当前位置: 文江博客话题详情

根据ip限制页面访问次数

发布于 2024-12-29 19:45:09 字数 191 浏览 0 评论 0原文

我想知道如何防止单个 IP 地址占用过多带宽并快速访问我的网页。也就是说,检查用户的 IP 地址(我认为 $_SERVER['REMOTE_ADDR']?),检查该用户的最新访问,计算时间差,如果间隔很短则阻止渲染页面。我说得对吗?如果是这样,我怎样才能做到这一点而不消耗服务器上太多的资源和/或时间?如果有数据库的方法,是不是会导致锁太多?

原文

I wanted to know how can I prevent a single ip address from using too much bandwidth and rapidly access my webpages. That is, checking the user's ip address (I think $_SERVER['REMOTE_ADDR']?), check for latest visit from this user, compute time difference and block rendering the page if the interval is short. Am I right? If so, how can I do it without consuming too much resource and/or time on the server? If there is a database approach, isn't it going cause too many locks?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

可是我不能没有你 2025-01-05 19:45:09

最好的方法取决于您想要阻止的人。如果是真正的用户不断刷新页面,那么(a)您真的想阻止他们吗?他们是您的用户!?,(b)您可以使用基于会话的方法来避免数据库命中。如果是机器人,那么您不能依赖会话(因为它们可能不会发送会话标头,或者它们当前可能发送会话标头,但它们是会绕过它的恶意机器人)。

如果是真正的用户,那么假设您可以设置会话 cookie,您会想要这样的东西:

<?php
$min_seconds_between_refreshes = 3;

session_start();

if(array_key_exists('last_access', $_SESSION) && time()-$min_seconds_between_refreshes <= $_SESSION['last_access']) {
  // The user has been here at least $min_seconds_between_refreshes seconds ago - block them
  exit('You are refreshing too quickly, please wait a few seconds and try again.');
}
// Record now as their last access time
$_SESSION['last_access'] = time();
?>

如果是机器人,那么您可能会实现具有类似逻辑的基于数据库的解决方案。

事实上,这两种情况的正确解决方案可能是在应用程序服务器前面放置一个缓存代理服务器。这将减少主应用程序服务器上的负载,并且意味着您不必太担心此类情况。

The best approach depends on who you're trying to block. If it's genuine users who are constantly refreshing the page, then (a) do you really want to block them - they're your users!?, and (b) You can use a session-based approach to avoid DB hits. If it's bots then you can't rely on sessions (because they may not be sending the session headers, or they may be currently but are malicious bots who will get around it).

If it is genuine users, then assuming you're OK with setting session cookies, you'll want something like this:

<?php
$min_seconds_between_refreshes = 3;

session_start();

if(array_key_exists('last_access', $_SESSION) && time()-$min_seconds_between_refreshes <= $_SESSION['last_access']) {
  // The user has been here at least $min_seconds_between_refreshes seconds ago - block them
  exit('You are refreshing too quickly, please wait a few seconds and try again.');
}
// Record now as their last access time
$_SESSION['last_access'] = time();
?>

If it's bots then you'll probably implement a database-based solution with similar logic.

In fact the correct solution in both cases is probably a caching proxy server in front of your application server. This will reduce load on your main app server and mean you won't have to worry so much about situations like this.

回复 原文
弄潮 2025-01-05 19:45:09

Apache mod_bandwidth 允许控制某些 IP

,即 BandWidth;

https://httpd.apache.org/文档/trunk/mod/mod_ratelimit.html

Apache mod_bandwidth allows to control certain IPs

i.e. BandWidth <domain|ip|all> <rate>

https://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html

回复 原文
婴鹅 2025-01-05 19:45:09

这是使用 Memcache 的洪水检测代码。如果用户在一分钟内访问超过 50 次,他就会被屏蔽 300 秒。远程地址用于识别客户端。

<?php 

$limit = 50; 
$seconds = 60;  
$block_for_seconds = 300;

$status = 'OK';

$memcache = new Memcache;
$memcache->connect('localhost', 11211);

$ip = $_SERVER['REMOTE_ADDR'];

$r = $memcache->get($ip, array('c', 't'));

$c = 1; // count
$init_time = time();
if($r) {
  $s = $r[3]; // status
  $c = $r[0]+1;
  $init_time = $r[1];
  if($s == 'TOO_MANY_REQUESTS') {
    $d = time()-$r[1]; // time since block
    if($block_for_seconds-$d > 0) {  // still blocked
      die('Flood detected!! You are going to wait '.($block_for_seconds-$d).' and try again.');
    } else {  // block is over
      $status = 'OK';
      $init_time = time();
      $c = 0;
    }
  }

  $new_time = time();
  if($c > $limit) {  // check if happened within a minute
    $time_elapsed = $new_time - $init_time;
    if($time_elapsed < $seconds) {  
      $status = 'TOO_MANY_REQUESTS'; 
    }
    print "time elapsed: $time_elapsed, count:$c";
    $c = 0;
    $init_time = time();
  }
}
print_r($r);
$memcache->set($ip, array($c, $init_time, $new_time, $status) );
?>

Here is the flood detection code that uses Memcache. If the user exceeds 50 visits within a minute, he's blokcked for 300 seconds. Remote address is used to identify the client.

<?php 

$limit = 50; 
$seconds = 60;  
$block_for_seconds = 300;

$status = 'OK';

$memcache = new Memcache;
$memcache->connect('localhost', 11211);

$ip = $_SERVER['REMOTE_ADDR'];

$r = $memcache->get($ip, array('c', 't'));

$c = 1; // count
$init_time = time();
if($r) {
  $s = $r[3]; // status
  $c = $r[0]+1;
  $init_time = $r[1];
  if($s == 'TOO_MANY_REQUESTS') {
    $d = time()-$r[1]; // time since block
    if($block_for_seconds-$d > 0) {  // still blocked
      die('Flood detected!! You are going to wait '.($block_for_seconds-$d).' and try again.');
    } else {  // block is over
      $status = 'OK';
      $init_time = time();
      $c = 0;
    }
  }

  $new_time = time();
  if($c > $limit) {  // check if happened within a minute
    $time_elapsed = $new_time - $init_time;
    if($time_elapsed < $seconds) {  
      $status = 'TOO_MANY_REQUESTS'; 
    }
    print "time elapsed: $time_elapsed, count:$c";
    $c = 0;
    $init_time = time();
  }
}
print_r($r);
$memcache->set($ip, array($c, $init_time, $new_time, $status) );
?>
回复 原文
~没有更多了~

关于作者

风蛊

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

jsonder

文章 0 评论 0

給妳壹絲溫柔

文章 0 评论 0

北笙凉宸

文章 0 评论 0

国产ˉ祖宗

文章 0 评论 0

月下客

文章 0 评论 0

梦行七里

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文