接着上篇文章 https://www.cnblogs.com/mxmbk/p/9569438.html
IP访问限制和黑白名单如何做,需要解决以下几个问题:
1、如何识别正常访问和异常访问?(一段时间同一接口访问次数太多?高峰期和低峰期是否不同?)
2、IP访问异常后拒绝策略是什么?(一段时间访问访问异常接口不能访问?高峰期和低峰期是否不同?)
3、是否不同业务的识别方法和拒绝策略不一样?(有些接口访问频率高,有些访问频率低?)
4、有些业务是否之后IP在白名单中才能访问?(只对第三方提供的接口?)
5、IP访问异常的通知?(请求被识别为异常是否通知到服务维护人员?)
先提出问题,在想解决方案,第一版的简单基于Spring cloud zuul的实现方案如下:
具体实现(基于ZuulFilter的实现):
package com.brightcns.wuxi.citizencard.zuulserver.filter; import com.alibaba.fastjson.JSONObject;
import com.brightcns.wuxi.citizencard.common.feature.exception.SystemException;
import com.brightcns.wuxi.citizencard.common.feature.util.IPUtils;
import com.brightcns.wuxi.citizencard.common.feature.util.MD5Utils;
import com.brightcns.wuxi.citizencard.zuulserver.constants.properties.IPLimitProperty;
import com.brightcns.wuxi.citizencard.zuulserver.limit.AbstractIPLimitStrategy;
import com.brightcns.wuxi.citizencard.zuulserver.limit.IPLimitFactory;
import com.google.common.collect.Lists;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import lombok.extern.slf4j.Slf4j;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import javax.servlet.http.HttpServletRequest;
import java.util.List;
import static com.brightcns.wuxi.citizencard.order.constants.enums.ZuulErrorCode.IP_LIMIT; /**
* @author maxianming
* @date 2018/8/31 10:25
*/
@Slf4j
public class IPLimitFilter extends ZuulFilter {
// 白名单URI
private List<String> excludeUrl = Lists.newArrayList("/health","/info");
// 响应类型
public final String JSON_TYPE = "application/json;charset=UTF-8"; @Override
public String filterType() {
return FilterConstants.PRE_TYPE;
} @Override
public int filterOrder() {
return 0;
} @Override
public boolean shouldFilter() {
RequestContext context = RequestContext.getCurrentContext();
HttpServletRequest request = context.getRequest();
String requestUri = request.getRequestURI();
if (excludeUrl.contains(requestUri)) {
return false;
}
return true;
} @Override
public Object run() {
RequestContext context = RequestContext.getCurrentContext();
HttpServletRequest request = context.getRequest();
String requestIp = IPUtils.getIpAddress(request);
String requestUri = request.getRequestURI();
log.info("网关接受requestIp:[{}], requestUri:[{}]请求", requestIp, requestUri);
try {
AbstractIPLimitStrategy ipLimitStrategy = IPLimitFactory.getIPLimitStragy();
boolean result = ipLimitStrategy.isIPLimit(requestIp, requestUri);
if (result) {
log.info("requestIp:{},requestUri:{}访问限制", requestIp, requestUri);
context.setSendZuulResponse(false);
context.setResponseStatusCode(200);
context.setResponseBody(IP_LIMIT.getCode() + ":" + IP_LIMIT.getMsg());
context.getResponse().setContentType(JSON_TYPE);
}
} catch (Exception e) {
log.error("IP限制异常", e);
}
return null;
} }
1、基于ZuulFilter的简单实现,ZuulFilter的使用可以自行百度,可参考 https://blog.****.net/dream_broken/article/details/77197585
2、63-66行代码 主要是Filter不继续执行其他Filter,响应JSON给调用端
3、59行和60行重点主要采用了策略模式(黑天和白天不同策略)涉及敏感信息 只表明思路
具体思路:
- 采用redis incby 和 expire进行访问次数的统计和有效期的设置
- redis key的生成规则: PREFIX:IP:MD5(uri)
- 黑名单暂时配置文件中配置