How to add rate limiting on tornado python app

Would it be possible to implement a rate limiting feature on my tornado app? Like limit the number of HTTP requests from a specific client if they are identified to send too many requests per second (which red flags them as bots).

I think I could do it manually by storing the requests on a database and analyzing the requests per IP address but I was just checking if there is already an existing solution for this feature.

I tried checking the github page of tornado, I have the same questions as this post but no explicit answer was provided. Checked tornado's wiki links as well but I think rate limiting is not handled yet.

Instead of storing them in the DB, it would be better to have them in a dictionary stored in memory for easy usability. Also, can you share the details of whether the API has a load-balancer and which web-server is used?

The enterprise grade solution to your problem is ambassador. You can use ambassador's solutions like envoy proxy and edge stack and have it set up to do the needful.

Additionally, to store the data, you can use any popular cached db, or a db that stores data as key:value pairs, for example redis.

If you are doing this for a very small project, you can use some npm/pip packages.

Read the docs: https://www.getambassador.io/products/edge-stack/api-gateway/

You should probably do this before your requests reach Tornado.

But if it's an application level feature (limiting requests depending on level of subscription), then you can do it in Tornado in lots of ways, depending on how complex you want the rate limiting to be.

Probably the simplest way is to have a dict on your tornado.web.Application that uses the ip as the key and the timestamp of the last request as the value and check every request against it in prepare - if not enough time passed since last request, raise a tornado.web.HTTPError(429) (ideally with a Retry-After header). If you do this, you will still need to clean up this dict now and then to remove entries that have not made a request recently or it will grow (you could do it in finish on every request).

If you have another fast/in-memory storage attached (memcache, redis, sqlite), you should use that, but you definitely should not use an RDBMS as all those writes will not be great for its performance.
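
A sketch of the in-memory approach from the answer above, added here as an example and not code from the original post. The names MinIntervalLimiter, RateLimitMixin and the application.rate_limiter attribute are assumptions. It answers with 429 directly instead of raising HTTPError, because Tornado's send_error() clears any headers set before the exception, which would drop Retry-After.

```python
import math
import time


class MinIntervalLimiter:
    """Remembers the time of the last accepted request per client key."""

    def __init__(self, min_interval=1.0, sweep_every=60.0):
        self.min_interval = min_interval
        self.sweep_every = sweep_every
        self._last_seen = {}      # client key -> monotonic timestamp
        self._last_sweep = 0.0

    def check(self, key, now=None):
        """Return 0 if the request is allowed, else whole seconds to wait."""
        now = time.monotonic() if now is None else now
        if now - self._last_sweep >= self.sweep_every:
            self._sweep(now)
        last = self._last_seen.get(key)
        if last is not None and now - last < self.min_interval:
            return math.ceil(self.min_interval - (now - last))
        self._last_seen[key] = now
        return 0

    def _sweep(self, now):
        # Drop clients whose interval has expired, so the dict only holds
        # recently active clients instead of growing without bound.
        cutoff = now - self.min_interval
        self._last_seen = {k: t for k, t in self._last_seen.items() if t > cutoff}
        self._last_sweep = now


class RateLimitMixin:
    """List before tornado.web.RequestHandler; expects application.rate_limiter."""

    def prepare(self):
        wait = self.application.rate_limiter.check(self.request.remote_ip)
        if wait:
            # Respond here; once prepare() calls finish(), Tornado does not
            # go on to call the HTTP verb method.
            self.set_status(429)
            self.set_header("Retry-After", str(wait))
            self.finish()
```

Behind a load balancer, request.remote_ip is the proxy's address unless the HTTPServer is started with xheaders=True, so every client would share one key. The dict is per process, so with several Tornado processes each one enforces its own limit.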
