
Problem description

I'm trying to set up the rate-limiting option limit_req for a specific path in Kubernetes ingress-nginx to prevent brute-forcing authentication.

I've defined limit_req_zone using a ConfigMap:

http-snippet: |
  limit_req_zone $the_real_ip zone=authentication_ratelimit:10m rate=1r/s;

Next, I'm using an annotation to add a custom location block:

nginx.ingress.kubernetes.io/configuration-snippet: |
  location ~* "^/authenticate$" {
    limit_req zone=authentication_ratelimit nodelay;
    more_set_headers "x-test: matched";
  }

This produces the following nginx.conf:

server {
  # - - 8< - -

  location / {
    # - - 8< - -

    location ~* "^/authenticate$" {
      limit_req zone=authentication_ratelimit nodelay;
      more_set_headers "x-test: matched";
    }

    proxy_pass http://upstream_balancer;

    proxy_redirect                          off;
  }
}

The result is that /authenticate always returns HTTP 503 (with the x-test header). Message from the ingress access logs:

<ip> - [<ip>] - - [04/Jan/2019:15:22:07 +0000] "POST /authenticate HTTP/2.0" 503 197 "-" "curl/7.54.0" 172 0.000 [-] - - - - 1a63c9825c9795be1378b2547e29992d

I suspect this might be because of a conflict between the nested location block and proxy_pass (but this is just a wild guess).

What other options have I tried?

  • using the server-snippet annotation instead of configuration-snippet: /authenticate returns 404 because proxy_pass is not configured
  • using the nginx.ingress.kubernetes.io/limit-rpm annotation: forces the rate limit on the whole application, which is not what I want.

The question is: why does the custom location block respond with 503? How can I debug this? Will increasing the nginx logging level give more details about the 503? Or, more generally: can I inject custom location blocks in ingress-nginx?

Recommended answer

This can be done by using map and the fact that requests with an empty key value are not accounted.

http-snippet: |
  map $uri $with_limit_req {
    default 0;
    "~*^/authenticate$" 1;
  }
  map $with_limit_req $auth_limit_req_key {
    default '';
    '1'     $binary_remote_addr; # the limit key
  }
  limit_req_zone $auth_limit_req_key zone=authentication_ratelimit:10m rate=1r/s;

And use the annotation to add a custom location block:

nginx.ingress.kubernetes.io/configuration-snippet: |
  limit_req zone=authentication_ratelimit nodelay;

Or, if you use the ingress controller from nginxinc:

nginx.org/location-snippets: |
  limit_req zone=authentication_ratelimit nodelay;

In this case, the check of whether a request needs to be rate-limited is processed at map level.

And my opinion: it is better to limit requests at the app level, as if you make the rate limit at the ingress level, it depends on the count of ingress pods.
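As an added illustration (not code from the question or the answer), the Python model below mirrors what the answer's two map blocks and limit_req_zone do, and why the closing remark about the pod count matters: each ingress pod keeps its own zone, so one client gets roughly pods × rate through. The sample traffic and client IP are constructed; the drain formula follows nginx's leaky bucket in request units.

```python
import re
from dataclasses import dataclass, field

RATE = 1.0   # rate=1r/s from the answer's limit_req_zone
BURST = 0    # "limit_req zone=... nodelay" with no burst= argument
AUTH_PATH = re.compile(r"^/authenticate$", re.IGNORECASE)  # the "~*^/authenticate$" map key


def auth_limit_req_key(uri: str, client_ip: str) -> str:
    """Mirror the two map blocks: only /authenticate yields a (non-empty) key."""
    return client_ip if AUTH_PATH.match(uri) else ""


@dataclass
class LimitReqZone:
    """Leaky bucket of one limit_req_zone, as kept by a single ingress pod."""
    rate: float = RATE
    burst: int = BURST
    state: dict = field(default_factory=dict)  # key -> (excess, time of last accepted hit)

    def check(self, key: str, now: float) -> int:
        """Status nginx would return: 200 (passed) or 503 (default limit_req_status)."""
        if key == "":
            return 200  # empty key: limit_req does not account the request at all
        if key not in self.state:
            self.state[key] = (0.0, now)
            return 200
        excess, last = self.state[key]
        # nginx's formula in request units: drain since the last hit, then add this request
        excess = max(0.0, excess - (now - last) * self.rate + 1.0)
        if excess > self.burst:
            return 503  # a rejected request leaves the stored state untouched
        self.state[key] = (excess, now)
        return 200


def simulate(pods: int, requests):
    """Round-robin (time, uri, ip) requests over `pods` independent zones."""
    zones = [LimitReqZone() for _ in range(pods)]
    return [zones[i % pods].check(auth_limit_req_key(uri, ip), t)
            for i, (t, uri, ip) in enumerate(requests)]


# Constructed traffic: one client posting to /authenticate 5 times per second for 2 s,
# and one request to a path the maps exempt from the limit.
LOGIN_FLOOD = [(i / 5, "/authenticate", "10.0.0.7") for i in range(10)]
OTHER_PATH = [(0.1, "/", "10.0.0.7")]

if __name__ == "__main__":
    print("1 pod :", simulate(1, LOGIN_FLOOD).count(200), "of 10 passed")  # 2
    print("3 pods:", simulate(3, LOGIN_FLOOD).count(200), "of 10 passed")  # 6
    print("/ never limited:", simulate(1, OTHER_PATH))                      # [200]
```

With one pod the client gets one login attempt per second; with three pods behind the same Service the same client gets three, which is the answer's argument for enforcing the limit in the application.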
