Laravel is framework php for web app. In 2022, 1,547,319 websites that are Laravel Customers. We know of 730,966 live websites using Laravel and an additional 816,353 sites that used Laravel applicable. Laravel is not high performance framework but it's one of the most popular web frameworks in the world. Laravel has the advantage of creating fast, full-featured code, which is a great source of keywords for web developers.
There's tons of laravel documentation all over the place, it floods every web page and every discussion. However, I did
not find any document that is deep and extensive enough, the knowledge system of laravel. As you know, from a technical
perspective, when you read the doc and use it, you partially understand it. But you really get insight when you read the
source code, understand how it's implemented, how it's designed. The source code will provide and reflect the software
as it is, pure and straightforward. This is the most in-depth and intuitive approach to opensource. Of course it is not
easy and takes a lot of resources. When you understand the source code, you will learn a lot from that opensource, you
will debug problems very quickly without finding answers or unclear. You have a systematic thinking about the product,
able to solve and fix very difficult bugs. This document provides a general analysis of the theory, the keyword laravel
implementation, it is the most general, it is true for web technology in general, regardless of the language. I will try
to analyze the laravel source code on the mind of web technology these days. I believe it is a useful reference for web
developers, as well as devops who want an overview of the web app system.
The issues I'm covering in this document are not just for Laravel but for web app technology in general. All issues will be presented from theory to core source code and to practice.
This document is for anyone passionate about web app, passionate about php, laravel for all level. If you don't like php, approach it by keyword, but if you love php, enjoy and relax with it. Hope it brings value and helps someone improves level, or simply solve your problem.
All copyrights of the material belong to me. You can read, use, share for many people but no commercial rights or anything related business about it. I want to share it for free to the community
gmail: [email protected]
(If you want to go fast, use the quick view menu, it has highlight meny. But I recommend learning in order, the components I talk about are logically related to each other. Read in order you will have a system. more clear. However, how you read is up to your preference. Here we go)
- How To Understand Big Project
- When save file in public folder
- How to dissect Laravel source
- Dissect session in laravel
- Best practice Xss
- Why are there many type token, accessToken, refreshToken, What is their main purpose?
- Where save token in browser, what is best practice?
- How do ajax,... work with Http only cookie?
- Why framework frontend often use local store for save token?
- Preview type Http server
- Why are there so many webserver models?
- Why is the webServer model constantly changing?
- What is trending in Http server?
- Type http server in Php and Laravel
- Preview contracts in http modules
- Dissect http and routing modules
- Best practice when use driver cache?
- Contracts cache
- Dissect cache
- What is muxtex lock?
- How is mutex lock implement for many driver in Laravel?
- Dissect mutex lock in redis
- How to algorithm of redis implement mutex lock?
- What is distribute lock?
- What is redlock?
- How to Laravel implement theory of Redis?
- What is local in memory?
- What is type of local in memory?
- When is use local in memory?
- Implement local in memory with Laravel?
- Advantages and disadvantages of local in memory with Laravel?
- What is algorithm rate limit?
- Dissect Rate Limit Laravel
- What is ddos?
- Why do not use Rate limit laravel for attack ddos?
- Best practice prevent attack ddos
- Best practice in flash sales?
- To do
A large project always has a lot of lines of code, with laravel 7.X being around 400 000 lines of code. So how do you approach it? My approach is top down thinking, approach from layout code ==> autoload ==> module ==> detail. One question is do you need to know the entire line of code of an opensource to understand it? The answer is no. Any module or source has main components and options. The main component represents the main feature of the project. You only need to understand the whole main component, most of the options are based on the main component. That's how I and this document approach the Laravel source. I know that's the same way most programmers choose to approach a very large project.
Laravel source code has many modules, many interfaces and many design patterns. Before reviewing the source, the first
thing you need to do is determine which interface x is used by and for which class it is binding, like with Facade.
There are many ways to detect this, view file autoload, use ide_helper support loading endpoint,...
the way me used in this doc is using file : https://github.com/laravel/framework/blob/7.x/src/Illuminate/Foundation/Application.php#L1234. It gives you all information about alias mapping interface and binding class when starting laravel app. That's the bare minimum of information you need to dissect Laravel.
Simply, rate limit is a counter that helps to check the limit of a resource (request, query, ...). For each request to count, it increments the counter by 1 and checks with limited config.
print https://github.com/laravel/framework/blob/9.x/src/Illuminate/Cache/RateLimiter.php:
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @param int|string $maxAttempts
* @param float|int $decayMinutes
* @param string $prefix
* @return \Symfony\Component\HttpFoundation\Response
*
* @throws \Illuminate\Http\Exceptions\ThrottleRequestsException
*/
public function handle($request, Closure $next, $maxAttempts = 60, $decayMinutes = 1, $prefix = '')
{
$key = $prefix.$this->resolveRequestSignature($request);
$maxAttempts = $this->resolveMaxAttempts($request, $maxAttempts);
if ($this->limiter->tooManyAttempts($key, $maxAttempts)) {
throw $this->buildException($key, $maxAttempts);
}
$this->limiter->hit($key, $decayMinutes * 60);
$response = $next($request);
return $this->addHeaders(
$response, $maxAttempts,
$this->calculateRemainingAttempts($key, $maxAttempts)
);
}
/**
* Resolve the number of attempts if the user is authenticated or not.
*
* @param \Illuminate\Http\Request $request
* @param int|string $maxAttempts
* @return int
*/
protected function resolveMaxAttempts($request, $maxAttempts)
{
if (Str::contains($maxAttempts, '|')) {
$maxAttempts = explode('|', $maxAttempts, 2)[$request->user() ? ten];
}
if (! is_numeric($maxAttempts) && $request->user()) {
$maxAttempts = $request->user()->{$maxAttempts};
}
return (int) $maxAttempts;
}
/**
* Determine if the given key has been "accessed" too many times.
*
* @param string $key
* @param int $maxAttempts
* @return bool
*/
public function tooManyAttempts($key, $maxAttempts)
{
if ($this->attempts($key) >= $maxAttempts) {
if ($this->cache->has($key.':timer')) {
return true;
}
$this->resetAttempts($key);
}
return false;
}
/**
* Increment the counter for a given key for a given decay time.
*
* @param string $key
* @param int $decaySeconds
* @return int
*/
public function hit($key, $decaySeconds = 60)
{
$this->cache->add(
$key.':timer', $this->availableAt($decaySeconds), $decaySeconds
);
$added = $this->cache->add($key, 0, $decaySeconds);
$hits = (int) $this->cache->increment($key);
if (! $added && $hits == 1) {
$this->cache->put($key, 1, $decaySeconds);
}
return $hits;
}
For routers that implement a middeware rate limit, Laravel will implement a handle rate. RateLimiter is the main class, $this->cache is the corresponding drive cache passed by Laravel according to config. For each request, Laravel initializes the corresponding limit variable if it does not exist, and increments the counter variable by 1:
$added = $this->cache->add($key, 0, $decaySeconds);
Laravel stores the timer interval as a flag marking the cache overate for the correct time interval. Laravel uses cache to control this, if this flag is still there then that rateLimit is still valid, this flag is cleared due to invalidate cache then rateLimit will also be reset:
$this->cache->add(
$key.':timer', $this->availableAt($decaySeconds), $decaySeconds
);
Laravel update again on the first increment of value:
if (! $added && $hits == 1) {
$this->cache->put($key, 1, $decaySeconds);
}
If the over limit condition is satisfied within the configed period, Laravel will catch it:
public function tooManyAttempts($key, $maxAttempts)
{
if ($this->attempts($key) >= $maxAttempts) {
if ($this->cache->has($key.':timer')) {
return true;
}
$this->resetAttempts($key);
}
return false;
}
Laravel throws ex and blocks the request stream:
if ($this->limiter->tooManyAttempts($key, $maxAttempts)) {
throw $this->buildException($key, $maxAttempts);
}
Everything ends when the config time is over, the variables reset to the original process và tiếp tục chạy từ start point.
Ddos is a form of denial of service attack. Attackers often use large amounts of resources, proxies and technologies that constantly change ip requests. It simply creates a very large request threshold that overloads the system's responsiveness causing the system to lose control and down.
Let's analyze some Laravel rate limit features. Activity flow goes to the server, goes to the cache, updates the resulting config. With this feature, when being attacked by ddos, the attacker's requests still go into the server, go to the cache, handle and then be returned. This is very bad with ddos. Well, very quickly, bandwith or service backend or cache service, or all three, or extra services will be overloaded. Which one goes first depends on your project's context, but the project will definitely suffer. Remember one thing, never use larave ratelimit attack ddo. This is true for all technologies and languages, not just php. Remember not to let things go too far. Good luck.
I have dissect the most important and essential modules of Laravel. It is the module that any frame has required. But
right now, I don't have enough time and resources to maintain this project. If you have a need to contribute or want me
to dissect any more modules, please contribute or suggest me. When I have more time, I will come back to it.