[alibaba/tengine] Help!!! Neither the limit_conn_zone nor the limit_req_zone directive takes effect; looking for expert advice

2024-06-26 581 views
1

Nginx version: Tengine version: Tengine/2.2.1 (nginx/1.8.1). Both the ngx_http_limit_conn_module and ngx_http_limit_req_module modules are present; see the ./nginx -V output below for details.

The goal is to limit the number of accesses from a single IP. Configuration statements:

[Configuration in http]

    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_zone $binary_remote_addr $uri zone=one:3m rate=1r/s;
    # or: limit_req_zone $binary_remote_addr zone=one:3m rate=1r/s;

[Configuration in location]

    limit_conn perip 1;
    limit_req zone=one;

[Log from the test run] Every request within the same second succeeded, so the limit did not have the intended effect.

    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58329|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.219|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.219
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58345|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.278|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.278
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58344|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.251|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.251
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58332|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.372|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.372
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58331|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.372|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.372
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58330|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.372|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.372
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58340|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.543|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.543
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58363|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.329|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.329
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58367|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.587|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.587
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58368|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.550|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.550
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58369|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.504|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.504
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58338|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.482|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.482
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58360|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.434|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.434
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58336|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.482|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.482
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58359|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.434|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.434
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58341|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.482|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.482
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58370|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.257|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.257
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58337|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.482|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.482
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58366|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.304|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.304
    /vcweixin4/cdyt/seckill/test?company=cdyt&a=222|www.test.cn|www.test.cn|192.168.2.254|58334|-|29/Sep/2018:09:15:42 +0800|GET /vcweixin4/cdyt/seckill/test?company=cdyt&a=222 HTTP/1.1|200|2.482|1517|-|Apache-HttpClient/4.2.6 (java 1.5)|-|www.test.cn|-|-|192.168.2.186:8889|2.482

[nginx -V output]

    $ ./nginx -V
    Tengine version: Tengine/2.2.1 (nginx/1.8.1)
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
    TLS SNI support enabled
    configure arguments: --prefix=/home/culngx/culp/ngx --with-pcre=/home/culngx/culp/pcre-8.41/ --with-http_ssl_module --with-http_sub_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_lua_module --with-luajit-inc=/home/culngx/culp/luajit/include/luajit-2.0/ --with-luajit-lib=/home/culngx/culp/luajit/lib/ --with-ld-opt=-Wl,-rpath,/home/culngx/culp/luajit/lib/:/home/culngx/culp/pcre/lib/ --with-pcre-jit
    nginx: loaded modules:
    nginx: ngx_core_module (static)
    nginx: ngx_errlog_module (static)
    nginx: ngx_conf_module (static)
    nginx: ngx_dso_module (static)
    nginx: ngx_events_module (static)
    nginx: ngx_event_core_module (static)
    nginx: ngx_epoll_module (static)
    nginx: ngx_procs_module (static)
    nginx: ngx_proc_core_module (static)
    nginx: ngx_openssl_module (static)
    nginx: ngx_regex_module (static)
    nginx: ngx_http_module (static)
    nginx: ngx_http_core_module (static)
    nginx: ngx_http_log_module (static)
    nginx: ngx_http_upstream_module (static)
    nginx: ngx_http_static_module (static)
    nginx: ngx_http_gzip_static_module (static)
    nginx: ngx_http_autoindex_module (static)
    nginx: ngx_http_index_module (static)
    nginx: ngx_http_auth_request_module (static)
    nginx: ngx_http_auth_basic_module (static)
    nginx: ngx_http_access_module (static)
    nginx: ngx_http_limit_conn_module (static)
    nginx: ngx_http_limit_req_module (static)
    nginx: ngx_http_realip_module (static)
    nginx: ngx_http_geo_module (static)
    nginx: ngx_http_map_module (static)
    nginx: ngx_http_split_clients_module (static)
    nginx: ngx_http_referer_module (static)
    nginx: ngx_http_rewrite_module (static)
    nginx: ngx_http_ssl_module (static)
    nginx: ngx_http_proxy_module (static)
    nginx: ngx_http_fastcgi_module (static)
    nginx: ngx_http_uwsgi_module (static)
    nginx: ngx_http_scgi_module (static)
    nginx: ngx_http_memcached_module (static)
    nginx: ngx_http_empty_gif_module (static)
    nginx: ngx_http_browser_module (static)
    nginx: ngx_http_user_agent_module (static)
    nginx: ngx_http_upstream_hash_module (static)
    nginx: ngx_http_upstream_ip_hash_module (static)
    nginx: ngx_http_upstream_consistent_hash_module (static)
    nginx: ngx_http_upstream_check_module (static)
    nginx: ngx_http_upstream_least_conn_module (static)
    nginx: ngx_http_upstream_keepalive_module (static)
    nginx: ngx_http_upstream_dynamic_module (static)
    nginx: ngx_http_stub_status_module (static)
    nginx: ngx_http_write_filter_module (static)
    nginx: ngx_http_header_filter_module (static)
    nginx: ngx_http_chunked_filter_module (static)
    nginx: ngx_http_range_header_filter_module (static)
    nginx: ngx_http_gzip_filter_module (static)
    nginx: ngx_http_postpone_filter_module (static)
    nginx: ngx_http_ssi_filter_module (static)
    nginx: ngx_http_charset_filter_module (static)
    nginx: ngx_http_sub_filter_module (static)
    nginx: ngx_http_userid_filter_module (static)
    nginx: ngx_http_footer_filter_module (static)
    nginx: ngx_http_trim_filter_module (static)
    nginx: ngx_http_headers_filter_module (static)
    nginx: ngx_http_upstream_session_sticky_module (static)
    nginx: ngx_http_reqstat_module (static)
    nginx: ngx_http_lua_module (static)
    nginx: ngx_http_copy_filter_module (static)
    nginx: ngx_http_range_body_filter_module (static)
    nginx: ngx_http_not_modified_filter_module (static)

Answers

6

Did you manage to solve this? I've run into the same problem...

0

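I can't reproduce this problem when testing locally. Could you post the complete configuration and the test method so we can check it together?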

2

Tengine之limit_conn_zone并发测试结果.docx (Tengine limit_conn_zone concurrency test results)

The test method is as follows:
  1. Tengine: Tengine/2.2.2 (nginx/1.8.1)
  2. Nginx: nginx/1.7.4
  3. Test tool: siege 4.0.4

Tengine and Nginx are given the same configuration, as follows:

    # http block:
    http {
        # ……
        limit_conn_zone $binary_remote_addr zone=ip_limit:15m;
        # ……
    }

    # server block:
    server {
        location / {
            limit_conn  ip_limit 10;
            limit_conn_status 500;
            root   /usr/local/webserver/nginx/html/web;
            index  index.php index.html index.htm;
        }
    }

#### Testing Tengine:

    siege -c 15 -r 1 www.zhang.com
    SIEGE 4.0.4
    Preparing 15 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.02 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /
    HTTP/1.1 200 0.03 secs: 555 bytes ==> GET /

    Transactions: 15 hits
    Availability: 100.00 %
    Elapsed time: 0.03 secs
    Data transferred: 0.01 MB
    Response time: 0.02 secs
    Transaction rate: 500.00 trans/sec
    Throughput: 0.26 MB/sec
    Concurrency: 12.33
    Successful transactions: 15
    Failed transactions: 0
    Longest transaction: 0.03
    Shortest transaction: 0.02

Test result: with 15 concurrent users, every request passed; limit_conn ip_limit 10; had no effect.


#### Testing Nginx:

    siege -c 15 -r 1 www.zhang.com
    SIEGE 4.0.4
    Preparing 15 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 200 0.07 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.07 secs: 33 bytes ==> GET /
    HTTP/1.1 500 0.07 secs: 186 bytes ==> GET /
    HTTP/1.1 500 0.07 secs: 186 bytes ==> GET /
    HTTP/1.1 500 0.07 secs: 186 bytes ==> GET /
    HTTP/1.1 500 0.07 secs: 186 bytes ==> GET /
    HTTP/1.1 200 0.08 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.08 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.08 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.08 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.08 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.08 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.09 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.09 secs: 33 bytes ==> GET /
    HTTP/1.1 200 0.09 secs: 33 bytes ==> GET /

    Transactions: 11 hits
    Availability: 73.33 %
    Elapsed time: 0.09 secs
    Data transferred: 0.00 MB
    Response time: 0.11 secs
    Transaction rate: 122.22 trans/sec
    Throughput: 0.01 MB/sec
    Concurrency: 13.00
    Successful transactions: 11
    Failed transactions: 4
    Longest transaction: 0.09
    Shortest transaction: 0.07

Test result: with 15 concurrent users, 11 succeeded and 4 were blocked; the same happens when the concurrency is increased further. The limit_conn setting works.

8

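After some blind trial and error, the problem was solved. Removing the line session_sticky_hide_cookie upstream=http*** from the configuration file fixed it. I don't know why the session_sticky_hide_cookie setting conflicted with limit_conn_zone and limit_req_zone?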

4

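@zhangdongyux When testing with siege, requesting a small file is not suitable for verifying concurrency, because the previous request is finished very quickly. limit_conn actually checks the current number of connections for the same key in the ngx_http_pre_access phase, and the connection count is decremented by 1 when the request ends. If you change the test to use a large file, you can see the effect. In my local test, concurrent transfer of a 10M file shows that it takes effect.

    Transactions: 9 hits
    Availability: 45.00 %
    Elapsed time: 0.79 secs
    Data transferred: 90.01 MB
    Response time: 0.05 secs
    Transaction rate: 11.39 trans/sec
    Throughput: 113.93 MB/sec
    Concurrency: 0.61
    Successful transactions: 9
    Failed transactions: 11
    Longest transaction: 0.04
    Shortest transaction: 0.00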

1

@maronggang Logically the two are unrelated; I'm not sure what the specific cause is.

5

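Something feels off here. Nginx's configuration does not distinguish between large and small files; does Tengine only show the effect with large files? The concept of concurrency in network requests should have nothing to do with file size.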

1

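The concept of concurrency of course does not distinguish between large and small files; the point is only that a test may not actually achieve real concurrency. You can turn on the debug log and take a look: when a request ends there is a "limit conn cleanup" log entry, and the next request is only received after the previous one has finished processing. That shows the request lifetimes do not overlap, so limit_conn naturally has no effect.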
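The non-overlap effect described in the replies above (the per-key count is checked when a request is admitted and decremented when the request ends) can be reproduced with a small model. This is an added example, not part of the thread and not Tengine or Nginx code; the function name, the 2 ms arrival spacing and the service times are constructed assumptions.

```python
import heapq


def simulate_limit_conn(requests, limit):
    """Model limit_conn accounting for a single key (one client IP).

    requests: iterable of (arrival_us, service_us) pairs, in microseconds.
    Returns (accepted, rejected, peak_in_flight).
    """
    finishing = []  # min-heap of finish times of admitted, still-running requests
    accepted = rejected = peak = 0
    for arrival, service in sorted(requests):
        # Requests that ended by now have released their slot
        # (the "limit conn cleanup" step mentioned in the thread).
        while finishing and finishing[0] <= arrival:
            heapq.heappop(finishing)
        if len(finishing) >= limit:
            rejected += 1  # this request would receive limit_conn_status
            continue
        heapq.heappush(finishing, arrival + service)
        accepted += 1
        peak = max(peak, len(finishing))
    return accepted, rejected, peak


# Constructed workloads: 15 clients whose requests arrive 2 ms apart.
# Small file: each request is served in 1 ms, so lifetimes never overlap.
SMALL_FILE = [(i * 2000, 1000) for i in range(15)]
# Large file: each transfer takes 500 ms, so all 15 lifetimes overlap.
LARGE_FILE = [(i * 2000, 500_000) for i in range(15)]

if __name__ == "__main__":
    for name, load in (("small file", SMALL_FILE), ("large file", LARGE_FILE)):
        ok, blocked, peak = simulate_limit_conn(load, limit=10)
        print(f"{name}: accepted={ok} rejected={blocked} peak_in_flight={peak}")
```

With the same `limit_conn ip_limit 10`, the small-file load never has more than one request in flight, while the large-file load reaches the limit and the remaining requests are rejected.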

2

In the latest version we have already merged nginx-1.15.9, and have merged many official fixes for limit req.


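Hello, Tengine users! We recently merged the official Nginx 1.15.9 code into the Tengine master branch. You can try out the master branch code for testing first (if you use it in production, be sure to do a gradual canary rollout and read the related list of caveats). We will also officially release Tengine-2.3.x soon. You are welcome to use it; if you have any problems, please give us feedback at any time. Thank you.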

Warning

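This Tengine upgrade moves the core code to official Nginx 1.15.9. Because official Nginx now provides some of these features itself, this release directly drops some configuration directives that Tengine implemented on its own. The list of incompatibilities is as follows: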

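  • 1. Tengine's own reuse_port directive is deprecated; use official Nginx's reuseport instead. To upgrade: comment out reuse_port on|off in the events block and add the reuseport parameter after the corresponding listening port; see the documentation for details.
  • 2. Tengine's dso_tool and the dso configuration directives are deprecated. If you previously used Tengine's dso feature, you can switch to official Nginx's load_module directive; for detailed documentation see reference 1 and reference 2.
  • 3. Tengine's enhanced slice module has been moved to modules, and the official Nginx slice feature is used by default. If you still need Tengine's slice, compile with --add-module=modules/ngx_http_slice_module; otherwise use the --with-http_slice_module build option.
  • 4. All modules implemented by Tengine itself have now been split out into the modules directory. If you need a particular module, compile it with --add-module=modules/xxx_module_name.
  • 5. limit_req's request counting logic is now consistent with official Nginx: the logic that skipped request counting when any variable in limit_req_zone had an empty value has been removed.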