Nginx Lua Redis防止CC×××實現原理:同一個外網IP、同一個網址(ngx.var.request_uri)、同一個客戶端(http_user_agent)在某一段時間(CCseconds)內訪問某個網址(ngx.var.request_uri)超過指定次數(CCcount),則禁止這個外網IP+同一個客戶端(md5(IP+ngx.var.http_user_agent)訪問這個網址(ngx.var.request_uri)一段時間(blackseconds)。
該腳本使用lua編寫(依賴nginx+lua),將信息寫到redis(依賴redis.lua)。
nginx重新編譯
獲取nginx編譯參數
[root@mfs003 ~]# `nginx -V`
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2n 7 Dec 2017
TLS SNI support enabled
configure arguments: `--prefix=/usr/local/nginx --user=www --group=www --with- http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2n --with-pcre=../pcre-8.41 --with-pcre-jit --with-ld-opt=-ljemalloc `
下載對應軟件
[root@mfs003 ~]# mkdir /data/soft
[root@mfs003 ~]# cd /data/soft
[root@mfs003 soft]# wget -c http://nginx.org/download/nginx-1.12.1.tar.gz
[root@mfs003 soft]# wget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2l.tar.gz
[root@mfs003 soft]# wget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.41.tar.gz
[root@mfs003 soft]# wget -c http://luajit.org/download/LuaJIT-2.0.5.tar.gz
[root@mfs003 soft]# git clone https://github.com/simpl/ngx_devel_kit.git
[root@mfs003 soft]# git clone https://github.com/openresty/lua-nginx-module.git
解壓nginx和打lua補丁
[root@mfs003 soft]# tar xf nginx-1.12.1.tar.gz
[root@mfs003 soft]# tar xzf LuaJIT-2.0.5.tar.gz
[root@mfs003 soft]# pushd LuaJIT-2.0.5
[root@mfs003 soft]# make && make install
[root@mfs003 soft]# popd
[root@mfs003 soft]# pushd nginx-1.12.1
[root@mfs003 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2n --with-pcre=../pcre-8.41 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../lua-nginx-module --add-module=../ngx_devel_kit
[root@mfs003 nginx-1.12.1]# make
[root@mfs003 nginx-1.12.1]# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_back
[root@mfs003 nginx-1.12.1]# cp objs/nginx /usr/local/nginx/sbin/nginx
檢查nginx語法
[root@mfs003 nginx-1.12.1]# nginx -t
獲取redis.lua文件並下載到conf目錄下
[root@mfs003 nginx-1.12.1]# cd /usr/local/nginx/conf/
[root@mfs003 conf]# wget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua
[root@mfs003 conf]# vim nginx.conf #在/usr/local/nginx/conf/nginx.conf http { }中添加:
lua_package_path "/usr/local/nginx/conf/redis.lua";
防止CC規則waf.lua
將下面內容保存在/usr/local/nginx/conf/waf.lua
[root@mfs003 conf]# cat waf.lua
local get_headers = ngx.req.get_headers
local ua = ngx.var.http_user_agent
local uri = ngx.var.request_uri
local url = ngx.var.host .. uri
local redis = require 'redis'
local red = redis.new()
local CCcount = 20
local CCseconds = 60
local RedisIP = '127.0.0.1'
local RedisPORT = 6379
local blackseconds = 7200
if ua == nil then
ua = "unknown"
end
if (uri == "/wp-admin.php") then
CCcount=20
CCseconds=60
end
red:set_timeout(100)
local ok, err = red.connect(red, RedisIP, RedisPORT)
if ok then
red.connect(red, RedisIP, RedisPORT)
function getClientIp()
IP = ngx.req.get_headers()["X-Real-IP"]
if IP == nil then
IP = ngx.req.get_headers()["x_forwarded_for"]
end
if IP == nil then
IP = ngx.var.remote_addr
end
if IP == nil then
IP = "unknown"
end
return IP
end
local token = getClientIp() .. "." .. ngx.md5(url .. ua)
local req = red:exists(token)
if req == 0 then
red:incr(token)
red:expire(token,CCseconds)
else
local times = tonumber(red:get(token))
if times >= CCcount then
local blackReq = red:exists("black." .. token)
if (blackReq == 0) then
red:set("black." .. token,1)
red:expire("black." .. token,blackseconds)
red:expire(token,blackseconds)
ngx.exit(580)
else
ngx.exit(580)
end
return
else
red:incr(token)
end
end
return
end
在虛擬主機裏面加載waf.lua文件
測試
打開瀏覽器訪問主頁 快速點擊多次 然後看結果