• 学派吧-由新云网络独家赞助-https://www.sq9.cn。
> 服务器运维 > unix > nginx Lua Redis防止CC攻击 | centos运维

nginx Lua Redis防止CC攻击 | centos运维

unix admin 6年前 (2018-11-21) 1498次浏览 已收录 0个评论 扫描二维码

Nginx Lua Redis防止CC攻击实现原理:同一个外网IP、同一个网址(ngx.var.request_uri)、同一个客户端(http_user_agent)在某一段时间(CCseconds)内访问某个网址(ngx.var.request_uri)超过指定次数(CCcount),则禁止这个外网IP+同一个客户端(md5(IP+ngx.var.http_user_agent)访问这个网址(ngx.var.request_uri)一段时间(blackseconds)。

该脚本使用lua编写(依赖nginx+lua),将信息写到redis(依赖redis.lua)。

Nginx lua模块安装

重新编译nginx,安装lua模块,或者直接使用《OneinStack》安装OpenResty自带改模块

<ol class="dp-xml" start="1">
<li class="alt">pushd /root/oneinstack/src</li>
<li class="">wget -c http://nginx.org/download/nginx-1.12.1.tar.gz</li>
<li class="alt">wget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2l.tar.gz</li>
<li class="">wget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.41.tar.gz</li>
<li class="alt">wget -c http://luajit.org/download/LuaJIT-2.0.5.tar.gz</li>
<li class="">git clone https://github.com/simpl/ngx_devel_kit.git</li>
<li class="alt">git clone https://github.com/openresty/lua-nginx-module.git</li>
<li class="">tar xzf nginx-1.12.1.tar.gz</li>
<li class="alt">tar xzf openssl-1.0.2l.tar.gz</li>
<li class="">tar xzf pcre-8.41.tar.gz</li>
<li class="alt">tar xzf LuaJIT-2.0.5.tar.gz</li>
<li class="">pushd LuaJIT-2.0.5</li>
<li class="alt">make && make install</li>
<li class="">popd</li>
<li class="alt">pushd nginx-1.12.1</li>
<li class="">./configure <span class="attribute">--prefix</span>=/usr/local/nginx <span class="attribute">--user</span>=<span class="attribute-value">www</span> <span class="attribute">--group</span>=<span class="attribute-value">www</span> --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module <span class="attribute">--with-openssl</span>=../openssl-1.0.2l --<span class="attribute">with-pcre</span>=../pcre-8.41 --with-pcre-jit <span class="attribute">--with-ld-opt</span>=-ljemalloc <span class="attribute">--add-module</span>=../lua-nginx-module <span class="attribute">--add-module</span>=../ngx_devel_kit</li>
<li class="alt">make</li>
<li class="">mv /usr/local/nginx/sbin/nginx{,_bk}</li>
<li class="alt">cp objs/nginx /usr/local/nginx/sbin</li>
<li class="">nginx -t #检查语法</li>

加载redis.lua

  1. mkdir /usr/local/nginx/conf/lua
  2. cd /usr/local/nginx/conf/lua
  3. wget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua

在/usr/local/nginx/conf/nginx.conf http { }中添加:

  1. #the Nginx bundle:
  2. lua_package_path “/usr/local/nginx/conf/lua/redis.lua;;”;

防止CC规则waf.lua

将下面内容保存在/usr/local/nginx/conf/lua/waf.lua

<ol class="dp-xml" start="1">
<li class="alt">local <span class="attribute">get_headers</span> = <span class="attribute-value">ngx</span>.req.get_headers</li>
<li class="">local <span class="attribute">ua</span> = <span class="attribute-value">ngx</span>.var.http_user_agent</li>
<li class="alt">local <span class="attribute">uri</span> = <span class="attribute-value">ngx</span>.var.request_uri</li>
<li class="">local <span class="attribute">url</span> = <span class="attribute-value">ngx</span>.var.host .. uri</li>
<li class="alt">local <span class="attribute">redis</span> = <span class="attribute-value">require</span> 'redis'</li>
<li class="">local <span class="attribute">red</span> = <span class="attribute-value">redis</span>.new()</li>
<li class="alt">local <span class="attribute">CCcount</span> = <span class="attribute-value">20</span></li>
<li class="">local <span class="attribute">CCseconds</span> = <span class="attribute-value">60</span></li>
<li class="alt">local <span class="attribute">RedisIP</span> = <span class="attribute-value">'127.0.0.1'</span></li>
<li class="">local <span class="attribute">RedisPORT</span> = <span class="attribute-value">6379</span></li>
<li class="alt">local <span class="attribute">blackseconds</span> = <span class="attribute-value">7200</span></li>
<li class=""></li>
<li class="alt">if <span class="attribute">ua</span> == nil then</li>
<li class="">    <span class="attribute">ua</span> = <span class="attribute-value">"unknown"</span></li>
<li class="alt">end</li>
<li class=""></li>
<li class="alt">if (<span class="attribute">uri</span> == "/wp-admin.php") then</li>
<li class="">    <span class="attribute">CCcount</span>=<span class="attribute-value">20</span></li>
<li class="alt">    <span class="attribute">CCseconds</span>=<span class="attribute-value">60</span></li>
<li class="">end</li>
<li class="alt"></li>
<li class="">red:set_timeout(100)</li>
<li class="alt">local ok, <span class="attribute">err</span> = <span class="attribute-value">red</span>.connect(red, RedisIP, RedisPORT)</li>
<li class=""></li>
<li class="alt">if ok then</li>
<li class="">    red.connect(red, RedisIP, RedisPORT)</li>
<li class="alt"></li>
<li class="">    function getClientIp()</li>
<li class="alt">        <span class="attribute">IP</span> = <span class="attribute-value">ngx</span>.req.get_headers()["X-Real-IP"]</li>
<li class="">        if <span class="attribute">IP</span> == nil then</li>
<li class="alt">            <span class="attribute">IP</span> = <span class="attribute-value">ngx</span>.req.get_headers()["x_forwarded_for"]</li>
<li class="">        end</li>
<li class="alt">        if <span class="attribute">IP</span> == nil then</li>
<li class="">            <span class="attribute">IP</span>  = <span class="attribute-value">ngx</span>.var.remote_addr</li>
<li class="alt">        end</li>
<li class="">        if <span class="attribute">IP</span> == nil then</li>
<li class="alt">            <span class="attribute">IP</span>  = <span class="attribute-value">"unknown"</span></li>
<li class="">        end</li>
<li class="alt">        return IP</li>
<li class="">    end</li>
<li class="alt"></li>
<li class="">    local <span class="attribute">token</span> = <span class="attribute-value">getClientIp</span>() .. "." .. ngx.md5(url .. ua)</li>
<li class="alt">    local <span class="attribute">req</span> = <span class="attribute-value">red</span>:exists(token)</li>
<li class="">    if <span class="attribute">req</span> == 0 then</li>
<li class="alt">        red:incr(token)</li>
<li class="">        red:expire(token,CCseconds)</li>
<li class="alt">    else</li>
<li class="">        local <span class="attribute">times</span> = <span class="attribute-value">tonumber</span>(red:get(token))</li>
<li class="alt">        if times <span class="tag">></span>= CCcount then</li>
<li class="">            local <span class="attribute">blackReq</span> = <span class="attribute-value">red</span>:exists("black." .. token)</li>
<li class="alt">            if (<span class="attribute">blackReq</span> == 0) then</li>
<li class="">                red:set("black." .. token,1)</li>
<li class="alt">                red:expire("black." .. token,blackseconds)</li>
<li class="">                red:expire(token,blackseconds)</li>
<li class="alt">                ngx.exit(580)</li>
<li class="">            else</li>
<li class="alt">                ngx.exit(580)</li>
<li class="">            end</li>
<li class="alt">            return</li>
<li class="">        else</li>
<li class="alt">            red:incr(token)</li>
<li class="">        end</li>
<li class="alt">    end</li>
<li class="">    return</li>
<li class="alt">end</li>
</ol>

Nginx虚拟主机加载waf.lua

在虚拟主机配置文件/usr/local/nginx/conf/vhost/oneinstack.com.conf

  1. access_by_lua_file “/usr/local/nginx/conf/lua/waf.lua”;

测试

一分钟之内,一个页面快速点击20次以上,登录redis,看到black开通的key即被禁止访问(nginx 503)


欢迎来我们学派吧进行投稿-IDC商-网络开发商 都可以来协商。

学派吧 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:nginx Lua Redis防止CC攻击 | centos运维
喜欢 (0)
[pay@sq9.cn]
分享 (0)
关于作者:
腾讯云-运维运维 QQ 690624
作者主页 赞助作者
发表我的评论
取消评论
表情 贴图 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址