Laravel 访问限制 throttle 中间件

throttle中间件介绍

频率限制经常用在API中，用于限制独立请求者对特定API的请求频率。每个API都会选择一个自己的频率限制时间跨度，GitHub选择的是1小时，Laravel中间件选择的是1分钟。
例如：throttle:60,1，即设置频率限制为每分钟60次，如果一个IP一分钟内超过这个限制，那么服务器就会返回 429 Too Many Attempts.响应。

throttle中间件遇到的问题

在服务器与服务器之间的API请求频率如果也用有这个限制的话，肯定是不行的。所以，我们要有个IP白名单，可以把ThrottleRequests重写。

自定义throttle中间件

php artisan make:middleware ThrottleRequests

public function handle($request, Closure $next, $maxAttempts = 60, $decayMinutes = 1)
    {
        $key = $this->resolveRequestSignature($request);

        if ($this->limiter->tooManyAttempts($key, $maxAttempts, $decayMinutes)) {
            return $this->buildResponse($key, $maxAttempts);
        }

        if (!in_array($request->ip(),config('ip.whitelist'))){//IP可以写在配置文件中，
            $this->limiter->hit($key, $decayMinutes);//先添加key 然后自增长数值记录访问次数
        }

        $response = $next($request);

        return $this->addHeaders(
            $response, $maxAttempts,
            $this->calculateRemainingAttempts($key, $maxAttempts)
        );
    }

创建ip白名单配置文件(config/ip.php)

<?php
return [
    'whitelist' => [
        '192.22.88.66',
    ],
];

修改app/Http/Kernel.php

protected $routeMiddleware = [
        'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        //'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'throttle' => \App\Http\Middleware\ThrottleRequests::class,
    ];

源码解读

入口是vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php中的handle方法。
未完待续。。。

本作品采用《CC 协议》，转载必须注明作者和本文链接