  1. -- a quick LUA access script for nginx to check IP addresses against an
  2. -- `ip_blacklist` set in Redis, and if a match is found send a HTTP 403.
  3. --
  4. -- allows for a common blacklist to be shared between a bunch of nginx
  5. -- web servers using a remote redis instance. lookups are cached for a
  6. -- configurable period of time.
  7. --
  8. -- block an ip:
  9. --   redis-cli SADD ip_blacklist 10.1.1.1
  10. -- remove an ip:
  11. --   redis-cli SREM ip_blacklist 10.1.1.1
  12. --
  13. -- also requires lua-resty-redis from:
  14. --   https://github.com/agentzh/lua-resty-redis
  15. --
  16. -- your nginx http context should contain something similar to the
  17. -- below: (assumes resty/redis.lua exists in /etc/nginx/lua/)
  18. --
  19. --   lua_package_path "/etc/nginx/lua/?.lua;;";
  20. --   lua_shared_dict ip_blacklist_cache 10m;
  21. --
  22. -- you can then use the below (adjust path where necessary) to check
  23. -- against the blacklist in a http, server, location, if context:
  24. --
  25. -- access_by_lua_file /etc/nginx/lua/ip_blacklist.lua;
  26. --
  27. -- chris boulton, @surfichris
  28.  
  29. local redis_host    = "127.0.0.1"
  30. local redis_port    = 6379
  31.  
  32. -- connection timeout for redis in ms. don't set this too high!
  33. local redis_timeout = 200
  34.  
  35. -- check a set with this key for blacklist entries
  36. local redis_key     = "ip_blacklist"
  37.  
  38. -- cache lookups for this many seconds
  39. local cache_ttl     = 10
  40.  
  41. -- end configuration
  42.  
  43. local ip                 = ngx.var.remote_addr
  44. local ip_blacklist_cache = ngx.shared.ip_blacklist_cache
  45.  
  46. -- setup a local cache
  47. if cache_ttl > 0 then
  48.   -- lookup the value in the cache
  49.   local cache_result = ip_blacklist_cache:get(ip)
  50.   if cache_result then
  51.     --ngx.log(ngx.DEBUG, "ip_blacklist: found result in cache for "..ip.." -> "..cache_result)
  52.  
  53.     if cache_result == 0 then
  54.     --ngx.log(ngx.DEBUG, "ip_blacklist: (cache) no result found for "..ip)
  55.       return
  56.     end
  57.  
  58.     --ngx.log(ngx.INFO, "ip_blacklist: (cache) "..ip.." is blacklisted")
  59.     ngx.header.content_type = 'text/plain'
  60.     ngx.say("You sent too many requests to our server, we have therefore limited your access for 60 minutes.")
  61.     ngx.exit(200)
  62.   end
  63. end
  64.  
  65. -- lookup against redis
  66. local resty = require "resty.redis"
  67. local redis = resty:new()
  68.  
  69. redis:set_timeout(redis_timeout)
  70.  
  71. local connected, err = redis:connect(redis_host, redis_port)
  72. if not connected then
  73.   --ngx.log(ngx.ERR, "ip_blacklist: could not connect to redis @"..redis_host..": "..err)
  74.   return
  75. end
  76.  
  77. local result, err = redis:sismember("ip_blacklist", ip)
  78. if not result then
  79.   --ngx.log(ngx.ERR, "ip_blacklist: lookup failed for "..ip..":"..err)
  80.   return
  81. end
  82.  
  83. -- cache the result from redis
  84. if cache_ttl > 0 then
  85.   ip_blacklist_cache:set(ip, result, cache_ttl)
  86. end
  87.  
  88. redis:set_keepalive(10000, 2)
  89. if result == 0 then
  90.   --ngx.log(ngx.INFO, "ip_blacklist: no result found for "..ip)
  91.   return
  92. end
  93.  
  94. --ngx.log(ngx.INFO, "ip_blacklist: "..ip.." is blacklisted")
  95. ngx.header.content_type = 'text/plain'
  96. ngx.say("You sent too many requests to our server, we have therefore limited your access for 60 minutes.")
  97. ngx.exit(403)