openresty+lua+redis把非正常访问的域名加入黑名单

一、验证lua geoIp2是否缺少依赖

1、执行命令

/usr/local/openresty/bin/opm get anjia0532/lua-resty-maxminddb

执行安装命令报错,缺少Digest/MD5依赖

2、Digest/MD5依赖

yum -y install perl-Digest-MD5

GeoIP2 lua库依赖动态库安装，lua库依赖libmaxminddb实现对mmdb的高效访问

二、安装libmaxminddb数据库

cd /data/file/
wget https://github.com/maxmind/libmaxminddb/releases/download/1.12.2/libmaxminddb-1.12.2.tar.gz
tar -zxf libmaxminddb-1.12.2.tar.gz
cd libmaxminddb-1.12.2
./configure
make && make installsh -c "echo /usr/local/lib  >> /etc/ld.so.conf.d/local.conf"
ldconfig

三、编写操作geoIp的lua脚本

--引入Redis
local redis = require "resty.redis";
--引入rsa
local rsa = require "resty.rsa";
--引入maxminddb库
local geo=require 'resty.maxminddb';
--Redis链接ip
local ip = "192.168.0.145"
--Redis链接端口
local port = 6379
--Redis连接密码
local pass = "aa123456"
--鉴权Redis
local function connAuth()local red = redis:new();local connCount, err = red:connect(ip, port);if not connCount thenngx.say("failed to connect: ", err)close_redis(red)returnendred:set_timeouts(2000);local ok, err = red:auth(pass)if not ok thenngx.say("failed to auth: ", err)close_redis(red)returnendreturn red
end--关闭Redis
local function close_redis(red)if not red thenreturnend--释放连接(连接池实现)local pool_max_idle_time = 10000local pool_size = 100local ok, err = red:set_keepalive(pool_max_idle_time, pool_size)if not ok thenngx.say("set keepalive error : ", err)end
end--获取请求者IP
local function getIp()local clientIP = ngx.req.get_headers()["X-Real-IP"]if clientIP == nil thenclientIP = ngx.req.get_headers()["x_forwarded_for"]endif clientIP == nil thenclientIP = ngx.var.remote_addrendreturn clientIP
end
--获取用户访问IP
local clientIP = getIp();
--封禁token时间（秒）
local token_block_time= 120
--指定token访问频率计数最大值（次）
local token_max_count = 3--如果数据为空的情况下
local function is_empty(value)if type(value) == "table" thenreturn next(value) == nilelseif type(value) == "string" thenreturn #value == 0elseif type(value) == "nil" thenreturn trueendreturn false
end--过滤特殊字符串(只保留字母与数字,字母不区分大小写)
local function filter_special_chars(s)local ss = {}local k = 1while true doif k > #s then break endlocal c = string.byte(s,k)if not c then break endif c<192 thenif (c>=48 and c<=57) or (c>= 65 and c<=90) or (c>=97 and c<=122) thentable.insert(ss, string.char(c))endk = k + 1endendreturn table.concat(ss)
endif not geo.initted() thengeo.init("/usr/share/GeoIP/GeoLite2-Country.mmdb")
end--如果头部信息没有指定的参数或是指定参数的值无法解析,加入IP黑名单
--如果同样的头部参数键在封禁token时间内连续访问指定token访问频率计数最大值次以上,加入IP黑名单
local function set_blacklist()local header = ngx.req.get_headers();local red = connAuth();-- 检测iplocal res,err=geo.lookup(clientIP)if not res thenlocal res, err =  red:sismember('black-list', clientIP);if res ~= 1 thenred:sadd('black-list', clientIP)endclose_redis(red)return ngx.exit(401)elsefor k,v in pairs(res) do--只获取国家if(k == "country") then--获取国家编码for key,item in pairs(v) doif (key=="iso_code" and "CN" ~= item) thenlocal res, err =  red:sismember('black-list', clientIP);if res ~= 1 thenred:sadd('black-list', clientIP)endclose_redis(red)return ngx.exit(401)endendendendend
end-- 查看是否在黑名单里面
local function get_blacklist()local red = connAuth();local res, err =  red:sismember('black-list', clientIP);if res == 1 thenclose_redis(red);return ngx.exit(401);endclose_redis(red);
endget_blacklist();
set_blacklist();

四、nginx域名配置引用

location / {access_by_lua_file /data/wwwroot/rsa-redis.lua;try_files $uri $uri/ /index.html;}

在你需要应用的地方加上就行