两种办法
1.设置nginx获取客户最终地址,参考http://hzcsky.blog.51cto.com/1560073/1625354
注意:X-Forwarded-For 是请求头,客户端可以随意填写;只有当请求一定经过可信的代理/CDN时,取其中的地址作为限速依据才可靠。
完整配置示例:
## 具体服务器配置
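http {
    # Rate-limit key: the first address listed in X-Forwarded-For, or the
    # peer address when the header is absent.
    # NOTE(review): X-Forwarded-For is a request header. Unless a trusted
    # proxy/CDN in front of this server overwrites it, the leftmost entry is
    # whatever the client sent, so it is not a trustworthy limiter key on its
    # own. ngx_http_realip_module is the usual way to state which upstream
    # addresses are trusted, e.g.:
    #   set_real_ip_from <TRUSTED_PROXY_CIDR>;   # placeholder, not from this page
    #   real_ip_header X-Forwarded-For;
    #   real_ip_recursive on;
    map $http_x_forwarded_for $limit {
        # Fallback for header values the pattern below does not match.
        # Without it $limit would be empty for such requests, and nginx does
        # not account requests whose limiter key is empty.
        default $remote_addr;
        "" $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
    }

    # Disabled alternative kept from the original: key on $clientRealIp only
    # when $white_ip is 1 (neither variable is defined in this excerpt).
    # map $white_ip $limit {
    #     1 $clientRealIp;
    #     0 "";
    # }

    limit_req_zone $limit zone=tlcy_com:10m rate=5r/s;
    limit_req_log_level info;
    limit_conn_zone $limit zone=addr:10m;
    limit_conn_log_level info;

    server {
        listen 80;
        server_name www.hzcsky.com;

        # User-Agent is also client-supplied; this only filters tools that
        # identify themselves honestly and is not an access control.
        if ($http_user_agent ~* LWP::Simple|BBBike|wget|Sosospider|YodaoBot) {
            return 403;
        }

        ## root /data/www/;
        ## index hou.txt;

        location /mp4/ {
            # 444: nginx closes the connection without sending a response.
            if ($request_method !~ ^(GET|HEAD|POST)$ ) {
                return 444;
            }
        }

        location / {
            if ($request_method !~ ^(GET|HEAD)$ ) {
                return 444;
            }
            proxy_next_upstream http_502 http_504 error timeout invalid_header;
            # The upstream "tlcy" is not defined in this excerpt; it has to be
            # declared elsewhere in the http context.
            proxy_pass http://tlcy;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            allow all;
        }

        # The zone allows 5 requests per second per key (rate=5r/s above).
        # burst=5 with nodelay lets up to 5 requests above that rate through
        # immediately instead of queueing them; anything beyond that is
        # rejected (503 unless limit_req_status is set).
        limit_req zone=tlcy_com burst=5 nodelay;
        # At most 10 concurrent connections per key.
        limit_conn addr 10;

        # Hotlink protection: requests for media files whose Referer is
        # present but not this site are redirected to the 403 page.
        location ~* \.(gif|jpg|png|swf|flv)$ {
            valid_referers none blocked www.hzcsky.com ;
            if ($invalid_referer) {
                rewrite ^/ http://www.hzcsky.com/403.html;
                #return 404;
            }
        }
    }
}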
2.nginx看到的客户端地址为cdn地址时,从cdn那边获取cdn节点ip,设置白名单
注意:白名单内的地址完全不受连接数限制,cdn节点ip变动时需要同步更新白名单。
参考http://www.ttlsa.com/nginx/nginx-speed-white-list-configuration/
http {
    # Classify the peer address: 0 = whitelisted, 1 = everyone else.
    # geo evaluates $remote_addr when no source variable is given.
    # NOTE(review): every listed range is exempt from the connection limit
    # below, including the whole 10.0.0.0/8 private range; keep the list as
    # narrow as the CDN's published node addresses allow.
    geo $whiteiplist {
        default          1;
        127.0.0.1        0;
        10.0.0.0/8       0;
        121.207.242.0/24 0;
    }

    # Whitelisted peers get an empty key. nginx does not account requests
    # whose key is empty, so limit_conn never applies to them.
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }

    limit_conn_zone $limit zone=limit:10m;

    server {
        listen 8080;
        server_name test.ttlsa.com;

        location ^~ /ttlsa.com/ {
            # Up to 4 concurrent connections per non-whitelisted address.
            limit_conn limit 4;
            # Per-connection bandwidth cap; it applies to whitelisted
            # addresses as well, since it does not depend on $limit.
            limit_rate 200k;
            alias /data/www.ttlsa.com/data/download/;
        }
    }
}