flyskype
/
openresty
mirror of https://github.com/openresty/openresty
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
stream-ppv2
1.19.9.x
1.21.4.x
1.25.3.x
cve
ngx-http-redis
v24.2
bump-1.21.4.2
rel
close_fd
1.19.3.x
1.17.8.x
1.15.8.x
nginx-1.13.8
v1.15.8.2
v0.8.54.3
v0.8.54.4
v0.8.54.5
v0.8.54.6
v0.8.54.8
v0.8.54.9
v1.0.10.1
v1.0.10.11
v1.0.10.13
v1.0.10.15
v1.0.10.17
v1.0.10.19
v1.0.10.21
v1.0.10.23
v1.0.10.24
v1.0.10.25
v1.0.10.27
v1.0.10.29
v1.0.10.3
v1.0.10.31
v1.0.10.33
v1.0.10.35
v1.0.10.41
v1.0.10.43
v1.0.10.44
v1.0.10.45
v1.0.10.47
v1.0.10.48
v1.0.10.5
v1.0.10.7
v1.0.10.9
v1.0.11.11
v1.0.11.15
v1.0.11.17
v1.0.11.19
v1.0.11.21
v1.0.11.23
v1.0.11.25
v1.0.11.27
v1.0.11.28
v1.0.11.3
v1.0.11.7
v1.0.11.9
v1.0.15.1
v1.0.15.10
v1.0.15.11
v1.0.15.3
v1.0.15.5
v1.0.15.7
v1.0.15.9
v1.0.4.0
v1.0.4.1
v1.0.4.2
v1.0.5.0
v1.0.5.1
v1.0.6.22
v1.0.6.3
v1.0.6.5
v1.0.8.1
v1.0.8.11
v1.0.8.13
v1.0.8.15
v1.0.8.17
v1.0.8.19
v1.0.8.21
v1.0.8.26
v1.0.8.3
v1.0.8.5
v1.0.8.7
v1.0.8.9
v1.0.9.1
v1.0.9.10
v1.0.9.3
v1.0.9.5
v1.0.9.7
v1.0.9.9
v1.1.12.3
v1.1.12.4
v1.1.12.5
v1.1.13.1
v1.11.2.1
v1.11.2.2
v1.11.2.3
v1.11.2.4
v1.11.2.5
v1.13.6.1
v1.13.6.2
v1.15.8.1
v1.15.8.1rc1
v1.15.8.1rc2
v1.15.8.3
v1.17.8.1
v1.17.8.1rc1
v1.17.8.2
v1.19.3.1
v1.19.3.1rc0
v1.19.3.1rc1
v1.19.3.2
v1.19.9.1
v1.19.9.1rc1
v1.19.9.2
v1.2.1.1
v1.2.1.11
v1.2.1.13
v1.2.1.14
v1.2.1.3
v1.2.1.5
v1.2.1.7
v1.2.1.9
v1.2.3.1
v1.2.3.3
v1.2.3.5
v1.2.3.7
v1.2.3.8
v1.2.4.1
v1.2.4.11
v1.2.4.13
v1.2.4.14
v1.2.4.3
v1.2.4.5
v1.2.4.7
v1.2.4.9
v1.2.6.1
v1.2.6.3
v1.2.6.5
v1.2.6.6
v1.2.7.1
v1.2.7.3
v1.2.7.5
v1.2.7.6
v1.2.7.8
v1.2.8.1
v1.2.8.3
v1.2.8.5
v1.2.8.6
v1.21.4.1
v1.21.4.1rc1
v1.21.4.1rc2
v1.21.4.1rc3
v1.21.4.2
v1.21.4.2rc1
v1.21.4.3
v1.21.4.4
v1.25.3.1
v1.25.3.2
v1.27.1.1
v1.27.1.2
v1.4.1.1
v1.4.1.3
v1.4.2.1
v1.4.2.3
v1.4.2.5
v1.4.2.7
v1.4.2.8
v1.4.2.9
v1.4.3.1
v1.4.3.3
v1.4.3.4
v1.4.3.6
v1.4.3.7
v1.4.3.9
v1.5.11.1
v1.5.12.1
v1.5.8.1
v1.7.0.1
v1.7.10.1
v1.7.10.2
v1.7.2.1
v1.7.4.1
v1.7.7.1
v1.7.7.2
v1.9.15.1
v1.9.3.1
v1.9.3.1rc1
v1.9.3.2
v1.9.7.1
v1.9.7.2
v1.9.7.3
v1.9.7.4
v1.9.7.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5ca055ea72'
${ noResults }
openresty/samples/ip_blacklist/ip_blacklist.conf.lua

124 lines
4.8 KiB
Lua
Raw Blame History

--[[
¡ ¡ ¡ ALL GLORY TO GLORIA ! ! !
requires openresty bundle http://openresty.org/
or ngx-lua module http://wiki.nginx.org/HttpLuaModule#Installation
and lua-resty-redis from: https://github.com/agentzh/lua-resty-redis
Replace the distribution nginx with local installation of openresty
service nginx stop
mv /usr/local/openresty/nginx/conf /usr/local/openresty/nginx/conf_install
ln -s /etc/nginx /usr/local/openresty/nginx/conf
mv /usr/sbin/nginx /usr/sbin/nginx-back
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/nginx
mkdir /etc/nginx/lua
cp ip_blacklist.conf.lua /etc/nginx/lua/
cp ip_blacklist.lua /etc/nginx/lua/
Configure the NGINX
nginx.conf
...
http {
...
# you do not need the following line if you are using the ngx_openresty bundle:
#lua_package_path "/path/to/lua-resty-redis/lib/?.lua;;";
# Инициализировать ip_blacklist
init_by_lua_file '/etc/nginx/lua/ip_blacklist.conf.lua';
...
location <...> {
access_by_lua_file '/etc/nginx/lua/ip_blacklist.lua';
proxy_pass ...
...
}
}
--~ package.path = '/usr/local/openresty/lualib/?.lua;/usr/local/openresty/lualib/?/init.lua;' .. package.path -- .. ';'
--~ package.cpath = '/usr/local/openresty/lualib/?.so;' .. package.cpath --??
--]]
ip_blacklist = {-- global config
redis_host = "127.0.0.1",
redis_port = 6379,
-- connection timeout for redis in ms. don't set this too high!
redis_timeout = 200,
mode='count000', -- count - только посчет (без занесения в черный список и подзапроса на кэш контента) | forbidden - не смотреть в редис, банить 403 как авито | nocapture - при бане отдавать только кэш
prefix = "ip_blacklist", -- для ключей редиса
-- отдельные записи счетчиков по временным интервалам, IP и URI (без параматеров)
time_range = 3, -- разбивает временную линию на отрезки секунд и использует для ключа
req_limit = 20, -- столько раз может обратиться IP в текущем временном отрезке
-- отдельная запись для удержания в ловушке см. ниже функцию key_lock
time_lock = 60, -- секунд держать в ловушке, если продолжает дергаться - пролонгировать expire этого ключа
-- просмотр лога ловушки lrange ip_blacklist 0 -1
["debug"]=1,
redis = require "resty.redis",
--=================== FUNC =============================================
join = function (list)
local t = {}
for _,v in pairs(list) do
t[#t+1] = tostring(v)
end
return table.concat(t,":")
end,
---------------------------------------------------------------------------------------------------------------------------
redis_end = function (redis)
--[[
syntax: ok, err = red:set_keepalive(max_idle_timeout, pool_size)
Puts the current Redis connection immediately into the ngx_lua cosocket connection pool.
You can specify the max idle timeout (in ms) when the connection is in the pool and the maximal size of the pool every nginx worker process.
In case of success, returns 1. In case of errors, returns nil with a string describing the error.
Only call this method in the place you would have called the close method instead. Calling this method will immediately turn the current redis object into the closed state. Any subsequent operations other than connect() on the current objet will return the closed error.
]]
--~ redis:set_keepalive(10000, 2)
local ok, err = redis:set_keepalive(10000, 20)
if not ok then
ngx.log(ngx.ERR, string.format("ip_blacklist: failed to set set_keepalive: [%s]", err))
--~ return
end
end,
-------------------------------------------------------------------------------------------------------------------
--[[
deny_resp = function () -- если не будет в кэше?
ngx.status = ngx.HTTP_OK
ngx.header.content_type = 'text/html; charset=UTF-8'
local body =[[
<!DOCTYPE html>
<html>
<head>
<meta charset=utf-8>
<title>(Это title)</title>
</head>
<body>
<header>
<hgroup>
<h1>Заголовок "h1" из hgroup</h1>
</hgroup>
</header>
<nav>
<menu>
<li><a href="link1.html">Первая ссылка из блока "nav"</a></li>
</menu>
</nav>
</body>
</html>
]]
ngx.header.content_length = string.len(body)
ngx.say(body)
-- to cause quit the whole request rather than the current phase handler
ip_blacklist.redis_end(ip_blacklist.redis)
return ngx.exit(ngx.HTTP_OK)
end
--]]
-- end configuration
}
--~ ngx.log(ngx.INFO, "ip_blacklist: success configure table [ip_blacklist]") --..ip_blacklist
Reference in New Issue View Git Blame Copy Permalink