  1. -- a quick LUA access script for nginx to check IP addresses against an
  2. -- `ip_blacklist` set in Redis, and if a match is found send a HTTP 403.
  3. --
  4. -- allows for a common blacklist to be shared between a bunch of nginx
  5. -- web servers using a remote redis instance. lookups are cached for a
  6. -- configurable period of time.
  7. --
  8. -- block an ip:
  9. --   redis-cli SADD ip_blacklist 10.1.1.1
  10. -- remove an ip:
  11. --   redis-cli SREM ip_blacklist 10.1.1.1
  12. --
  13. -- also requires lua-resty-redis from:
  14. --   https://github.com/agentzh/lua-resty-redis
  15. --
  16. -- your nginx http context should contain something similar to the
  17. -- below: (assumes resty/redis.lua exists in /etc/nginx/lua/)
  18. --
  19. --   lua_package_path "/etc/nginx/lua/?.lua;;";
  20. --   lua_shared_dict ip_blacklist_cache 10m;
  21. --
  22. -- you can then use the below (adjust path where necessary) to check
  23. -- against the blacklist in a http, server, location, if context:
  24. --
  25. -- access_by_lua_file /etc/nginx/lua/ip_blacklist.lua;
  26. --
  27. -- chris boulton, @surfichris
  28.  
  29. local redis_host    = "127.0.0.1"
  30. local redis_port    = 6379
  31.  
  32. -- connection timeout for redis in ms. don't set this too high!
  33. local redis_timeout = 200
  34.  
  35. -- check a set with this key for blacklist entries
  36. local redis_key     = "ip_blacklist"
  37.  
  38. -- cache lookups for this many seconds
  39. local cache_ttl     = 10
  40.  
  41. -- end configuration
  42.  
  43. local ip                 = ngx.var.remote_addr
  44. local ip_blacklist_cache = ngx.shared.ip_blacklist_cache
  45.  
  46. -- setup a local cache
  47. if cache_ttl > 0 then
  48.   -- lookup the value in the cache
  49.   local cache_result = ip_blacklist_cache:get(ip)
  50.   if cache_result then
  51.     --ngx.log(ngx.DEBUG, "ip_blacklist: found result in cache for "..ip.." -> "..cache_result)
  52.  
  53.     if cache_result == 0 then
  54.     --ngx.log(ngx.DEBUG, "ip_blacklist: (cache) no result found for "..ip)
  55.       return
  56.     end
  57.  
  58.     --ngx.log(ngx.INFO, "ip_blacklist: (cache) "..ip.." is blacklisted")
  59.     ngx.header.content_type = 'text/plain'
  60.     ngx.say("You sent too many requests to our server, we have therefore limited your access for 60 minutes.")
  61.     ngx.exit(200)
  62.   end
  63. end
  64.  
  65. -- lookup against redis
  66. local resty = require "resty.redis"
  67. local redis = resty:new()
  68.  
  69. redis:set_timeout(redis_timeout)
  70.  
  71. local connected, err = redis:connect(redis_host, redis_port)
  72. if not connected then
  73.   --ngx.log(ngx.ERR, "ip_blacklist: could not connect to redis @"..redis_host..": "..err)
  74.   return
  75. end
  76.  
  77. local result, err = redis:sismember("ip_blacklist", ip)
  78. if not result then
  79.   --ngx.log(ngx.ERR, "ip_blacklist: lookup failed for "..ip..":"..err)
  80.   return
  81. end
  82.  
  83. -- cache the result from redis
  84. if cache_ttl > 0 then
  85.   ip_blacklist_cache:set(ip, result, cache_ttl)
  86. end
  87.  
  88. redis:set_keepalive(10000, 2)
  89. if result == 0 then
  90.   --ngx.log(ngx.INFO, "ip_blacklist: no result found for "..ip)
  91.   return
  92. end
  93.  
  94. --ngx.log(ngx.INFO, "ip_blacklist: "..ip.." is blacklisted")
  95. ngx.header.content_type = 'text/plain'
  96. ngx.say("You sent too many requests to our server, we have therefore limited your access for 60 minutes.")
  97. ngx.exit(403)