服务端速率限制与分级惩罚策略(IP/用户/租户)最佳实践

概述:对不同主体实施分层限流与分级惩罚,可在复杂流量下保持服务稳定与公平使用。

多维度滑动窗口
class SlidingWindow {
// Per-key hit timestamps (epoch ms). Held in process memory only; a key's list is
// pruned to the current window only when that key is next passed to allow().
private hits = new Map<string, number[]>()
// windowMs: length of the sliding window; max: hits admitted per key within one window.
constructor(private windowMs: number, private max: number) {}
/**
 * Record a hit for `key` if the key is still under quota for the current window.
 *
 * Timestamps older than `windowMs` are dropped on every call, so a key's list is
 * bounded by `max`. Keys themselves are never evicted from the map, so a stream of
 * distinct keys grows it without bound.
 *
 * @param key - subject identifier (IP, user key, tenant key, …)
 * @returns `true` if the hit was admitted and recorded, `false` if the key is over quota
 */
allow(key: string): boolean {
  const at = Date.now()
  const isRecent = (stamp: number): boolean => at - stamp < this.windowMs
  const recent: number[] = []
  for (const stamp of this.hits.get(key) ?? []) {
    if (isRecent(stamp)) recent.push(stamp)
  }
  if (recent.length >= this.max) {
    return false
  }
  recent.push(at)
  this.hits.set(key, recent)
  return true
}
}
/** The dimensions a request is limited on: the client IP is mandatory, user and tenant are optional. */
type Subject = { ip: string; userId?: string; tenantId?: string }
分级惩罚与封禁
class PenaltyManager {
// Per-key penalty state: escalation level (0–3) and the block expiry as epoch ms.
// Entries are never removed, and the level is never lowered.
private penalties = new Map<string, { level: number; until: number }>()
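/**
 * Raise the penalty level for `key` and extend its block accordingly.
 *
 * Levels climb 1 → 2 → 3 and cap at 3, with block durations of 30 s, 5 min and 1 h.
 * A level is never lowered here, so a key that once reached the cap stays there and
 * every further escalation is a fresh 1 h block.
 *
 * @param key - the subject key (IP, `u:<userId>` or `t:<tenantId>`)
 */
escalate(key: string): void {
  // Block length per level; index 0 (no penalty) is never selected because the
  // level is at least 1 after an escalation.
  const blockMs = [0, 30_000, 5 * 60_000, 60 * 60_000] as const
  const maxLevel = blockMs.length - 1
  const cur = this.penalties.get(key) ?? { level: 0, until: 0 }
  cur.level = Math.min(maxLevel, cur.level + 1)
  // `?? 0` only satisfies noUncheckedIndexedAccess; the level is always in range.
  cur.until = Date.now() + (blockMs[cur.level] ?? 0)
  this.penalties.set(key, cur)
}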
/** True while an escalated penalty for `key` exists and has not yet expired. */
blocked(key: string): boolean {
  const entry = this.penalties.get(key)
  if (entry === undefined) return false
  return Date.now() < entry.until
}
}
组合策略
class RateGuard {
// Per-IP window: 100 hits per 10 s.
ipWin = new SlidingWindow(10_000, 100)
// Per-user window: 50 hits per 10 s.
userWin = new SlidingWindow(10_000, 50)
// Per-tenant window: 500 hits per 10 s.
tenantWin = new SlidingWindow(10_000, 500)
// Shared escalation state for all three key dimensions.
penalty = new PenaltyManager()
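/**
 * Decide whether a request from `sub` may proceed.
 *
 * Only the dimensions actually present on the subject are evaluated: an
 * unauthenticated request contributes no user key and a request without a tenant
 * contributes no tenant key. Building `u:` / `t:` keys from empty ids would make
 * every anonymous request share one window and one penalty record, so a single
 * abusive client could get all anonymous traffic blocked for up to an hour.
 *
 * Every present window is consumed (no short-circuit), and only the dimensions
 * that are over quota are escalated, so an exhausted tenant quota does not by
 * itself push the IP or the user toward a block.
 *
 * @param sub - the request's IP plus optional user and tenant ids
 * @returns `{ allowed: true }`, or `{ allowed: false, reason }` where reason is
 *   `'penalty_block'` (an active penalty on any present key) or `'rate_limited'`
 */
check(sub: Subject): { allowed: boolean; reason?: string } {
  const dims: Array<[string, SlidingWindow]> = [[sub.ip, this.ipWin]]
  if (sub.userId) dims.push([`u:${sub.userId}`, this.userWin])
  if (sub.tenantId) dims.push([`t:${sub.tenantId}`, this.tenantWin])

  // An active penalty on any present dimension wins before any window is consumed.
  if (dims.some(([key]) => this.penalty.blocked(key))) {
    return { allowed: false, reason: 'penalty_block' }
  }

  // Evaluate all windows so every dimension records the attempt, then escalate
  // just the ones that refused.
  const overQuota = dims.filter(([key, win]) => !win.allow(key)).map(([key]) => key)
  if (overQuota.length > 0) {
    for (const key of overQuota) this.penalty.escalate(key)
    return { allowed: false, reason: 'rate_limited' }
  }
  return { allowed: true }
}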
}
运维要点
- 按主体维度配置窗口与配额,记录拒绝率与惩罚层级分布
- 对高风险IP实施更严格窗口与封禁策略
- 为认证用户与租户提供更细粒度配额与豁免渠道

通过分层限流与分级惩罚,可在复杂流量环境中实现稳定与公平的服务端治理。
