-- a quick LUA access script for nginx to check IP addresses against an-- `ip_

1. -- a quick LUA access script for nginx to check IP addresses against an
2. -- `ip_blacklist` set in Redis, and if a match is found send a HTTP 403.
3. --
4. -- allows for a common blacklist to be shared between a bunch of nginx
5. -- web servers using a remote redis instance. lookups are cached for a
6. -- configurable period of time.
7. --
8. -- block an ip:
9. --   redis-cli SADD ip_blacklist 10.1.1.1
10. -- remove an ip:
11. --   redis-cli SREM ip_blacklist 10.1.1.1
12. --
13. -- also requires lua-resty-redis from:
14. --   https://github.com/agentzh/lua-resty-redis
15. --
16. -- your nginx http context should contain something similar to the
17. -- below: (assumes resty/redis.lua exists in /etc/nginx/lua/)
18. --
19. --   lua_package_path "/etc/nginx/lua/?.lua;;";
20. --   lua_shared_dict ip_blacklist_cache 10m;
21. --
22. -- you can then use the below (adjust path where necessary) to check
23. -- against the blacklist in a http, server, location, if context:
24. --
25. -- access_by_lua_file /etc/nginx/lua/ip_blacklist.lua;
26. --
27. -- chris boulton, @surfichris
28.  
29. local redis_host    = "127.0.0.1"
30. local redis_port    = 6379
31.  
32. -- connection timeout for redis in ms. don't set this too high!
33. local redis_timeout = 200
34.  
35. -- check a set with this key for blacklist entries
36. local redis_key     = "ip_blacklist"
37.  
38. -- cache lookups for this many seconds
39. local cache_ttl     = 10
40.  
41. -- end configuration
42.  
43. local ip                 = ngx.var.remote_addr
44. local ip_blacklist_cache = ngx.shared.ip_blacklist_cache
45.  
46. -- setup a local cache
47. if cache_ttl > 0 then
48.   -- lookup the value in the cache
49.   local cache_result = ip_blacklist_cache:get(ip)
50.   if cache_result then
51.     --ngx.log(ngx.DEBUG, "ip_blacklist: found result in cache for "..ip.." -> "..cache_result)
52.  
53.     if cache_result == 0 then
54.     --ngx.log(ngx.DEBUG, "ip_blacklist: (cache) no result found for "..ip)
55.       return
56.     end
57.  
58.     --ngx.log(ngx.INFO, "ip_blacklist: (cache) "..ip.." is blacklisted")
59.     ngx.header.content_type = 'text/plain'
60.     ngx.say("You sent too many requests to our server, we have therefore limited your access for 60 minutes.")
61.     ngx.exit(200)
62.   end
63. end
64.  
65. -- lookup against redis
66. local resty = require "resty.redis"
67. local redis = resty:new()
68.  
69. redis:set_timeout(redis_timeout)
70.  
71. local connected, err = redis:connect(redis_host, redis_port)
72. if not connected then
73.   --ngx.log(ngx.ERR, "ip_blacklist: could not connect to redis @"..redis_host..": "..err)
74.   return
75. end
76.  
77. local result, err = redis:sismember("ip_blacklist", ip)
78. if not result then
79.   --ngx.log(ngx.ERR, "ip_blacklist: lookup failed for "..ip..":"..err)
80.   return
81. end
82.  
83. -- cache the result from redis
84. if cache_ttl > 0 then
85.   ip_blacklist_cache:set(ip, result, cache_ttl)
86. end
87.  
88. redis:set_keepalive(10000, 2)
89. if result == 0 then
90.   --ngx.log(ngx.INFO, "ip_blacklist: no result found for "..ip)
91.   return
92. end
93.  
94. --ngx.log(ngx.INFO, "ip_blacklist: "..ip.." is blacklisted")
95. ngx.header.content_type = 'text/plain'
96. ngx.say("You sent too many requests to our server, we have therefore limited your access for 60 minutes.")
97. ngx.exit(403)