不尊重我在配置中设置的限制?
编辑
nginx -T -t输出
nginx: [alert] could not open error log file: CreateFile() "logs/error.log" failed (5: Access is denied)
nginx: the configuration file C:\nginx/conf/nginx.conf syntax is ok
2022/09/06 23:32:28 [emerg] 7628#29508: CreateFile() "C:\nginx/logs/nginx.pid" failed (5: Access is denied)
nginx: configuration file C:\nginx/conf/nginx.conf test failed
注意:服务正在运行,因此出现错误。
编辑
nginx -T -t 输出
worker_processes 4;
error_log logs/error1.log warn;
pid nginx1.pid;
pcre_jit on;
events {
worker_connections 8192;
multi_accept on;
use poll;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr $remote_port - $remote_user "$time_local" "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
reset_timedout_connection on;
server_tokens off;
sendfile_max_chunk 1m;
resolver 1.1.1.1 ipv6=off;
map_hash_bucket_size 64;
server_names_hash_bucket_size 64;
merge_slashes off;
## Start: Timeouts ##
client_body_timeout 5m;
client_header_timeout 5m;
keepalive_timeout 5m;
send_timeout 5m;
keepalive_requests 2048;
## End: Timeouts ##
client_max_body_size 134217728;
client_body_buffer_size 524288;
client_body_temp_path E:/nginx/client_temp 1 2;
proxy_max_temp_file_size 128m;
proxy_buffers 8 16k;
proxy_buffer_size 32k;
proxy_read_timeout 10m;
proxy_send_timeout 10m;
proxy_temp_path E:/nginx/proxy_temp 1 2;
proxy_cache_path E:/nginx/proxy_cache levels=1:2 keys_zone=nginx_cache:10m max_size=10g inactive=60m use_temp_path=off;
proxy_http_version 1.1;
proxy_ignore_client_abort on;
proxy_force_ranges off;
proxy_cache_max_range_offset 0;
limit_conn_zone $binary_remote_addr zone=addr:20m;
limit_conn addr 1000;
limit_conn_log_level warn;
limit_req_zone $binary_remote_addr zone=addr_req_lim:20m rate=500r/s;
limit_req_dry_run on;
limit_req_log_level warn;
include ssl.conf;
include optimizers.conf;
include vhosts.conf;
}
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:100m; # about 400000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam "D:/cert/dh.pem";
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_buffer_size 4k;
map $sent_http_content_type $expires {
default off;
"image/webp" 1y;
"image/jpeg" 1y;
"image/svg+xml" 1y;
"image/svg" 1y;
"image/png" 1y;
"image/gif" 1y;
"image/x-icon" 1y;
"application/javascript" 1y;
"application/x-shockwave-flash" 1y;
"text/css" 1y;
"audio/mpeg" 1y;
"video/mp4" 1y;
"video/webm" 1y;
"application/vnd.ms-fontobject" 1y;
"application/font-woff" 1y;
"application/font-woff2" 1y;
"font/woff2" 1y;
"font/woff" 1y;
"application/x-font-ttf" 1y;
"font/opentype" 1y;
}
expires $expires;
gzip on;
gzip_disable "msie6";
gzip_min_length 1024;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/x-font-ttf font/opentype image/svg+xml image/svg;
etag off;
map $http_accept $webp_suffix {
default "";
~*webp ".webp";
}
server {
listen IP:80 default_server;
listen IP:443 ssl http2;
ssl_certificate "...";
ssl_trusted_certificate "...";
ssl_certificate_key "...";
root "...";
include domains/1.conf;
include vhosts_common.conf;
include domains/domain.conf;
}
index default.php index.php index.html index.shtml index.htm;
location ~ /\.git {
deny all;
access_log off;
log_not_found off;
}
location ~ xmlrpc\.php {
deny all;
access_log off;
log_not_found off;
}
location ~ /cache/templates {
deny all;
access_log off;
log_not_found off;
}
location ^~ /.well-known {
alias "D:/cert/acme-challenge/.well-known";
}
ssi off;
location ~ \.shtml$ {
ssi on;
}
if ($request_method !~ ^(GET|POST|OPTIONS|HEAD)$ ) {
return 444;
}
location ~ \.php$ {
try_files /missing.html @apachesite;
}
location ~* \.(png|jpg|jpeg|gif)$ {
include webp.conf;
}
location / {
limit_req zone=addr_req_lim;
try_files $uri $uri/ $uri.shtml @apachesite;
}
error_page 503 @maintenance;
location @maintenance {
rewrite ^(.*)$ /_maintenance.html break;
}
location @apachesite {
# if (-f $document_root/maintenance.html) {
# return 503;
# }
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header Range $http_range;
proxy_pass http://$server_addr:8181$request_uri;
proxy_cache off;
expires off;
}
location /nginx_status {
# Turn on stats
stub_status on;
access_log off;
}
敏感信息已被删除。