feat(nginx): 新增请求速率限制

这个提交包含在:
2024-10-30 19:01:57 +08:00
未验证
父节点 12fbd55e29
当前提交 4cfeba80ca
修改 2 个文件,包含 25 行新增14 行删除
+18 -12
@@ -33,7 +33,7 @@ spec:
type: nginx type: nginx
env: env:
- name: COLLECTIONS - name: COLLECTIONS
value: "crowdsecurity/base-http-scenarios" value: "crowdsecurity/base-http-scenarios crowdsecurity/http-dos"
- name: SCENARIOS - name: SCENARIOS
value: "crowdsecurity/nginx-req-limit-exceeded" value: "crowdsecurity/nginx-req-limit-exceeded"
persistentVolume: persistentVolume:
@@ -86,41 +86,47 @@ spec:
# nginx access logs # nginx access logs
- filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "nginx") in ["", nil] - filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "nginx") in ["", nil]
statics: statics:
- meta: service
value: http
- meta: log_type - meta: log_type
value: http_access-log value: http_access-log
- target: evt.StrTime - target: evt.StrTime
expression: evt.Parsed.time expression: evt.Unmarshaled.nginx.time_local
- meta: service
value: http
- meta: source_ip - meta: source_ip
expression: evt.Unmarshaled.nginx.remote_addr expression: evt.Unmarshaled.nginx.remote_addr
- meta: http_status - meta: http_status
expression: evt.Unmarshaled.nginx.status expression: evt.Unmarshaled.nginx.status
- meta: http_path - meta: http_path
expression: evt.Unmarshaled.nginx.request expression: evt.Unmarshaled.nginx.request_uri
- meta: http_verb
expression: evt.Unmarshaled.nginx.request_method
- meta: http_user_agent - meta: http_user_agent
expression: evt.Unmarshaled.nginx.http_user_agent expression: evt.Unmarshaled.nginx.http_user_agent
- meta: target_fqdn
expression: evt.Unmarshaled.nginx.server_name
# nginx error logs # nginx error logs
- grok: - grok:
pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{NGCUSTOMURIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"' pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{NGCUSTOMURIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"'
apply_on: message apply_on: message
statics: statics:
- meta: service
value: http
- meta: log_type - meta: log_type
value: http_error-log value: http_error-log
- target: evt.StrTime - target: evt.StrTime
expression: evt.Parsed.time expression: evt.Parsed.time
- meta: service
value: http
- meta: source_ip - meta: source_ip
expression: "evt.Parsed.remote_addr" expression: evt.Parsed.remote_addr
- meta: http_status - meta: http_status
expression: "evt.Parsed.status" expression: evt.Parsed.status
- meta: http_path - meta: http_path
expression: "evt.Parsed.request" expression: evt.Parsed.request
- meta: http_verb
expression: evt.Parsed.verb
- meta: http_user_agent - meta: http_user_agent
expression: "evt.Parsed.http_user_agent" expression: evt.Parsed.http_user_agent
- meta: target_fqdn - meta: target_fqdn
expression: "evt.Parsed.target_fqdn" expression: evt.Parsed.target_fqdn
pattern_syntax: pattern_syntax:
NO_DOUBLE_QUOTE: '[^"]+' NO_DOUBLE_QUOTE: '[^"]+'
onsuccess: next_stage onsuccess: next_stage
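Review bot: The error-log statics on the new side still set `http_status` from `evt.Parsed.status`, but the grok pattern above captures no `status` field (it yields time, loglevel, pid, tid, cid, message, remote_addr, target_fqdn, verb, request, http_version), so `http_status` is empty on every `http_error-log` event — drop that static or capture the value from the message if the newly enabled `nginx-req-limit-exceeded` / `http-dos` scenarios need it. Both parsers key `source_ip` on `remote_addr`; behind a load balancer that terminates connections this is the balancer's address unless ingress-nginx is configured to restore the real client IP, which this hunk does not show, so confirm that before expecting bans to hit individual clients rather than the whole ingress. A short comment such as `# source_ip must be the real client address; requires real-IP / proxy-protocol on the ingress` above the access-log statics would record that dependency. The parser list this hunk edits starts before the hunk (`@@ -86,41 +86,47 @@`).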
+7 -2
@@ -34,15 +34,20 @@ spec:
ssl-redirect: "true" ssl-redirect: "true"
# 自定义错误页面 # 自定义错误页面
custom-http-errors: "403,404,502,503" custom-http-errors: "403,404,502,503"
# 缓存配置
http-snippet: | http-snippet: |
# 缓存配置
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off; proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
proxy_cache_key $uri$is_args$args; proxy_cache_key $uri$is_args$args;
proxy_cache_lock on; proxy_cache_lock on;
proxy_cache_use_stale updating; proxy_cache_use_stale updating;
# dns配置 # 限速配置
limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
server-snippet : | server-snippet : |
# dns配置
resolver 169.254.20.10 10.43.0.10 ipv6=off; resolver 169.254.20.10 10.43.0.10 ipv6=off;
location-snippet: |
# 限速配置
limit_req zone=global_limit burst=30 nodelay;
# 启用geoip2模块 # 启用geoip2模块
use-geoip: "false" use-geoip: "false"
use-geoip2: "true" use-geoip2: "true"
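Review bot: The new `limit_req_zone $binary_remote_addr ...` key in `http-snippet` only limits per client if nginx sees the real client address; behind a load balancer without proxy-protocol or a trusted real-IP configuration every request shares the balancer's bucket and 10r/s throttles the whole site, while a forwarded-headers setup that trusts any upstream lets a client spoof `X-Forwarded-For` into a fresh bucket — neither setting is visible here, so verify which applies. Because `limit_req` is placed in `location-snippet` it is applied to every Ingress location, including health-check and asset paths, and rejections use nginx's default 503, which the existing `custom-http-errors: "403,404,502,503"` will route through the error backend and make indistinguishable from an outage in metrics; consider `limit_req_status 429;` next to the `limit_req` line so rate-limit rejections are separable from backend failures. Leave `limit_req_log_level` at its default (error) if the crowdsec `nginx-req-limit-exceeded` scenario is expected to pick these events up from the error log, and document that coupling with a comment such as `# keep limit_req logging at error level: crowdsec parses these lines`.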