Alex's Blog

All articles on this blog are original; they are my notes on solving the small problems I have run into over years of working in this industry. I hope they help!



OpenResty: implementing dynamic IP banning

OpenResty official site:

http://openresty.org/cn/download.html

yum install pcre-devel openssl-devel gcc curl postgresql-devel

wget https://openresty.org/download/openresty-1.13.6.1.tar.gz

tar -xzvf openresty-1.13.6.1.tar.gz

cd openresty-1.13.6.1

./configure --prefix=/software/openresty --with-luajit --without-http_redis2_module --with-http_iconv_module --with-http_postgres_module

gmake

gmake install

/software/openresty/bin/openresty

cd /software/openresty/nginx/conf

vi nginx.conf

Add the following inside the server block (you could also create a separate virtual host; this is only a test):

location /test {
                default_type 'text/html';
                charset utf-8;
                # off = re-read access.lua on every request; convenient for testing, keep it on in production
                lua_code_cache off;
                content_by_lua_file conf/access.lua;
        }

vi access.lua

local redis = require "resty.redis"
local red = redis:new()

red:set_timeout(1000) -- 1 sec

local ok, err = red:connect("127.0.0.1", 6379)
if not ok then
  -- note: this fails open, a request is not blocked when Redis is unreachable
  ngx.say("failed to connect: ", err)
  return
end

-- test key: this post checks one fixed address; for real use look up the
-- client address (ngx.var.remote_addr) so every visitor is checked
local res, err = red:get("192.168.1.254")
if not res then
  ngx.say("failed to get key: ", err)
  return
end

-- return the connection to the pool instead of closing it on every request
local ok, err = red:set_keepalive(10000, 100)
if not ok then
  ngx.log(ngx.ERR, "failed to set keepalive: ", err)
end

-- red:get returns ngx.null for a missing key, so only an explicit "1" blocks
if res == '1' then
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

Create the service; it is really the same as for nginx.

vi /etc/init.d/nginx

#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#               proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /software/openresty/nginx/conf/nginx.conf
# config:      /etc/sysconfig/nginx
# pidfile:     /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/software/openresty/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/software/openresty/nginx/conf/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    # SIGQUIT asks the master for a graceful shutdown (workers finish in-flight requests)
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    # SIGHUP re-reads the configuration without dropping connections
    killproc $nginx -HUP
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # only restart when the service is already running
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac


The rule here is: when the Redis database holds a record with the key 192.168.1.254, return 403 directly; otherwise do nothing.


As for where the banned IPs come from, that is done with Python reading the access log.

The purpose of doing it this way is to avoid affecting the site's request-serving performance.

If the checking, judging and database writes were all done directly inside Lua, it would be noticeably slower.

Since time is limited, I will first outline the approach and implement it tomorrow.

Python reads the log once every second, checks which IPs look suspicious, and writes them to Redis.

Then on every request the Lua code checks Redis for a blacklisted IP and returns an error if it finds one.



Views 425  Comments 0  Posted by Alex on 2018-1-22 18:26