
openresty如何禁止海外ip访问

        前几天,我有一个徒弟问我,如何禁止海外IP访问他的网站系统?操作系统采用的是CentOS 7.9,发布服务采用的是OpenResty。他通过日志发现,有很多类似以下的访问记录:

{"host":"172.30.7.95","clientip":"122.189.224.120","size":1818,"responsetime":2025-05-27T14:28:53,"http_host":"www.pingan.com","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"199.204.97.58","size":154,"responsetime":2025-05-27T14:29:01,"http_host":"_","url":"-","agent":"-","country_code":"US","country_name":"United States","city_name":"-","status":"400"}
{"host":"172.30.7.95","clientip":"122.189.224.28","size":1818,"responsetime":2025-05-27T14:29:16,"http_host":"lsw-fast.lenovo.com.cn","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"204.76.203.219","size":1818,"responsetime":2025-05-27T14:29:22,"http_host":"116.62.152.21","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46","country_code":"NL","country_name":"The Netherlands","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"43.133.253.253","size":1818,"responsetime":2025-05-27T14:28:48,"http_host":"www.anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1","country_code":"KR","country_name":"South Korea","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"43.133.253.253","size":1818,"responsetime":2025-05-27T14:28:48,"http_host":"www.anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1","country_code":"KR","country_name":"South Korea","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"42.83.147.54","size":587,"responsetime":2025-05-27T14:33:12,"http_host":"anxundata.com","url":"/index.html","agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/74.0.3729.169 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"200"}
{"host":"172.30.7.95","clientip":"45.82.255.188","size":1818,"responsetime":2025-05-27T14:36:35,"http_host":"anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36","country_code":"CY","country_name":"Cyprus","city_name":"-","status":"401"}

        我看过数据之后,直接给出了答案:使用geoip2模块配合GeoLite2的IP库进行匹配,对海外IP禁止访问就行。下面就是geoip2模块与GeoLite2的IP库的安装步骤(以下步骤基于OpenResty已经安装成功的前提)。

一、增加依赖

# Build-time dependencies: libmaxminddb is what ngx_http_geoip2_module links
# against; the legacy GeoIP headers are needed because the configure line below
# also enables --with-http_geoip_module.
# NOTE(review): on CentOS 7 these packages are usually provided by EPEL — confirm
# that repository is enabled before running this.
yum -y install libmaxminddb-devel geoip-devel

二、geoip2模块安装

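# Fetch and unpack the geoip2 module source.
# wget names the download after the last URL segment ("3.4.tar.gz") unless told
# otherwise, so the tar line below would not find the file; -O pins the name.
# Verify the archive against the upstream release checksum/signature before
# building it into the server binary (no checksum is given on this page).
wget -O ngx_http_geoip2_module-3.4.tar.gz https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/3.4.tar.gz
tar -zxf ngx_http_geoip2_module-3.4.tar.gz
# Move (not copy) the unpacked tree to the path passed to --add-module.
mv ngx_http_geoip2_module-3.4/ /usr/local/src/ngx_http_geoip2_module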

三、下载及安装GeoLite2的ip库

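# The archive is not downloaded by this page: GeoLite2-Country_<date>.tar.gz has
# to be obtained from MaxMind beforehand (the build shown here is 20250523).
tar -zxf GeoLite2-Country_20250523.tar.gz
# Make sure the target directory exists; the geoip2 directive in nginx.conf
# reads the database from exactly this path.
mkdir -p /usr/share/GeoIP
# Moved by path instead of cd + mv so the shell does not stay inside the
# extracted directory (the next step, ./configure, must run elsewhere).
# When refreshing the database later, replace the file with a single mv so the
# 60-minute auto_reload in nginx.conf never reads a partially written file.
mv GeoLite2-Country_20250523/GeoLite2-Country.mmdb /usr/share/GeoIP/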

四、重新编译openresty

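# Run from the OpenResty source tree that built the current install (that is
# where ./configure lives); compare the options with the running binary's
# `nginx -V` output first so nothing it depends on is dropped.
# The original command passed both --with-http_geoip_module=dynamic and
# --with-http_geoip_module; nginx's configure keeps the last one seen (static
# build), so only that form is kept here. The legacy geoip module is not used
# by the config below — country lookups come from geoip2 (--add-module).
./configure --prefix=/usr/local/openresty \
  --with-threads \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_xslt_module=dynamic \
  --with-http_image_filter_module=dynamic \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_auth_request_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_degradation_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --with-stream_ssl_module \
  --with-stream_realip_module \
  --with-stream_geoip_module=dynamic \
  --with-stream_ssl_preread_module \
  --with-compat \
  --with-pcre-jit \
  --with-stream \
  --with-http_geoip_module \
  --add-module=/usr/local/src/ngx_http_geoip2_module
# `gmake install` overwrites the installed binary in place; running workers keep
# the old code until nginx is restarted, so validate the new config (nginx -t)
# before restarting.
gmake && gmake install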

五、修改nginx主配置

vi /usr/local/openresty/nginx/conf/nginx.conf  # main config; the listing below is its full content — keep a backup of the current file first
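user www;
worker_processes 2;
worker_cpu_affinity auto;
error_log /data/nginx/error.log;
worker_rlimit_nofile 65535;
pid  /data/nginx/nginx.pid;

events {
    worker_connections  10240;
    use epoll;
    multi_accept on;
}

http {
    include       mime.types;

    # GeoLite2 lookup of the connecting address ($remote_addr). If a load
    # balancer, CDN or reverse proxy sits in front of this host, every client
    # resolves to the proxy's country. The realip module is compiled in (see the
    # configure line), so in that case set_real_ip_from / real_ip_header must be
    # configured for the trusted proxy only — never honour X-Forwarded-For from
    # arbitrary clients, or the country check can be spoofed.
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        auto_reload 60m;                              # re-read the database every 60 minutes
        $geoip2_data_country_code country iso_code;   # ISO country code of the client IP
        $geoip2_data_country_name country names en;   # country name (English)
        # The Country database installed above has no city data, so this stays
        # empty (the sample records above log it as "-"); it needs GeoLite2-City.
        $geoip2_data_city_name city names;
    }

    default_type  application/octet-stream;

    map $time_iso8601 $logdate {
        '~^(?<ymd>\\d{4}-\\d{2}-\\d{2})' $ymd;
        default                       'date-not-found';
    }
    map $time_iso8601 $request_times {
        '~^(?<ymdhms>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2})' $ymdhms;
        default                       'date-not-found';
    }

    # Country allow-list. Everything not listed is denied — including addresses
    # with no database entry (private/LAN ranges, loopback), whose code is empty
    # and therefore falls through to default, so health checks from such ranges
    # are blocked as well unless they are handled elsewhere.
    map $geoip2_data_country_code $allowed_country {
        default no;   # deny by default
        CN yes;       # only China is allowed
    }

    # escape=json makes the client-controlled fields ($http_user_agent, $uri,
    # $host) safe to emit as JSON: without it a crafted User-Agent containing a
    # quote breaks the record or injects fake fields into the log line.
    # "responsetime" is quoted because its value is an ISO timestamp (the
    # unquoted form in the sample records above is not valid JSON); despite the
    # key name it is a timestamp, not a duration ($request_time would be that).
    log_format access-upstream escape=json '{"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":"$request_times",'
        '"http_host":"$host",'
        '"url":"$uri",'
        '"agent":"$http_user_agent",'
        '"country_code":"$geoip2_data_country_code",'
        '"country_name":"$geoip2_data_country_name",'
        '"city_name":"$geoip2_data_city_name",'
        '"status":"$status"}';

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 512;

    # NOTE(review): 1000s keepalive/send/proxy/fastcgi timeouts combined with a
    # 1024m body limit let one slow client occupy a worker connection for a very
    # long time; tighten these unless the site really needs them.
    keepalive_timeout  1000s;
    client_header_timeout 15s;
    client_body_timeout 15s;
    send_timeout 1000s;
    # NOTE(review): the cache directory is the same one that holds error.log and
    # nginx.pid; the cache loader treats every file under it as a cache entry and
    # may remove what it cannot parse — a dedicated subdirectory is safer.
    proxy_cache_path /data/nginx levels=1:2 keys_zone=nginx-cache:20m max_size=50g inactive=168h;
    client_body_buffer_size 512k;
    client_header_buffer_size 256k;
    client_max_body_size 1024m;
    large_client_header_buffers 2 8k;
    proxy_connect_timeout 1000s;
    proxy_send_timeout 1000s;
    proxy_read_timeout 1000s;
    proxy_buffer_size 128k;
    proxy_buffers 8 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;
    fastcgi_intercept_errors on;
    fastcgi_ignore_client_abort on;
    fastcgi_connect_timeout 1000s;
    fastcgi_send_timeout 1000s;
    fastcgi_read_timeout 1000s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 32k;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on;
    gzip_disable "MSIE [1-6].";
    include vhost/*.conf;
}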

六、修改具体域名配置

location / {
    # Geo gate: $allowed_country comes from the map in nginx.conf (yes for CN,
    # no for everything else, including addresses with no database entry).
    # NOTE(review): this guards only requests that land in this location; any
    # other location block in the same server (static paths, API prefixes) is
    # not covered — placing the if at server level would close that gap.
    # 401 is what the sample logs show being served as /401.html, so an
    # error_page for it presumably exists elsewhere; note that 401 normally
    # signals missing credentials, while 403 is the conventional code for a
    # policy denial.
    if ($allowed_country = no) {
        return 401;
    }
    index /data/wwwroot/index.html;
}

下一期将带来openresty+lua+redis把非正常访问的域名加入黑名单
