Go 基于主机地址的http请求速率限制

我使用Go开发了一个HTTP服务器。现在我想实现一个速率限制器，这样我可以检查来自特定IP的HTTP请求是否在1分钟内发送超过10个HTTP请求，我可以将该IP放入一个阻止列表中一段时间，比如（1小时）同时，同一用户在阻塞期间发送请求，我将从HTTP服务器发送429错误响应

我已经为此编写了一个代码，但在这方面我能够阻止IP地址，但在这方面，它解除了所有IP的1小时后的时间。我期待先到先解锁

Package main

import (
    "log"
    "net/http"
    "strings"
    "time"
)

func main() {
    fs := http.FileServer(http.Dir("./html/"))
    http.Handle("/", fs)
    log.Println("Listening..")
    go clearLastRequestsIPs()
    go clearBlockedIPs()
    err := http.ListenAndServe(":8080", middleware(nil))
    if err != nil {
        log.Fatalln(err)
    }
}

// Stores last requests IPs
var lastRequestsIPs []string

// Block IP for 1 hours
var blockedIPs []string

func middleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        ipAddr := strings.Split(r.RemoteAddr, ":")[0]
        if existsBlockedIP(ipAddr) {
            http.Error(w, "", http.StatusTooManyRequests)
            return
        }
        // how many requests the current IP made in last 5 mins
        requestCounter := 0
        for _, ip := range lastRequestsIPs {
            if ip == ipAddr {
                requestCounter++
            }
        }
        if requestCounter >= 1000 {
            blockedIPs = append(blockedIPs, ipAddr)
            http.Error(w, "", http.StatusTooManyRequests)
            return
        }
        lastRequestsIPs = append(lastRequestsIPs, ipAddr)

        if next == nil {
            http.DefaultServeMux.ServeHTTP(w, r)
            return
        }
        next.ServeHTTP(w, r)
    })
}

func existsBlockedIP(ipAddr string) bool {
    for _, ip := range blockedIPs {
        if ip == ipAddr {
            return true
        }
    }
    return false
}

func existsLastRequest(ipAddr string) bool {
    for _, ip := range lastRequestsIPs {
        if ip == ipAddr {
            return true
        }
    }
    return false
}

// Clears lastRequestsIPs array every 1 hrs
func clearLastRequestsIPs() {
    for {
        lastRequestsIPs = []string{}
        time.Sleep(time.Hour * 1)
    }
}

// Clears blockedIPs array every 1 hours
func clearBlockedIPs() {
    for {
        blockedIPs = []string{}
        time.Sleep(time.Hour * 1)
    }
}

---

您可以使用如下中间件：

type Limiter struct {
    ipCount map[string]int
    sync.Mutex
}

var limiter Limiter
func init() {
    limiter.ipCount = make(map[string]int)
}

func limit(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // Get the IP address for the current user.
    ip, _, err := net.SplitHostPort(r.RemoteAddr)
    if err != nil {
      log.Println(err.Error())
      http.Error(w, "Internal Server Error", http.StatusInternalServerError)
      return
    }

    // Get the # of times the visitor has visited in the last 60 seconds
    limiter.Lock()
    count, ok := limiter.ipCount[ip]
    if !ok {
        limiter.ipCount[ip] = 0
    }
    if count > 10 {
      limiter.Unlock()
      http.Error(w, http.StatusText(429), http.StatusTooManyRequests)
      return
    } else {
        limiter.ipCount[ip]++
    }
    time.AfterFunc(time.Second * 60, func() {
        limiter.Lock()
        limiter.ipCount[ip]--
        limiter.Unlock()
    })
    if limiter.ipCount[ip] == 10 {
        // set it to 20 so the decrement timers will only decrease it to
        // 10, and they stay blocked until the next timer resets it to 0
        limiter.ipCount[ip] = 20
        time.AfterFunc(time.Hour, func() {
            limiter.Lock()
            limiter.ipCount[ip] = 0
            limiter.Unlock()
        })
    }
    limiter.Unlock()
    next.ServeHTTP(w, r)
  })
}    

---

使用golang.org/x/time/rate包中的

rate.NewLimiter（）

。

您没有存储IP被阻止或应该被解除阻止的时间。创建由IP和解除阻止时间组成的类型。将新阻止的IP放入该类型的数组（顺便说一句，应该通过互斥锁保护该数组！），每隔几秒钟在该数组上迭代一次，删除过期的阻止IP。这是一种非常幼稚的方法，但应该有效。正确的选择是为每个被阻止的IP设置一个时间计时器，在1h后将其移除。在服务器重新启动的情况下，您可能也希望保留被阻止的IP。此“if limiter.ipCount==10{”处的映射和int错误不匹配