Web安全 之 限流

本文示例基于Laravel框架 代码参考security-rate-limiting

目录

• 开始

• Controller

• Route

• Throttle

• HTTP

开始

composer create-project laravel/laravel security-rate-limiting --prefer-dist "5.5.*"

# cd security-rate-limiting
vim composer.json

# add dingo/api to require
"dingo/api": "2.0.0-alpha1"

composer update

php artisan vendor:publish --provider="Dingo\Api\Provider\LaravelServiceProvider"

vim .env

# add api config to .env
API_STANDARDS_TREE=prs
API_SUBTYPE=queue
API_PREFIX=api
API_VERSION=v1
API_DEBUG=true

Controller

php artisan make:controller Api/VerificationCodesController

vim app/Http/Controllers/Api/VerificationCodesController.php

<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Dingo\Api\Routing\Helpers;

class VerificationCodesController extends Controller
{
    use Helpers;

    public function store()
    {
        return $this->response->array(['send-sms'=>'code: 4762']);
    }
}

Route

vim routes/api.php

<?php

$api = app('Dingo\Api\Routing\Router');

$api->version('v1', [
    'namespace' => 'App\Http\Controllers\Api'
],function($api) {
    $api->post('verificationCodes', 'VerificationCodesController@store')
        ->name('api. verificationCodes.store');
});

• 测试

php artisan serve

curl -X POST localhost:8000/api/verificationCodes | json

{
  "send-sms": "code: 4762"
}

Throttle

vim routes/api.php

<?php

$api = app('Dingo\Api\Routing\Router');

$api->version('v1', [
    'namespace' => 'App\Http\Controllers\Api'
],function($api) {
    $api->group([
        'middleware' => 'api.throttle',
        'limit' => 1,
        'expires' => 1, # 1 minute
    ], function($api) {
        $api->post('verificationCodes', 'VerificationCodesController@store')
            ->name('api. verificationCodes.store');
    });
});

• 测试

php artisan serve

curl -X POST localhost:8000/api/verificationCodes | json

{
  "send-sms": "code: 4762"
}

# 1分钟内
curl -X POST localhost:8000/api/verificationCodes | json

{
  "message": "You have exceeded your rate limit.",
  "status_code": 429,
  "debug": {
    "line": 67,
    "file": "/Users/kevin/Workspace/laravel-tutorial/security-rate-limiting/vendor/dingo/api/src/Http/Middleware/RateLimit.php",
    "class": "Dingo\\Api\\Exception\\RateLimitExceededException",
    "trace": [
      "#0 /Users/kevin/Workspace/laravel-tutorial/security-rate-limiting/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(149): Dingo\\Api\\Http\\Middleware\\RateLimit->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))",
      # 这里省略了异常栈详情
    ]
  }
}

# 1分钟后
curl -X POST localhost:8000/api/verificationCodes | json

{
  "send-sms": "code: 4762"
}

HTTP

curl -X POST -I localhost:8000/api/verificationCodes

HTTP/1.0 200 OK
Host: localhost:8000
Date: Tue, 10 Apr 2018 07:51:05 +0000
Connection: close
X-Powered-By: PHP/7.1.15
Cache-Control: private, must-revalidate
Date: Tue, 10 Apr 2018 07:51:05 GMT
Content-Type: application/json
X-RateLimit-Limit: 1
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1523346725
ETag: "195f575b39c5943c3e42ce6c5c8c4f316418886b"

# 1分钟内
curl -X POST -I localhost:8000/api/verificationCodes

HTTP/1.0 429 Too Many Requests
Host: localhost:8000
Date: Tue, 10 Apr 2018 07:51:21 +0000
Connection: close
X-Powered-By: PHP/7.1.15
X-RateLimit-Limit: 1
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1523346725
Retry-After: 44
Cache-Control: no-cache, private
Date: Tue, 10 Apr 2018 07:51:21 GMT
Content-Type: application/json

# 1分钟后
curl -X POST -I localhost:8000/api/verificationCodes

HTTP/1.0 200 OK
Host: localhost:8000
Date: Tue, 10 Apr 2018 07:52:12 +0000
Connection: close
X-Powered-By: PHP/7.1.15
Cache-Control: private, must-revalidate
Date: Tue, 10 Apr 2018 07:52:12 GMT
Content-Type: application/json
X-RateLimit-Limit: 1
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1523346792
ETag: "195f575b39c5943c3e42ce6c5c8c4f316418886b"

参考

• 控制器

• 限流 (Rate Limiting)