如何对托管在Cloud Run上的Golang服务器进行速率限制?

huangapple go评论89阅读模式
英文:

How do you rate limit a Golang server hosted on Cloud Run?

问题

由于Cloud Run是“无状态”的,我假设状态在请求之间不会持续存在,所以创建一个IP地址映射表是行不通的。或者类似于limiter这样的工具可以起作用吗?

英文:

Since Cloud run is "stateless", I'm assuming state doesn't persist between requests, so creating a map of ip addresses would not work. Or would something like limiter work?

答案1

得分: 1

一个请求由一个请求处理程序处理,该处理程序具有请求范围,而您的限制器具有全局范围。

让我用一些代码来说明。我们有请求范围的变量i和全局范围的变量j。此外,我们还有一个全局限制器。

因此,限制器和j只有一个实例,但对于每个请求,都会创建一个名为i的变量,并且该变量对于该请求是唯一的。

package main

import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"sync/atomic"
	"time"

	"github.com/ulule/limiter/v3"
	"github.com/ulule/limiter/v3/drivers/middleware/stdlib"
	"github.com/ulule/limiter/v3/drivers/store/memory"
)

var bind string

func init() {
	// 将绑定地址设置为可配置
	flag.StringVar(&bind, "bind", ":9090", "address to bind to")
}

func main() {
	flag.Parse()

	// 您想要使用的速率
	// 我们在这里使用不寻常的值进行测试
	rate := limiter.Rate{
		Period: 5 * time.Second,
		Limit:  1,
	}

	// 我们使用内存存储器是为了简单起见。
	// 此外,作为一种安全措施,持久性可能会引入
	// 不必要的复杂性以及攻击点本身
	// 通过过载持久性机制。
	l := limiter.New(memory.NewStore(), rate)

	middleware := stdlib.NewMiddleware(l)

	// 为了进一步澄清,我们添加了一个全局范围的计数器
	var j uint64

	// 我们告诉http服务器接收/hello的请求...
	http.Handle("/hello",
		// 将它们通过全局范围的中间件
		// 它将强制执行速率限制并...
		middleware.Handler(

			// 如果未达到限制,则执行实际的http.Handler。
			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

				// 请求范围...
				var i int
				// 所以在递增后,i将始终为1
				i++

				// 但我们也递增了全局范围的j。
				// 由于多个goroutine可能同时访问j,我们需要
				// 采取原子操作的预防措施。
				atomic.AddUint64(&j, 1)

				w.Write([]byte(
					fmt.Sprintf("Hello, world!\nrequest scoped i: %d, global scoped j:%d\n", i, atomic.LoadUint64(&j)))))
			)))

	// 最后但并非最不重要的是,我们启动服务器
	log.Printf("Starting server bound to '%s'", bind)
	log.Fatal(http.ListenAndServe(bind, nil))
}

现在,当我们运行此代码并使用curl调用URL时,我们会得到一个响应(限制没有生效),并且ij都具有值1。

$ curl -iv --no-keepalive http://localhost:9090/hello
*   Trying ::1:9090...
* Connected to localhost (::1) port 9090 (#0)
> GET /hello HTTP/1.1
> Host: localhost:9090
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< X-Ratelimit-Limit: 1
X-Ratelimit-Limit: 1
< X-Ratelimit-Remaining: 0
X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 1588596822
X-Ratelimit-Reset: 1588596822
< Date: Mon, 04 May 2020 12:53:37 GMT
Date: Mon, 04 May 2020 12:53:37 GMT
< Content-Length: 53
Content-Length: 53
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

< 
Hello, world!
request scoped i: 1, global scoped j:1
* Connection #0 to host localhost left intact

如果我们在5秒内再次调用URL,速率限制器将生效,并拒绝我们的访问:

$ curl -iv --no-keepalive http://localhost:9090/hello
*   Trying ::1:9090...
* Connected to localhost (::1) port 9090 (#0)
> GET /hello HTTP/1.1
> Host: localhost:9090
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 429 Too Many Requests
HTTP/1.1 429 Too Many Requests
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-Ratelimit-Limit: 1
X-Ratelimit-Limit: 1
< X-Ratelimit-Remaining: 0
X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 1588596822
X-Ratelimit-Reset: 1588596822
< Date: Mon, 04 May 2020 12:53:38 GMT
Date: Mon, 04 May 2020 12:53:38 GMT
< Content-Length: 15
Content-Length: 15

< 
Limit exceeded
* Connection #0 to host localhost left intact

并且,在等待几秒钟后,我们再次调用URL,全局范围的变量递增,而请求范围的变量再次为1:

$ curl -iv --no-keepalive http://localhost:9090/hello
*   Trying ::1:9090...
* Connected to localhost (::1) port 9090 (#0)
> GET /hello HTTP/1.1
> Host: localhost:9090
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< X-Ratelimit-Limit: 1
X-Ratelimit-Limit: 1
< X-Ratelimit-Remaining: 0
X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 1588596884
X-Ratelimit-Reset: 1588596884
< Date: Mon, 04 May 2020 12:54:39 GMT
Date: Mon, 04 May 2020 12:54:39 GMT
< Content-Length: 53
Content-Length: 53
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

< 
Hello, world!
request scoped i: 1, global scoped j:2
* Connection #0 to host localhost left intact
英文:

A request is handled by a request handler which is request scoped, whereas your limiter has a global scope.

Let me illustrate that with some code. We have the request scoped variable i and
the globally scoped variable j. Furthermore, we have a global limiter.

So there is exactly one instance of the limiter and j, but for reach request a variable named i is created and distinct for that request.

package main

import (
	&quot;flag&quot;
	&quot;fmt&quot;
	&quot;log&quot;
	&quot;net/http&quot;
	&quot;sync/atomic&quot;
	&quot;time&quot;

	&quot;github.com/ulule/limiter/v3&quot;
	&quot;github.com/ulule/limiter/v3/drivers/middleware/stdlib&quot;
	&quot;github.com/ulule/limiter/v3/drivers/store/memory&quot;
)

var bind string

func init() {
	// Make the bind address configurable
	flag.StringVar(&amp;bind, &quot;bind&quot;, &quot;:9090&quot;, &quot;address to bind to&quot;)
}

func main() {
	flag.Parse()

	// The rate you want to employ
	// We use unusual values here for testing purposes
	rate := limiter.Rate{
		Period: 5 * time.Second,
		Limit:  1,
	}

	// We use an in-memory store for the sake of simplicity.
	// Furthermore, as a security measure, persistence might introduce
	// an unneccessary complexity as well as a point of attack itself
	// by overloading the persistence mechanism.
	l := limiter.New(memory.NewStore(), rate)

	middleware := stdlib.NewMiddleware(l)

	// for further clarification, we add a globally scoped counter
	var j uint64

	// We tell the http server to take requests to /hello...
	http.Handle(&quot;/hello&quot;,
		// put them through or globally scoped middleware
		// which will enfore the rate limit and...
		middleware.Handler(

			// executes the actual http.Handler if the limit is not reached.
			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

				// request scoped...
				var i int
				// so i will always be 1 after increment
				i++

				// But we also increment our globally scoped j.
				// Since multiple goroutines might access j simultaneously, we need
				// to take the precaution of an atomic operation.
				atomic.AddUint64(&amp;j, 1)

				w.Write([]byte(
					fmt.Sprintf(&quot;Hello, world!\nrequest scoped i: %d, global scoped j:%d\n&quot;, i, atomic.LoadUint64(&amp;j))))
			})))

	// Last but not least we start the server
	log.Printf(&quot;Starting server bound to &#39;%s&#39;&quot;, bind)
	log.Fatal(http.ListenAndServe(bind, nil))
}

Now, when we run this code and call the URL with curl, we get a response (limit did not kick in) and both i and j have a value of 1.

$ curl -iv --no-keepalive http://localhost:9090/hello
*   Trying ::1:9090...
* Connected to localhost (::1) port 9090 (#0)
&gt; GET /hello HTTP/1.1
&gt; Host: localhost:9090
&gt; User-Agent: curl/7.69.1
&gt; Accept: */*
&gt; 
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 200 OK
HTTP/1.1 200 OK
&lt; X-Ratelimit-Limit: 1
X-Ratelimit-Limit: 1
&lt; X-Ratelimit-Remaining: 0
X-Ratelimit-Remaining: 0
&lt; X-Ratelimit-Reset: 1588596822
X-Ratelimit-Reset: 1588596822
&lt; Date: Mon, 04 May 2020 12:53:37 GMT
Date: Mon, 04 May 2020 12:53:37 GMT
&lt; Content-Length: 53
Content-Length: 53
&lt; Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

&lt; 
Hello, world!
request scoped i: 1, global scoped j:1
* Connection #0 to host localhost left intact

If we call the URL again within 5 seconds, the rate limiter kicks in, and denies us access:

$ curl -iv --no-keepalive http://localhost:9090/hello
*   Trying ::1:9090...
* Connected to localhost (::1) port 9090 (#0)
&gt; GET /hello HTTP/1.1
&gt; Host: localhost:9090
&gt; User-Agent: curl/7.69.1
&gt; Accept: */*
&gt; 
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 429 Too Many Requests
HTTP/1.1 429 Too Many Requests
&lt; Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
&lt; X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
&lt; X-Ratelimit-Limit: 1
X-Ratelimit-Limit: 1
&lt; X-Ratelimit-Remaining: 0
X-Ratelimit-Remaining: 0
&lt; X-Ratelimit-Reset: 1588596822
X-Ratelimit-Reset: 1588596822
&lt; Date: Mon, 04 May 2020 12:53:38 GMT
Date: Mon, 04 May 2020 12:53:38 GMT
&lt; Content-Length: 15
Content-Length: 15

&lt; 
Limit exceeded
* Connection #0 to host localhost left intact

And, after several seconds of waiting, we call the URL again, the globally scoped variable increments, whereas the request scoped variable again is 1:

$ curl -iv --no-keepalive http://localhost:9090/hello
*   Trying ::1:9090...
* Connected to localhost (::1) port 9090 (#0)
&gt; GET /hello HTTP/1.1
&gt; Host: localhost:9090
&gt; User-Agent: curl/7.69.1
&gt; Accept: */*
&gt; 
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 200 OK
HTTP/1.1 200 OK
&lt; X-Ratelimit-Limit: 1
X-Ratelimit-Limit: 1
&lt; X-Ratelimit-Remaining: 0
X-Ratelimit-Remaining: 0
&lt; X-Ratelimit-Reset: 1588596884
X-Ratelimit-Reset: 1588596884
&lt; Date: Mon, 04 May 2020 12:54:39 GMT
Date: Mon, 04 May 2020 12:54:39 GMT
&lt; Content-Length: 53
Content-Length: 53
&lt; Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

&lt; 
Hello, world!
request scoped i: 1, global scoped j:2
* Connection #0 to host localhost left intac

huangapple
  • 本文由 发表于 2020年5月4日 08:39:03
  • 转载请务必保留本文链接:https://go.coder-hub.com/61583486.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定