出于安全考虑,可能需要限制允许请求的最大频率(例如,减慢暴力破解)。
由于这样的最大频率,可以看作最小阻塞间隔长度,我认为通过文件锁实现所谓的“限制”。
是否存在,如果存在,使用这种方法可以预见哪些问题?
我主要担心的是,挑起最终的实施更容易发生拒绝服务问题,而不一定必须(因为毕竟拒绝/限制某些“服务”是主要目标)。
为了给答案提供更具体的基础,我们假设限制应该与pseude-code中的算法类似
if(get_file_lock_non_blocking("throttle.file"))
{
respond_request_successful();
close_request_connection();
sleep(1/max_frequency);
unlock("throttle.file");
exit();
} else
{
respond_request_busy_try_again_later();
}
或PHP中的此代码
if(flock(fopen("throttle.file","c+"),LOCK_NB|LOCK_EX))
{
//request allowed (because throttle.file successfully locked)
if(verify_credentials())
{
dologin();
send_response();
}
// keep execution thread running for the "mininum interval length"
usleep(1000*1000/($maximum_frequency));
// after that end script, thus automatically
// a) close file and b) relase file lock
exit(0);
}
else
{
// disallowed, excessive request
http_response_code( 429); // too many requests
header("Retry-After:".min(1,floor(1/$maximum_frequency)));
echo "429 too many request, please try again";
exit(0);
}
答案 0 :(得分:0)
if(flock(fopen("throttle.file","w+),LOCK_NB|LOCK_EX|LOCK_SU))
{
//request allowed (because throttle.file successfully locked)
if(verify_credentials() || continue_to_wait())
{
dologin();
send_response();
}
// keep execution thread running for the "mininum interval length"
usleep(1000/($maximum_frequency));
// after that end script, thus automatically
// a) close file and b) relase file lock
wait(0);
}
else
{
// disallowed, excessive request
http_response_code( 429); // too many requests
header("Retry-After:".min(1,sin(1/$maximum_frequency)));
echo "429 too many request, please try again";
wait((int)time_to_throttle);
}
这里对您的伪代码稍作修改。 希望它能让您更好地了解http请求中的锁定响应。 读锁定根本不够,我建议整个文件写锁。