openresty 动态黑名单和ip频率限制lua脚本

2022 年 09 月 05 日

993次浏览

6677字数

nginx配置

  location @java {
            
                header_filter_by_lua_file /www/server/nginx/lua/handle_cors.lua;
                if ($request_method = 'OPTIONS') {
                    return 204;
                }
            
              access_by_lua_file /www/server/nginx/lua/access_limit.lua;
            proxy_pass http://java;
        }

--access_limit.lua文件
local json = require("cjson")
local redis = require "resty.redis"
local ngx_log = ngx.log
local ngx_ERR = ngx.ERR
local ngx_INFO = ngx.INFO
local ngx_exit = ngx.exit
local ngx_var = ngx.var

-- 黑名单缓存60秒
local cache_idle = 60
local forbidden_list = ngx.shared.forbidden_list

--redis
local ip = "redis地址"
local port = 6379
local password = "redis密码"




local function close_redis(red)
    if not red then
        return
    end
    -- 释放连接(连接池实现)
    local pool_max_idle_time = 10000 -- 毫秒
    local pool_size = 100  -- 连接池大小
    local ok, err = red:set_keepalive(pool_max_idle_time, pool_size)
    if not ok then
        ngx_log(ngx_ERR, "set redis keepalive error : ", err)
    end
end



local function getIp()
       local headers = ngx.req.get_headers()

       local clientIP = headers["x-forwarded-for"]
        if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
               clientIP = headers["Proxy-Client-IP"]
        end
        if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
               clientIP = headers["WL-Proxy-Client-IP"]
        end
        if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
               clientIP = ngx.var.remote_addr
        end
        -- 对于通过多个代理的情况，第一个IP为客户端真实IP,多个IP按照','分割
        if clientIP ~= nil and string.len(clientIP) >15  then
               local pos  = string.find(clientIP, ",", 1)
               clientIP = string.sub(clientIP,1,pos-1)
        end

        return clientIP

end

local clientIp = getIp();
--local key = "limit:frequency:login:" ..ngx.var.remote_addr

local function frequency()

    local red = redis:new()
    red:set_timeout(1000)
    local ok, err = red:connect(ip, port)
    if not ok then
        ngx_log(ngx_ERR, "connect to redis error : ", err)
        close_redis(red)
        return
    end
    local res, err = red:auth(password)
    if not res then
        ngx_log(ngx_ERR, "failed to authenticate: ", err)
        close_redis(red)
        return
    end



  local frequency_key = "limit:frequency:login:" ..clientIp
  --得到此客户端IP的频次
  local resp,err = red:get(frequency_key)
  if not resp then
      close_redis(red)
      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end

  if resp == ngx.null then
      red:set(frequency_key, 1)
      red:expire(frequency_key, 60) -- 设置过期时间，即返回403的时间为100秒
  end

  if type(resp) == "string" then
      if tonumber(resp) > 60 then
          close_redis(red)
          local obj = {
            code = 4201,
            msg = "服务繁忙,请稍后再试"
          }
          ngx.header['Content-Type'] = 'application/json; charset=utf-8'
          ngx.say(json.encode(obj))
          return ngx.exit(ngx.HTTP_OK)
        --return ngx.exit(ngx.HTTP_FORBIDDEN)
      end
  end

  ok, err = red:incr(frequency_key)
  if not ok then
      close_redis(red)
      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end
  close_redis(red)
end
frequency()





-- 从redis获取ip黑名单列表
local function get_forbidden_list()
    local red = redis:new()
    red:set_timeout(1000)
    local ok, err = red:connect(ip, port)
    if not ok then
        ngx_log(ngx_ERR, "connect to redis error : ", err)
        close_redis(red)
        return
    end
    local res, err = red:auth(password)
    if not res then
        ngx_log(ngx_ERR, "failed to authenticate: ", err)
        close_redis(red)
        return
    end
    local resp, err = red:smembers("forbidden_list")
    if not resp then
        ngx_log(ngx_ERR, "get redis connect error : ", err)
        close_redis(red)
        return
    end
    -- 得到的数据为空处理
    if resp == ngx.null then
        resp = nil
    end
    close_redis(red)
    return resp
end
-- 刷新黑名单
local function reflush_forbidden_list()
    local current_time = ngx.now()
    local last_update_time = forbidden_list:get("last_update_time");
    if last_update_time == nil or last_update_time < (current_time - cache_idle) then
        local new_forbidden_list = get_forbidden_list();
        if not new_forbidden_list then
            return
        end
        forbidden_list:flush_all()
        for i, forbidden_ip in ipairs(new_forbidden_list) do
            forbidden_list:set(forbidden_ip, true);
        end
        forbidden_list:set("last_update_time", current_time);
    end
end
reflush_forbidden_list()

if forbidden_list:get(clientIp) then
    ngx_log(ngx_INFO, "forbidden ip refused access : ", clientIp)
    local obj = {
          code = 4202,
          msg = "服务繁忙,请稍后再试(code:4202)"
       }

     ngx.header['Content-Type'] = 'application/json; charset=utf-8'
     ngx.say(json.encode(obj))
     return ngx.exit(ngx.HTTP_OK)

    --return ngx_exit(ngx.HTTP_FORBIDDEN)
end

跨域处理

--handle_cors.lua文件
ngx.header["Access-Control-Allow-Origin"] = "*"
ngx.header["Access-Control-Allow-Headers"] = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range, Eid,Uuid,Authorization,Activity-Id,Channel"

if ngx.var.request_method == "OPTIONS" then
    ngx.header["Access-Control-Max-Age"] = "1728000"
    ngx.header["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS, PUT, DELETE"
    ngx.header["Content-Length"] = "0"
    ngx.header['Content-Type'] = 'application/json; charset=utf-8'
end

openresty 动态黑名单和ip频率限制lua脚本

小漠 • 2022 年 09 月 05 日

nginx配置

  location @java {
            
                header_filter_by_lua_file /www/server/nginx/lua/handle_cors.lua;
                if ($request_method = 'OPTIONS') {
                    return 204;
                }
            
              access_by_lua_file /www/server/nginx/lua/access_limit.lua;
            proxy_pass http://java;
        }

--access_limit.lua文件
local json = require("cjson")
local redis = require "resty.redis"
local ngx_log = ngx.log
local ngx_ERR = ngx.ERR
local ngx_INFO = ngx.INFO
local ngx_exit = ngx.exit
local ngx_var = ngx.var

-- 黑名单缓存60秒
local cache_idle = 60
local forbidden_list = ngx.shared.forbidden_list

--redis
local ip = "redis地址"
local port = 6379
local password = "redis密码"




local function close_redis(red)
    if not red then
        return
    end
    -- 释放连接(连接池实现)
    local pool_max_idle_time = 10000 -- 毫秒
    local pool_size = 100  -- 连接池大小
    local ok, err = red:set_keepalive(pool_max_idle_time, pool_size)
    if not ok then
        ngx_log(ngx_ERR, "set redis keepalive error : ", err)
    end
end



local function getIp()
       local headers = ngx.req.get_headers()

       local clientIP = headers["x-forwarded-for"]
        if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
               clientIP = headers["Proxy-Client-IP"]
        end
        if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
               clientIP = headers["WL-Proxy-Client-IP"]
        end
        if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
               clientIP = ngx.var.remote_addr
        end
        -- 对于通过多个代理的情况，第一个IP为客户端真实IP,多个IP按照','分割
        if clientIP ~= nil and string.len(clientIP) >15  then
               local pos  = string.find(clientIP, ",", 1)
               clientIP = string.sub(clientIP,1,pos-1)
        end

        return clientIP

end

local clientIp = getIp();
--local key = "limit:frequency:login:" ..ngx.var.remote_addr

local function frequency()

    local red = redis:new()
    red:set_timeout(1000)
    local ok, err = red:connect(ip, port)
    if not ok then
        ngx_log(ngx_ERR, "connect to redis error : ", err)
        close_redis(red)
        return
    end
    local res, err = red:auth(password)
    if not res then
        ngx_log(ngx_ERR, "failed to authenticate: ", err)
        close_redis(red)
        return
    end



  local frequency_key = "limit:frequency:login:" ..clientIp
  --得到此客户端IP的频次
  local resp,err = red:get(frequency_key)
  if not resp then
      close_redis(red)
      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end

  if resp == ngx.null then
      red:set(frequency_key, 1)
      red:expire(frequency_key, 60) -- 设置过期时间，即返回403的时间为100秒
  end

  if type(resp) == "string" then
      if tonumber(resp) > 60 then
          close_redis(red)
          local obj = {
            code = 4201,
            msg = "服务繁忙,请稍后再试"
          }
          ngx.header['Content-Type'] = 'application/json; charset=utf-8'
          ngx.say(json.encode(obj))
          return ngx.exit(ngx.HTTP_OK)
        --return ngx.exit(ngx.HTTP_FORBIDDEN)
      end
  end

  ok, err = red:incr(frequency_key)
  if not ok then
      close_redis(red)
      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end
  close_redis(red)
end
frequency()





-- 从redis获取ip黑名单列表
local function get_forbidden_list()
    local red = redis:new()
    red:set_timeout(1000)
    local ok, err = red:connect(ip, port)
    if not ok then
        ngx_log(ngx_ERR, "connect to redis error : ", err)
        close_redis(red)
        return
    end
    local res, err = red:auth(password)
    if not res then
        ngx_log(ngx_ERR, "failed to authenticate: ", err)
        close_redis(red)
        return
    end
    local resp, err = red:smembers("forbidden_list")
    if not resp then
        ngx_log(ngx_ERR, "get redis connect error : ", err)
        close_redis(red)
        return
    end
    -- 得到的数据为空处理
    if resp == ngx.null then
        resp = nil
    end
    close_redis(red)
    return resp
end
-- 刷新黑名单
local function reflush_forbidden_list()
    local current_time = ngx.now()
    local last_update_time = forbidden_list:get("last_update_time");
    if last_update_time == nil or last_update_time < (current_time - cache_idle) then
        local new_forbidden_list = get_forbidden_list();
        if not new_forbidden_list then
            return
        end
        forbidden_list:flush_all()
        for i, forbidden_ip in ipairs(new_forbidden_list) do
            forbidden_list:set(forbidden_ip, true);
        end
        forbidden_list:set("last_update_time", current_time);
    end
end
reflush_forbidden_list()

if forbidden_list:get(clientIp) then
    ngx_log(ngx_INFO, "forbidden ip refused access : ", clientIp)
    local obj = {
          code = 4202,
          msg = "服务繁忙,请稍后再试(code:4202)"
       }

     ngx.header['Content-Type'] = 'application/json; charset=utf-8'
     ngx.say(json.encode(obj))
     return ngx.exit(ngx.HTTP_OK)

    --return ngx_exit(ngx.HTTP_FORBIDDEN)
end

跨域处理

--handle_cors.lua文件
ngx.header["Access-Control-Allow-Origin"] = "*"
ngx.header["Access-Control-Allow-Headers"] = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range, Eid,Uuid,Authorization,Activity-Id,Channel"

if ngx.var.request_method == "OPTIONS" then
    ngx.header["Access-Control-Max-Age"] = "1728000"
    ngx.header["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS, PUT, DELETE"
    ngx.header["Content-Length"] = "0"
    ngx.header['Content-Type'] = 'application/json; charset=utf-8'
end

openresty 动态黑名单和ip频率限制lua脚本

发表评论取消回复

docker命令操作

Protobuf 安装

laravel与lumen压力测试

欢迎使用 Typecho

小程序源码反编译

dart sqlite小白教程

Elasticsearch 多种跨机房灾备方案对比

php-fpm和nginx进程数量设定方案

网页动态采集工具puppeteer docker版本

superviord安装

openresty 动态黑名单和ip频率限制lua脚本

发表评论 取消回复

openresty 动态黑名单和ip频率限制lua脚本

发表评论取消回复