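概览

Edge Middleware 可在请求抵达应用前进行速率限制与机器人拦截。通过简化的 Token Bucket 与基于 UA/路径的拦截策略,降低恶意访问与爬虫的影响,同时尽量保持合法用户体验。需要注意:限流的有效性完全取决于客户端标识(IP)是否可信,而 UA 匹配只能作为提示而非证据。

middleware.ts

import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

/**
 * Per-client token buckets.
 *
 * This Map lives inside ONE edge isolate: it is not shared across regions or
 * instances and is lost when the isolate is recycled. Treat it as best-effort
 * and back it with KV/Redis/Durable Objects in production.
 */
const buckets = new Map<string, { tokens: number; ts: number }>()
/** Requests one client key may make per WINDOW (also the bucket capacity). */
const RATE = 60
/** Refill window in milliseconds; one token accrues every WINDOW / RATE ms. */
const WINDOW = 60_000
/** Soft cap on tracked clients; crossing it triggers a sweep of idle buckets. */
const MAX_BUCKETS = 10_000
/** Longest client key stored — the attacker controls header length, we do not. */
const MAX_KEY_LEN = 64
/**
 * Hoisted UA heuristic. Trivially spoofed and it also matches well-behaved
 * crawlers (e.g. search engines), so it is a hint, not proof of automation.
 */
const BOT_UA = /bot|crawler|spider|crawling/i

/**
 * Drop buckets idle for at least one full WINDOW so spoofed keys cannot grow
 * the Map without bound. If every bucket is active the Map may still exceed
 * MAX_BUCKETS — this is a soft cap, not a hard memory guarantee.
 */
function sweep(now: number): void {
  for (const [key, b] of buckets) {
    if (now - b.ts >= WINDOW) buckets.delete(key)
  }
}

/**
 * Token-bucket admission check for one client key.
 *
 * Refill is continuous and proportional to elapsed time. The previous version
 * refilled only in whole-WINDOW steps while resetting `ts` on every call, so a
 * client that kept requesting more often than once per WINDOW never refilled
 * after its first burst and stayed locked out.
 *
 * @param ip  Client key (see clientKey). Callers must ensure it is trustworthy.
 * @param now Current time in ms; injectable for tests, defaults to Date.now().
 * @returns true if the request is admitted and a token was consumed.
 */
function allow(ip: string, now: number = Date.now()): boolean {
  const b = buckets.get(ip) ?? { tokens: RATE, ts: now }
  const elapsed = Math.max(0, now - b.ts)
  b.tokens = Math.min(RATE, b.tokens + (elapsed * RATE) / WINDOW)
  b.ts = now
  if (b.tokens < 1) {
    // Persist the partial refill so a denied client still accrues tokens.
    buckets.set(ip, b)
    return false
  }
  b.tokens -= 1
  // Only a brand-new key can grow the Map; sweep before inserting past the cap.
  if (!buckets.has(ip) && buckets.size >= MAX_BUCKETS) sweep(now)
  buckets.set(ip, b)
  return true
}

/**
 * Seconds until the given key has a whole token again, for the Retry-After
 * header. Never less than 1.
 */
function retryAfterSeconds(ip: string): number {
  const b = buckets.get(ip)
  if (!b) return 1
  const deficit = Math.max(0, 1 - b.tokens)
  return Math.max(1, Math.ceil((deficit * WINDOW) / RATE / 1000))
}

/**
 * Derive the rate-limit key for a request.
 *
 * SECURITY: X-Forwarded-For is client-controlled unless the proxy in front of
 * this middleware overwrites it (appending is not enough). Without that
 * guarantee an attacker gets a fresh bucket per spoofed value and the limiter
 * is bypassed. Prefer the platform-supplied IP, take a single hop from XFF
 * (the first hop is only right when the proxy overwrites; if it appends, the
 * rightmost trusted hop is the one to use — adjust for your topology), and
 * bound the key length. Requests with no usable IP share one "unknown" bucket,
 * so a single abuser can exhaust it for every such client — confirm this is
 * the policy you want rather than failing open for them.
 */
function clientKey(req: NextRequest): string {
  // NextRequest.ip is populated by the hosting platform and absent when
  // self-hosted; newer Next.js versions dropped it from the type, hence the
  // widening cast instead of a direct property access.
  const platformIp = (req as NextRequest & { ip?: string }).ip
  const xff = req.headers.get('x-forwarded-for')
  const firstHop = xff?.split(',')[0]?.trim()
  const key = platformIp || firstHop || 'unknown'
  return key.slice(0, MAX_KEY_LEN)
}

/**
 * Heuristic "should this request be refused outright" check.
 *
 * The UA test is a weak signal (see BOT_UA). The path rules are really an
 * access policy, not a bot signal: nothing reaches /admin or source maps via
 * this middleware regardless of UA. NOTE(review): that also locks out
 * legitimate administrators — confirm /admin is served from another entry
 * point before shipping.
 */
function isBot(req: NextRequest): boolean {
  const ua = req.headers.get('user-agent') ?? ''
  if (BOT_UA.test(ua)) return true
  const p = req.nextUrl.pathname
  return p.startsWith('/admin') || p.endsWith('.map')
}

/**
 * Edge entry point: refuse suspected bots with 403, then rate-limit per
 * client key with 429 (+ Retry-After), otherwise pass the request through.
 * Bot refusals happen before the bucket check so they do not consume tokens.
 */
export function middleware(req: NextRequest): NextResponse {
  if (isBot(req)) {
    return new NextResponse('Forbidden', { status: 403 })
  }
  const key = clientKey(req)
  if (!allow(key)) {
    return new NextResponse('Too Many Requests', {
      status: 429,
      headers: { 'Retry-After': String(retryAfterSeconds(key)) },
    })
  }
  return NextResponse.next()
}

/**
 * Run on everything except Next internals, static assets and the health
 * check. The negative lookahead is prefix-based: `/static-foo` and
 * `/api/healthz` are excluded too.
 */
export const config = {
  matcher: ['/((?!_next|static|api/health).*)'],
}

治理要点

- 在边缘执行以降低回源压力;将健康检查与静态资源排除在外。
- 对疑似机器人返回 403,或引导到挑战页面。
- 限流键不要直接信任 X-Forwarded-For:该头由客户端可控,除非前置代理会覆盖(而非追加)它;否则攻击者每伪造一个新值即可获得一个新的令牌桶,限流形同虚设。应优先使用平台提供的客户端 IP,并只取 XFF 的一跳(代理覆盖时取第一跳,代理追加时取最右侧的可信跳)。
- 无法确定来源 IP 的请求会共用 "unknown" 桶:单个滥用者即可让该桶内的所有正常用户被限流。应确认这是可接受的策略,或对此类请求改为放行并记录。
- UA 关键字极易伪造,且会拦截 Googlebot 等合法爬虫,影响 SEO;/admin 路径规则同时会拦截合法管理员,需确认 /admin 由其他入口提供服务。
- 内存 Map 仅在单个 Edge 实例内有效,且会随伪造的键无限增长;示例代码加入了空闲桶清理与键长上限,生产环境仍应使用持久存储(KV/Redis/DO)替代内存 Map,确保分布式一致性。
- 429 响应附带 Retry-After,便于合规客户端退避。

验证与指标

- 浏览器与爬虫:拦截命中率高;正常用户无明显影响。需特别验证持续访问的用户在突发后能否恢复:原始实现中每次请求都会重置时间戳,稳定访问的用户一旦耗尽令牌便不再补充。
- Next.js:15.0+;Edge Runtime:稳定。注意:Next.js 15 可能已移除 NextRequest.ip(需对照所用版本确认),此时客户端 IP 只能来自前置代理写入的头部。
- QPS 高峰可控;错误率与后端负载降低。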
