为了防止网站意外暴增的流量比如活动、秒杀、攻击等,导致整个系统瘫痪,在前后端接口服务处进行流量限制是非常有必要的。本篇主要介绍下Net限流框架WebApiThrottle的使用。
WebApiThrottle是一个专门为webApi限制请求频率而设计的,支持寄宿OWIN上的中间件的限制过滤。服务端接口可以基于客户端请求IP地址、客户端请求key、及请求路由去限制webapi接口的访问频率。
下面的代码是限制来自同IP请求的最大次数。如果在一分钟内,同样IP的客户端分别调用api/values和api/values/1两个接口, 那么调用api/values/1的请求会被拒绝掉。
IP和客户端key自定义限制频率
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.MessageHandlers.Add(new ThrottlingHandler()
{
Policy = new ThrottlePolicy(perSecond: , perMinute: , perHour: , perDay: , perWeek: )
{
IpThrottling = true
},
Repository = new CacheRepository()
});
}
}
config.MessageHandlers.Add(new ThrottlingHandler()
{
Policy = new ThrottlePolicy(perSecond: , perMinute: , perHour: , perDay: )
{
IpThrottling = true,
IpRules = new Dictionary<string, RateLimits>
{
{ "192.168.1.1", new RateLimits { PerSecond = } },
{ "192.168.2.0/24", new RateLimits { PerMinute = , PerHour = *, PerDay = ** } }
}, ClientThrottling = true,
ClientRules = new Dictionary<string, RateLimits>
{
{ "api-client-key-1", new RateLimits { PerMinute = , PerHour = } },
{ "api-client-key-9", new RateLimits { PerDay = } }
}
},
Repository = new CacheRepository()
});
用ThrottlingFilter、EnableThrottlingAttribute特性配置限制频率
EnableThrottling与ThrottlingHandler是一个二选一的策略配置方案,二者会做同样的事情,但ThrottlingHandler可以通过EnableThrottlingAttribute特性指定某个webapi的controllers和actions去自定义频率限制。需要注意的是,在webapi请求管道中,ThrottlingHandler是在controller前面执行,因此在你不需要ThrottlingFilter提供的功能时,可以用ThrottlingHandler去直接替代它。
设置ThrottlingFilter过滤器的步骤,跟ThrottlingHandler类似
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API 配置和服务 config.SuppressDefaultHostAuthentication(); config.Filters.Add(new CustomerThrottlingFilter()
{
Policy = new ThrottlePolicy(perMinute: )
{
//scope to IPs
IpThrottling = false, //scope to clients (if IP throttling is applied then the scope becomes a combination of IP and client key)
ClientThrottling = true, //white list API keys that don’t require throttling
ClientWhitelist = new List<string> { "admin-ll" }, //Endpoint rate limits will be loaded from EnableThrottling attribute
EndpointThrottling = true
}
}); }
}
获取API的客户端key
默认情况下,WebApiThrottle的ThrottlingHandler(限流处理器)会从客户端请求head里通过Authorization-Token key取值。如果你的API key存储在不同的地方,你可以重写ThrottlingHandler.SetIndentity方法,指定你自己的取值策略。
public class CustomThrottlingHandler : ThrottlingHandler
{
protected override RequestIdentity SetIndentity(HttpRequestMessage request)
{
return new RequestIdentity()
{
ClientKey = request.Headers.Contains("Authorization-Key") ? request.Headers.GetValues("Authorization-Key").First() : "anon",
ClientIp = base.GetClientIp(request).ToString(),
Endpoint = request.RequestUri.AbsolutePath.ToLowerInvariant()
};
}
}