
Rate Limit GRPC connections based on authorization token in Nginx Ingress

I am trying to rate limit the number of GRPC connections based on a token included in the Authorization header. I tried the following settings in the Nginx configmap and Ingress annotation, but Nginx rate limiting is not working.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: default
data:
  # http-snippet is rendered into the http {} block, which is where
  # limit_req_zone must be declared
  http-snippet: |
    limit_req_zone $http_authorization zone=zone-1:20m rate=10r/m;
    # declared but not referenced by any limit_req below
    limit_req_zone $http_token zone=zone-2:20m rate=10r/m;
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
    # configuration-snippet is rendered into the location {} block
    nginx.ingress.kubernetes.io/configuration-snippet: |
      limit_req zone=zone-1;
      limit_req_log_level notice;
      limit_req_status 429;

I am trying to have the Nginx Ingress Controller rate limit the GRPC/HTTP2 stream connection based on the value in the $http_authorization variable. I have modified the Nginx log_format to log the $http_authorization value and observe that Nginx receives the value. The problem I am facing is that for some reason the rate limiting rule doesn't get triggered.

Is this the correct approach?

Any help and feedback would be much appreciated!

Thanks

Hello Bobby_H and welcome to Stack Overflow!

When using Nginx Ingress on Kubernetes you can set up your rate limits with these annotations:

  • nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. A 503 error is returned when this limit is exceeded.

  • nginx.ingress.kubernetes.io/limit-rps: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, limit-req-status-code (default: 503) is returned.

  • nginx.ingress.kubernetes.io/limit-rpm: number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, limit-req-status-code (default: 503) is returned.

  • nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier of the limit rate for the burst size. The default burst multiplier is 5; this annotation overrides the default multiplier. When clients exceed this limit, limit-req-status-code (default: 503) is returned.

  • nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which the further transmission of a response to a given connection will be rate limited. This feature must be used with proxy-buffering enabled.

  • nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to be sent to a given connection. The zero value disables rate limiting. This feature must be used with proxy-buffering enabled.

  • nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate limiting. The value is a comma-separated list of CIDRs.

Nginx implements the leaky bucket algorithm, where incoming requests are buffered in a FIFO queue and then consumed at a limited rate. The burst value defines the size of the queue, which allows a number of requests beyond the base limit to be served. When the queue becomes full, subsequent requests are rejected with an error code.

Here you will find all the important parameters for configuring your rate limiting.

The number of expected successful requests can be calculated like this:

successful requests = (period * rate + burst) * nginx replica

So it is important to notice that the number of nginx replicas also multiplies the number of successful requests. Also, notice that the Nginx ingress controller sets the burst value at 5 times the limit. You can check those parameters in nginx.conf after setting up your desired annotations. For example:

limit_req_zone $limit_cmRfaW5ncmVzcy1yZC1oZWxsby1sZWdhY3k zone=ingress-hello-world_rps:5m rate=5r/s;
limit_req zone=ingress-hello-world_rps burst=25 nodelay;

limit_req_zone $limit_cmRfaW5ncmVzcy1yZC1oZWxsby1sZWdhY3k zone=ingress-hello-world_rpm:5m rate=300r/m;
limit_req zone=ingress-hello-world_rpm burst=1500 nodelay;

There are two limitations that I would also like to underline:

  • Requests are counted by client IP, which might not be accurate, or might not fit your business needs, such as rate limiting by user identity.

  • Options like burst and delay are not configurable.

I strongly recommend also going through the sources below for a more in-depth explanation of this topic:
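The following is an added example, not code from the question, the answer or ingress-nginx. It is a toy model of the per-key accounting behind nginx's limit_req (excess kept in milli-requests, drained at the zone rate, rejected above burst), keyed on the Authorization header the way the question's `limit_req_zone $http_authorization ...` is. It checks the answer's rule of thumb, successful requests = (period * rate + burst) * nginx replica, against the generated zone shown above (rate=5r/s, burst=25 nodelay), and shows the empty-key case. Assumptions that are mine, not the page's: one gRPC call is one HTTP/2 request and therefore one limit_req event; nginx does not account requests whose key is empty; the `fallback_to_ip` option stands in for an nginx `map` (not on the page) that substitutes the client address when the header is missing. The request samples are constructed, not captured traffic.

```python
# Added example: toy model of nginx limit_req accounting keyed on the
# Authorization header. Not from the question, the answer or ingress-nginx.
# Assumptions: one RPC == one HTTP/2 request == one limit_req event; nginx
# skips accounting entirely when the key is empty; the IP fallback stands in
# for an assumed nginx `map`. All requests below are constructed samples.

ALLOW, DELAY, REJECT, NOT_LIMITED = "allow", "delay", "reject", "not_limited"


class LimitReqZone:
    """Leaky-bucket state for one limit_req_zone, in nginx's own units:
    excess in milli-requests, time in milliseconds."""

    def __init__(self, rate_per_sec: float, burst: int, nodelay: bool = True):
        self.rate = rate_per_sec * 1000.0   # milli-requests drained per second
        self.burst = burst * 1000           # excess a key may carry before rejection
        self.nodelay = nodelay              # serve excess requests now instead of delaying them
        self.state = {}                     # key -> (excess, last_ms)

    def check(self, key: str, now_ms: int) -> str:
        """Decide one request for `key` arriving at `now_ms`."""
        if key == "":
            return NOT_LIMITED              # empty key: nginx applies no limit at all
        if key not in self.state:
            self.state[key] = (0.0, now_ms) # first request of a key is always served
            return ALLOW
        excess, last = self.state[key]
        ms = max(now_ms - last, 0)
        # drain what leaked since the last accepted request, then add this one
        excess = max(excess - self.rate * ms / 1000.0 + 1000.0, 0.0)
        if excess > self.burst:
            return REJECT                   # rejected requests do not update the state
        self.state[key] = (excess, now_ms)
        if excess > 0 and not self.nodelay:
            return DELAY                    # queued and served at `rate`
        return ALLOW


def limit_key(headers: dict, remote_addr: str, fallback_to_ip: bool) -> str:
    """The question keys on $http_authorization alone. With fallback_to_ip the
    key behaves like an assumed nginx `map` that substitutes $binary_remote_addr
    when the header is absent, so unauthenticated requests are limited per
    client address instead of being skipped."""
    token = headers.get("authorization", "")
    if token or not fallback_to_ip:
        return token
    return remote_addr


def simulate(zone, requests, fallback_to_ip=False):
    """requests: (arrival_ms, headers, remote_addr) tuples. Returns outcome counts."""
    counts = {ALLOW: 0, DELAY: 0, REJECT: 0, NOT_LIMITED: 0}
    for now_ms, headers, addr in requests:
        counts[zone.check(limit_key(headers, addr, fallback_to_ip), now_ms)] += 1
    return counts


def expected_successes(period_s, rate_per_sec, burst, replicas=1):
    """The answer's rule of thumb for a period of sustained traffic."""
    return int((period_s * rate_per_sec + burst) * replicas)


def one_token_for_one_second():
    """100 RPCs carrying the same constructed bearer token, 10 ms apart,
    against the answer's generated zone (rate=5r/s, burst=25 nodelay)."""
    zone = LimitReqZone(rate_per_sec=5, burst=25, nodelay=True)
    reqs = [(i * 10, {"authorization": "Bearer example-token"}, "10.0.0.1")
            for i in range(100)]
    return simulate(zone, reqs)


def no_header_burst(fallback_to_ip):
    """50 requests without any Authorization header from one address, all at
    once, against a zone in the question's style with no burst."""
    zone = LimitReqZone(rate_per_sec=5, burst=0)
    reqs = [(0, {}, "10.0.0.2") for _ in range(50)]
    return simulate(zone, reqs, fallback_to_ip)


if __name__ == "__main__":
    print("one token, one second:", one_token_for_one_second(),
          "rule of thumb:", expected_successes(1, 5, 25))
    print("no header, keyed on header only:", no_header_burst(False))
    print("no header, fallback to client IP:", no_header_burst(True))
```

Run stand-alone, the first scenario admits exactly 30 of the 100 calls (27 absorbed by the first burst, then one every 200 ms), matching the rule of thumb for one replica; three replicas would admit up to 90. The second scenario is the check a practitioner wants before relying on a header-keyed zone: with the header absent, every request passes unlimited unless the key falls back to something that is never empty, such as the client address. The model uses the zone rate in r/s; the question's 10r/m is the same rule with a drain of one request per six seconds and no burst, so a second call inside that window is rejected with the configured 429.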
