|
Nginx Lua Redis防止CC攻击实现原理:同一个外网IP、同一个网址(ngx.var.request_uri)、同一个客户端(http_user_agent)在某一段时间(CCseconds)内访问某个网址(ngx.var.request_uri)超过指定次数(CCcount),则禁止这个外网IP+同一个客户端(md5(IP+ngx.var.http_user_agent)访问这个网址(ngx.var.request_uri)一段时间(blackseconds)。
该脚本使用lua编写(依赖nginx+lua),将信息写到redis(依赖redis.lua)。
Nginx lua模块安装
重新编译nginx,安装lua模块
[ol]pushd /root/oneinstack/srcwget -c http://nginx.org/download/nginx-1.12.1.tar.gzwget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2l.tar.gzwget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.41.tar.gzwget -c http://luajit.org/download/LuaJIT-2.0.5.tar.gzgit clone https://github.com/simpl/ngx_devel_kit.gitgit clone https://github.com/openresty/lua-nginx-module.gittar xzf nginx-1.12.1.tar.gztar xzf openssl-1.0.2l.tar.gztar xzf pcre-8.41.tar.gztar xzf LuaJIT-2.0.5.tar.gzpushd LuaJIT-2.0.5make && make installpopdpushd nginx-1.12.1./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2l --with-pcre=../pcre-8.41 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../lua-nginx-module --add-module=../ngx_devel_kitmakemv /usr/local/nginx/sbin/nginx{,_bk}cp objs/nginx /usr/local/nginx/sbinnginx -t #检查语法[/ol]复制代码
加载redis.lua
[ol]mkdir /usr/local/nginx/conf/luacd /usr/local/nginx/conf/luawget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua[/ol]复制代码
在/usr/local/nginx/conf/nginx.conf http { }中添加:
[ol]#the Nginx bundle:lua_package_path "/usr/local/nginx/conf/lua/redis.lua;;";[/ol]复制代码
防止CC规则waf.lua
将下面内容保存在/usr/local/nginx/conf/lua/waf.lua
[ol]local get_headers = ngx.req.get_headerslocal ua = ngx.var.http_user_agentlocal uri = ngx.var.request_urilocal url = ngx.var.host .. urilocal redis = require 'redis'local red = redis.new()local CCcount = 20local CCseconds = 60local RedisIP = '127.0.0.1'local RedisPORT = 6379local blackseconds = 7200if ua == nil then ua = "unknown"endif (uri == "/wp-admin.php") then CCcount=20 CCseconds=60endred:set_timeout(100)local ok, err = red.connect(red, RedisIP, RedisPORT)if ok then red.connect(red, RedisIP, RedisPORT) function getClientIp() IP = ngx.req.get_headers()["X-Real-IP"] if IP == nil then IP = ngx.req.get_headers()["x_forwarded_for"] end if IP == nil then IP = ngx.var.remote_addr end if IP == nil then IP = "unknown" end return IP end local token = getClientIp() .. "." .. ngx.md5(url .. ua) local req = red:exists(token) if req == 0 then red:incr(token) red:expire(token,CCseconds) else local times = tonumber(red:get(token)) if times >= CCcount then local blackReq = red:exists("black." .. token) if (blackReq == 0) then red:set("black." .. token,1) red:expire("black." .. token,blackseconds) red:expire(token,blackseconds) ngx.exit(580) else ngx.exit(580) end return else red:incr(token) end end returnend[/ol]复制代码
Nginx虚拟主机加载waf.lua
在虚拟主机配置文件/usr/local/nginx/conf/vhost/oneinstack.com.conf
[ol]access_by_lua_file "/usr/local/nginx/conf/lua/waf.lua";[/ol]复制代码 |
|