nginx ip blacklist dynamic ban method-Nginx-php.cn

Home

Operation and Maintenance

Nginx

nginx ip blacklist dynamic ban method

王林

May 17, 2023 pm 05:58 PM

nginx ip

1.方案

黑名单持久化到mysql （常见的方案是redis，但不利于控制，如：不同的ip设置不同的有效期、ip的crud、统计等等）；

通过lua-nginx-module，在nginx中开辟一块内存（lua_shared_dict），lua将黑名单定期从mysql全量刷新至lua_shared_dict；

所有请求，都要到与lua_shared_dict中的ip check一下。

2.安装

2.1 安装luajit

cd luajit-2.0.5
make
make install prefix=/usr/local/luajit

Copy after login

2.2.安装nginx时，将lua模块编译进去

export luajit_lib=/usr/local/luajit/lib
export luajit_inc=/usr/local/luajit/include/luajit-2.1
 
./configure --prefix=/nginx \
--with-ld-opt="-wl,-rpath,/usr/local/luajit/lib" \
--add-module=/opt/ngx_devel_kit-0.3.1rc1 \
--add-module=/opt/lua-nginx-module-0.10.14rc3
 
make -j2
make install
ln -s /nginx/sbin/nginx /usr/sbin/nginx

Copy after login

3.配置

3.1 nginx配置

http {
  server_tokens off;
  lua_package_path "/usr/local/lib/lua/?.lua;;";
  lua_shared_dict ip_blacklist 4m;
}
 
server {
  set $real_ip $remote_addr;
  if ( $http_x_forwarded_for ~ "^(\d+\.\d+\.\d+\.\d+)" ) {
    set $real_ip $1;
  }
 
  # 管理信息，访问该url可以查看nginx中的ip黑名单信息
  location /get-ipblacklist-info {
    access_by_lua_file conf/lua/get_ipblacklist_info.lua;
  }
 
  # 同步url，通过定时任务调用该url,实现ip黑名单从mysql到nginx的定时刷新
  location /sync-ipblacklist {
   access_by_lua_file conf/lua/sync_ipblacklist.lua;
  }
 
  # 生产域名配置，所有需要ip黑名单控制的location，都要包含以下语句
  location / {
   access_by_lua_file conf/lua/check_realip.lua;
  }
 
}

Copy after login

nginx服务器配置以下crrontab

* * * * * /usr/bin/curl -o /dev/null -s http://127.0.0.1/sync-ipblacklist > /dev/null 2>&1

Copy after login

3.2 lua脚本

sync_ipblacklist.lua

local mysql_host = "ip of mysql server"
local mysql_port = 3306
local database = "dbname"
local username = "user"
local password = "password"
 
-- update ip_blacklist from mysql once every cache_ttl seconds
local cache_ttl  = 1
local mysql_connection_timeout = 1000
 
local client_ip  = ngx.var.real_ip
local ip_blacklist  = ngx.shared.ip_blacklist
local last_update_time = ip_blacklist:get("last_update_time");
 
if last_update_time == nil or last_update_time < ( ngx.now() - cache_ttl ) then
 
 local mysql = require "resty.mysql";
 local red = mysql:new();
 
 red:set_timeout(mysql_connect_timeout);
 
 local ok, err, errcode, sqlstate = red:connect{
     host = mysql_host,
     port = mysql_port,
     database = database,
     user = username,
     password = password,
     charset = "utf8",
     max_packet_size = 1024 * 1024,
    }
 if not ok then
 ngx.log(ngx.err, "mysql connection error while retrieving ip_blacklist: " .. err);
 else
 new_ip_blacklist, err, errcode, sqlstate = red:query("select ip_addr from ip_blacklist where status = 0 order by create_time desc limit 10000", 100)
 if not new_ip_blacklist then
  ngx.log(ngx.err, "bad result. errcode: " .. errcode .. " sqlstate: " .. sqlstate .. " err: " .. err);
  return
 end
 
 ip_blacklist:flush_all();
 for k1, v1 in pairs(new_ip_blacklist) do
  for k2, v2 in pairs(v1) do
  ip_blacklist:set(v2,true);
  end
 end
 
 ip_blacklist:set("last_update_time", ngx.now());
 end
end
 
ngx.say("sync successful");

Copy after login

get_ipblacklist_info.lua

-- 调用url查看黑名单信息
-- 1万ip消耗不到1.5m ngx.shared内存
-- 获取所有key会堵塞别的正常请求对ngx.shared内存的访问，因此只能取少数key展示
require "resty.core.shdict"
ngx.say("total space: " .. ngx.shared.ip_blacklist:capacity() .. "<br/>");
ngx.say("free space: " .. ngx.shared.ip_blacklist:free_space() .. "<br/>");
ngx.say("last update time: " .. os.date("%y%m%d_%h:%m:%s",ngx.shared.ip_blacklist:get("last_update_time")) .. "<br/>");
ngx.say("first 100 keys: <br/>");
ngx.say("--------------------------<br/>");
ip_blacklist = ngx.shared.ip_blacklist:get_keys(100);
for key, value in pairs(ip_blacklist) do
 ngx.say(key .. ": " .. value .. "<br/>");
end

Copy after login

check_realip.lua

if ngx.shared.ip_blacklist:get(ngx.var.real_ip) then
 return ngx.exit(ngx.http_forbidden);
end

Copy after login

3.3 数据库设计

create table `ip_blacklist` (
 `id` int(11) not null auto_increment,
 `ip_addr` varchar(15) collate utf8mb4_bin default null,
 `status` int(11) default &#39;0&#39; comment &#39;0: valid 有效, 1: invalid 失效&#39;,
 `effective_hour` decimal(11,2) default &#39;24&#39; comment &#39;有效期，单位：小时&#39;,
 `ip_source` varchar(255) collate utf8mb4_bin default null comment &#39;黑名单来源&#39;,
 `create_time` datetime default current_timestamp,
 `modify_time` datetime default current_timestamp on update current_timestamp,
 `remark` varchar(255) collate utf8mb4_bin default null comment &#39;备注&#39;,
 primary key (`id`)
) engine=innodb default charset=utf8mb4 collate=utf8mb4_bin;
 
 
create procedure proc_ip_blacklist_status_update()
-- 将过期的ip状态改为失效
begin 
 update ip_blacklist
 set status=1
 where date_add(create_time,interval effective_hour hour) < now();
 commit;
end;
 
 
create event job_ip_blacklist_status_update
on schedule every 1 minute
on completion preserve
enable
do
call proc_ip_blacklist_status_update();

Copy after login

4 crud

黑名单产生有手工的方式，也有自动的方式，或者两者兼有。

自动的方式有通过python分析elk日志，将恶意ip自动写入mysql，这是个大话题，这里不涉及。

手工的方式可以人肉查看elk请求日志，发现恶意ip，手工填入mysql，这里推荐一个开源的crud工具，用户体验很nice（比直接navicat好多了），当然也可以自己写……

项目的强大之处在于，所有表都帮你生成菜单，然后这些表的crud就直接用了。

具体操作见官方说明，就不赘述了。

nginx ip黑名单动态封禁的方法

The above is the detailed content of nginx ip blacklist dynamic ban method. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

4 weeks ago By DDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks ago By DDD

Where to find the Crane Control Keycard in Atomfall

4 weeks ago By DDD

Roblox: Dead Rails - How To Complete Every Challenge

1 months ago By DDD

Atomfall guide: item locations, quest guides, and tips

1 months ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7709

Java Tutorial

1640

CakePHP Tutorial

1394

Laravel Tutorial

1288

PHP Tutorial

1232

Related knowledge

How to check the name of the docker container Apr 15, 2025 pm 12:21 PM

You can query the Docker container name by following the steps: List all containers (docker ps). Filter the container list (using the grep command). Gets the container name (located in the "NAMES" column).

How to check nginx version Apr 14, 2025 am 11:57 AM

The methods that can query the Nginx version are: use the nginx -v command; view the version directive in the nginx.conf file; open the Nginx error page and view the page title.

How to configure cloud server domain name in nginx Apr 14, 2025 pm 12:18 PM

How to configure an Nginx domain name on a cloud server: Create an A record pointing to the public IP address of the cloud server. Add virtual host blocks in the Nginx configuration file, specifying the listening port, domain name, and website root directory. Restart Nginx to apply the changes. Access the domain name test configuration. Other notes: Install the SSL certificate to enable HTTPS, ensure that the firewall allows port 80 traffic, and wait for DNS resolution to take effect.

How to configure nginx in Windows Apr 14, 2025 pm 12:57 PM

How to configure Nginx in Windows? Install Nginx and create a virtual host configuration. Modify the main configuration file and include the virtual host configuration. Start or reload Nginx. Test the configuration and view the website. Selectively enable SSL and configure SSL certificates. Selectively set the firewall to allow port 80 and 443 traffic.

How to check whether nginx is started Apr 14, 2025 pm 01:03 PM

How to confirm whether Nginx is started: 1. Use the command line: systemctl status nginx (Linux/Unix), netstat -ano | findstr 80 (Windows); 2. Check whether port 80 is open; 3. Check the Nginx startup message in the system log; 4. Use third-party tools, such as Nagios, Zabbix, and Icinga.

How to start nginx server Apr 14, 2025 pm 12:27 PM

Starting an Nginx server requires different steps according to different operating systems: Linux/Unix system: Install the Nginx package (for example, using apt-get or yum). Use systemctl to start an Nginx service (for example, sudo systemctl start nginx). Windows system: Download and install Windows binary files. Start Nginx using the nginx.exe executable (for example, nginx.exe -c conf\nginx.conf). No matter which operating system you use, you can access the server IP

How to create containers for docker Apr 15, 2025 pm 12:18 PM

Create a container in Docker: 1. Pull the image: docker pull [mirror name] 2. Create a container: docker run [Options] [mirror name] [Command] 3. Start the container: docker start [Container name]

How to start containers by docker Apr 15, 2025 pm 12:27 PM

Docker container startup steps: Pull the container image: Run "docker pull [mirror name]". Create a container: Use "docker create [options] [mirror name] [commands and parameters]". Start the container: Execute "docker start [Container name or ID]". Check container status: Verify that the container is running with "docker ps".

See all articles