商务合作加微信:2230304070
学习与交流:PHP技术交流微信群
JetBrains 激活码 每月更新 免费提取
https://web.52shizhan.cn
真实案例:某电商平台促销日,因未做限流导致:
限流核心目标:
// 保护系统三要素
$mustProtect = [
'数据库连接池',
'CPU/内存资源',
'第三方服务配额'
];
classFixedWindowLimiter{
private $lastReset;
private $count = 0;
public $limit = 100; // 窗口内最大请求数
public $interval = 60; // 时间窗口(秒)
publicfunction__construct(){
$this->lastReset = time();
}
publicfunctionallow(): bool{
$now = time();
// 检查是否需要重置窗口
if ($now > $this->lastReset + $this->interval) {
$this->count = 0;
$this->lastReset = $now;
}
// 判断是否超过限制
if ($this->count < $this->limit) {
$this->count++;
returntrue;
}
returnfalse;
}
}
// 使用示例:每分钟最多100次请求
$limiter = new FixedWindowLimiter();
if (!$limiter->allow()) {
http_response_code(429); // Too Many Requests
die('请求过于频繁');
}
致命缺陷:
classSlidingWindowLimiter{
private $timestamps = []; // 存储请求时间戳
public $limit = 100; // 窗口内最大请求数
public $window = 60; // 滑动窗口(秒)
publicfunctionallow(): bool{
$now = time();
// 移除过期请求(窗口外的请求)
$this->timestamps = array_filter(
$this->timestamps,
fn($ts) => $ts > $now - $this->window
);
// 检查当前窗口请求数
if (count($this->timestamps) < $this->limit) {
$this->timestamps[] = $now;
returntrue;
}
returnfalse;
}
}
优势:精确控制任意时间段内的请求量
classLeakyBucketLimiter{
private $lastTime;
private $water = 0; // 当前水量(积压请求数)
public $capacity = 50; // 桶容量(最大积压量)
public $rate = 10; // 漏水速率(请求/秒)
publicfunction__construct(){
$this->lastTime = time();
}
publicfunctionallow(): bool{
$now = time();
// 计算漏水量: (当前时间-上次时间) * 漏水速率
$leak = ($now - $this->lastTime) * $this->rate;
$this->water = max(0, $this->water - $leak);
$this->lastTime = $now;
// 检查桶是否已满
if ($this->water < $this->capacity) {
$this->water++;
returntrue;
}
returnfalse;
}
}
适用场景:需要恒定速率处理请求(如短信发送API)
classTokenBucketLimiter{
private $lastTime;
private $tokens;
public $capacity = 100; // 桶容量
public $rate = 20; // 令牌生成速率(个/秒)
publicfunction__construct(){
$this->lastTime = time();
$this->tokens = $this->capacity; // 初始满桶
}
publicfunctionallow(): bool{
$now = time();
// 计算新增令牌数
$newTokens = ($now - $this->lastTime) * $this->rate;
$this->tokens = min($this->capacity, $this->tokens + $newTokens);
$this->lastTime = $now;
// 检查是否有足够令牌
if ($this->tokens >= 1) {
$this->tokens--;
returntrue;
}
returnfalse;
}
}
核心优势:
classRedisTokenBucket{
private $redis;
private $key;
public $capacity;
public $rate;
publicfunction__construct(
string $key,
int $capacity = 100,
int $rate = 10 // 令牌/秒
){
$this->redis = new Redis();
$this->redis->connect('127.0.0.1');
$this->key = "limiter:$key";
$this->capacity = $capacity;
$this->rate = $rate;
}
publicfunctionallow(): bool{
$now = microtime(true);
// 使用Lua脚本保证原子性
$script = <<<LUA
local key = KEYS[1]
local now = tonumber(ARGV[1])
local capacity = tonumber(ARGV[2])
local rate = tonumber(ARGV[3])
local interval = 1 / rate
-- 获取上次填充时间和令牌数
local data = redis.call('HMGET', key, 'lastTime', 'tokens')
local lastTime = data[1] and tonumber(data[1]) or now
local tokens = data[2] and tonumber(data[2]) or capacity
-- 计算新增令牌
local newTokens = (now - lastTime) * rate
tokens = math.min(capacity, tokens + newTokens)
-- 检查令牌是否足够
if tokens >= 1 then
tokens = tokens - 1
redis.call('HMSET', key, 'lastTime', now, 'tokens', tokens)
redis.call('EXPIRE', key, math.ceil(capacity / rate) * 2)
return true
end
-- 令牌不足
redis.call('HMSET', key, 'lastTime', now, 'tokens', tokens)
returnfalse
LUA;
return$this->redis->eval(
$script,
[$this->key, $now, $this->capacity, $this->rate],
1
);
}
}
// 使用示例:全局订单API限流
$limiter = new RedisTokenBucket('order_api', 500, 50); // 500容量,50令牌/秒
if (!$limiter->allow()) {
header('Retry-After: 1'); // 告诉客户端1秒后重试
die(json_encode(['error' => '请求超限']));
}
关键技术点:

// 全局API限流(保护整个服务)
$globalLimiter = new RedisTokenBucket('global_api', 10000, 500);
// 用户级限流(防止单用户滥用)
$userId = $_SESSION['user_id'] ?? 'guest';
$userLimiter = new RedisTokenBucket("user:$userId", 100, 5); // 单用户5次/秒
if (!$globalLimiter->allow() || !$userLimiter->allow()) {
// 优先保证全局稳定性
log_abuse_request($userId); // 记录异常请求
return fail_response('请求超限');
}
防护效果:
// 方案1:本地缓存+批量同步(降低Redis压力)
$localCounter = 0;
$lastSync = time();
functionfast_allow(): bool{
global $localCounter, $lastSync;
$now = time();
// 每10秒同步一次到Redis
if ($now - $lastSync > 10) {
$redis->incrby('global_count', $localCounter);
$localCounter = 0;
$lastSync = $now;
}
// 本地快速判断
if ($localCounter < 500) { // 本地阈值
$localCounter++;
returntrue;
}
returnfalse;
}
// 方案2:Nginx前置限流(OpenResty + Lua)
location /api {
access_by_lua '
local limiter = require "resty.limit.req"
local lim = limiter.new("my_limit", 100, 10) -- 100次/10秒
local delay, err = lim:incoming(ngx.var.uri)
if not delay then
ngx.exit(429)
end
';
}
# 实时监控限流触发情况
tail -f /var/log/nginx/access.log | grep ' 429 '
header('X-RateLimit-Limit: 100');
header('X-RateLimit-Remaining: 50');
header('Retry-After: 2'); // 客户端重试等待时间
终极箴言:
“没有限流的 API = 敞开大门的金库 —— 迟早被搬空!”
立即行动:composer require bandwidth-throttle/token-bucket

