概览:Edge Middleware 可在请求抵达应用前进行速率限制与机器人拦截。通过简化的 Token Bucket 与 UA/路径挑战策略,降低恶意访问与爬虫的影响,同时保持合法用户体验。
middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
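/** Per-key token buckets, held in this Edge isolate's memory (not shared across instances). */
const buckets = new Map<string, { tokens: number; ts: number }>()
/** Tokens granted per window, i.e. requests allowed per key per WINDOW. */
const RATE = 60
/** Refill window in milliseconds. */
const WINDOW = 60_000
/** Soft cap on tracked keys (constructed value); once reached, idle buckets are evicted before a new key is added. */
const MAX_BUCKETS = 10_000

/**
 * Evict buckets that have been idle for at least one full window.
 * Runs only when the map has reached MAX_BUCKETS, so the common path stays O(1).
 * Best-effort: if every bucket is still active the map may temporarily exceed the cap
 * rather than refusing new clients.
 *
 * @param now - current time in ms
 */
function pruneStale(now: number): void {
  if (buckets.size < MAX_BUCKETS) return
  for (const [key, bucket] of buckets) {
    if (now - bucket.ts >= WINDOW) buckets.delete(key)
  }
}

/**
 * Consume one token from the bucket for `ip`.
 *
 * Refill is granted in whole windows and `ts` advances only by the windows actually
 * credited. Resetting `ts` to `now` on every call (the previous behaviour) meant a
 * client that sent requests more often than once per window was never refilled.
 *
 * @param ip - rate-limit key (a caller-derived client identifier)
 * @param now - current time in ms; injectable for tests, defaults to Date.now()
 * @returns true when the request may proceed, false when the bucket is empty
 */
function allow(ip: string, now: number = Date.now()): boolean {
  let bucket = buckets.get(ip)
  if (bucket === undefined) {
    pruneStale(now)
    bucket = { tokens: RATE, ts: now }
    buckets.set(ip, bucket)
  }
  // Clamp so a clock step backwards cannot produce a negative refill.
  const windows = Math.floor(Math.max(0, now - bucket.ts) / WINDOW)
  if (windows > 0) {
    bucket.tokens = Math.min(RATE, bucket.tokens + windows * RATE)
    bucket.ts += windows * WINDOW
  }
  if (bucket.tokens <= 0) return false
  bucket.tokens -= 1
  return true
}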
/** Self-identifying crawler signatures. The User-Agent is client-supplied, so this is a low-cost heuristic, not a guarantee; it also matches well-behaved crawlers that announce themselves. */
const BOT_UA = /bot|crawler|spider|crawling/i

/**
 * Decide whether a request should be refused before it reaches the app.
 *
 * @param req - incoming request
 * @returns true for a User-Agent matching BOT_UA, any `/admin*` path, or a `.map` source-map fetch
 */
function isBot(req: NextRequest): boolean {
  const userAgent = req.headers.get('user-agent') || ''
  const { pathname } = req.nextUrl
  return (
    BOT_UA.test(userAgent) ||
    pathname.startsWith('/admin') ||
    pathname.endsWith('.map')
  )
}
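/**
 * Derive the rate-limit key for a request.
 *
 * Prefers the platform-provided `req.ip`. Otherwise uses the first entry of
 * X-Forwarded-For, which by convention is the originating client (later entries are
 * intermediate proxies); the previous code keyed on the whole comma-separated list.
 * That header is only trustworthy when a proxy in front of this middleware sets or
 * overwrites it — otherwise the key is client-chosen. 'unknown' pools every
 * unidentified client into one shared bucket, so they are limited collectively
 * rather than left unlimited.
 *
 * @param req - incoming request
 * @returns a string key for the token bucket
 */
function clientKey(req: NextRequest): string {
  if (req.ip) return req.ip
  const forwarded = req.headers.get('x-forwarded-for')
  const first = forwarded?.split(',')[0]?.trim()
  return first || 'unknown'
}

/**
 * Edge middleware: reject suspected bots with 403, then enforce the per-client
 * token bucket with 429; everything else continues to the app.
 * The bot check runs first so flagged traffic neither consumes nor creates a bucket.
 *
 * @param req - incoming request
 * @returns a 403 or 429 response, or `NextResponse.next()` to continue
 */
export function middleware(req: NextRequest): NextResponse {
  if (isBot(req)) {
    return new NextResponse('Forbidden', { status: 403 })
  }
  if (!allow(clientKey(req))) {
    return new NextResponse('Too Many Requests', { status: 429 })
  }
  return NextResponse.next()
}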
/**
 * Paths the middleware runs on: everything except Next.js internals (`_next`),
 * `static` assets and the `api/health` probe, so health checks and asset fetches
 * are neither rate-limited nor bot-filtered.
 */
const matcher = ['/((?!_next|static|api/health).*)']
export const config = { matcher }
治理要点:在边缘执行可降低回源压力;将健康检查与静态资源排除在外。对疑似机器人返回 403,或引导到挑战页面。生产环境使用持久存储(KV/Redis/DO)替代内存 Map,确保分布式一致性。
验证与指标:浏览器与爬虫——拦截命中率高,正常用户无明显影响;Next.js:15.0+;Edge Runtime:稳定;QPS 高峰可控,错误率与后端负载降低。
