I have a Perl-based CGI/Fast CGI web service and want to rate-limit clients by IP address to stop aggressive clients causing too much work.
我有一个基于Perl的CGI /快速CGI Web服务,并希望通过IP地址对客户端进行速率限制,以阻止侵略性客户端造成太多工作。
I have looked around for some code and found Algorithm::TokenBucket in CPAN but that is for client requests; it has no persistence and has no per-user config so is not really useful for server-side rate limiting.
我查看了一些代码并在CPAN中找到了Algorithm :: TokenBucket,但这是针对客户端请求的;它没有持久性,没有每用户配置,因此对服务器端速率限制没有用。
I am looking for suggestions for something that already exists, otherwise I'll need to roll my own based on some simple persistence such as tie to DB_File per-IP address and some batch job that does the token management.
我正在寻找已经存在的东西的建议,否则我需要基于一些简单的持久性来推销我自己的东西,例如绑定到DB_File每IP地址和一些执行令牌管理的批处理作业。
2 个解决方案
#1
I've used Cache::FastMmap for rate-limiting by tracking hits per IP address. It's a cache so data will expire over time, but if you set the size and expire time right, this shouldn't be an issue.
我已经使用Cache :: FastMmap通过跟踪每个IP地址的命中率来限制速率。它是一个缓存,因此数据会随着时间的推移而过期,但如果您设置了大小和到期时间,这应该不是问题。
The IP address is the hash key and the hash value is an array of timestamps. I have a second data structure (also backed by Cache::FastMMap) which is a hash of banned IP addresses, updated according to the data from the first structure.
IP地址是散列键,散列值是时间戳数组。我有第二个数据结构(也由Cache :: FastMMap支持),它是一个禁止IP地址的哈希,根据第一个结构的数据更新。
#2
I know it's not what you asked, but have you considered handling this elsewhere in the stack where it's already been done for you? Clearly I don't know your deployment stack, but if it's apache you could use mod_evasive. Alternately if you're on Linux you could let iptables do its job using something like:
我知道这不是你问的问题,但你有没有考虑过在堆栈的其他地方处理它已经为你完成了?显然我不知道你的部署堆栈,但如果它是apache你可以使用mod_evasive。或者,如果你在Linux上,你可以让iptables使用类似的东西来完成它的工作:
#Allow only 12 connections per IP
/sbin/iptables -A INPUT -p tcp --dport 80 -m conn-limit --connlimit-above 12 -j REJECT --reject-with tcp-reset
certainly more complicated rules are possible.
当然,更复杂的规则是可能的。
#1
I've used Cache::FastMmap for rate-limiting by tracking hits per IP address. It's a cache so data will expire over time, but if you set the size and expire time right, this shouldn't be an issue.
我已经使用Cache :: FastMmap通过跟踪每个IP地址的命中率来限制速率。它是一个缓存,因此数据会随着时间的推移而过期,但如果您设置了大小和到期时间,这应该不是问题。
The IP address is the hash key and the hash value is an array of timestamps. I have a second data structure (also backed by Cache::FastMMap) which is a hash of banned IP addresses, updated according to the data from the first structure.
IP地址是散列键,散列值是时间戳数组。我有第二个数据结构(也由Cache :: FastMMap支持),它是一个禁止IP地址的哈希,根据第一个结构的数据更新。
#2
I know it's not what you asked, but have you considered handling this elsewhere in the stack where it's already been done for you? Clearly I don't know your deployment stack, but if it's apache you could use mod_evasive. Alternately if you're on Linux you could let iptables do its job using something like:
我知道这不是你问的问题,但你有没有考虑过在堆栈的其他地方处理它已经为你完成了?显然我不知道你的部署堆栈,但如果它是apache你可以使用mod_evasive。或者,如果你在Linux上,你可以让iptables使用类似的东西来完成它的工作:
#Allow only 12 connections per IP
/sbin/iptables -A INPUT -p tcp --dport 80 -m conn-limit --connlimit-above 12 -j REJECT --reject-with tcp-reset
certainly more complicated rules are possible.
当然,更复杂的规则是可能的。