如果是第一次看这个文章,可以先看下这篇openresty介绍性的文章:Openresty概述介绍
有些时候在你配置nginx的时候可能需要做一些黑名单拦截的操作,设置黑名单,拦截存在这个黑名单中的url,使用openresty很方便,使用lua代码在access_by_lua*的过程中添加过滤代码即可实现,实现这个功能需要以下几步操作。
- 编写lua脚本文件,实现lua拦截
- 添加依赖库源文件到lualib目录
- 拷贝lua代码文件到路径
- 修改nginx.conf文件,引入黑名单拦截代码
1、编写lua脚本文件
lua脚本文件只要是获取每次请求的url地址,然后再根据黑名单的数据库中的黑名单进行匹配,存在则将请求拦截,并返回禁止访问的信息。
lua脚本文件如下:名字命为access.lua
local iputils = require("resty.iputils")
local cjson = require "cjson"
iputils.enable_lrucache()
local blacklist_ips = {
"127.0.0.1",
"10.10.10.0/24",
"192.168.0.0/16",
}
local retdata = {
code=ngx.HTTP_FORBIDDEN,
message="黑名单禁止访问",
data={}
}
local blacklist = iputils.parse_cidrs(blacklist_ips)
if iputils.ip_in_cidrs(ngx.var.remote_addr, blacklist) then
ngx.status = ngx.HTTP_FORBIDDEN
ngx.header["Content-type"] = 'application/json'
local output = cjson.encode(retdata)
ngx.say(output)
return ngx.exit(0)
end
从上面的代码可以看到,我们用到了一个外部库,叫iputils,我们把它require进来,然后使用它来做黑名单筛选,其实在这个地方稍微改一下代码,也可以做白名单的限制,大家应该已经明白了;然后就是代码里面是写死的一个白名单,这个只是我目前的一个教程,你可以通过其他方式获取,比如说通过一个变量,然后这个变量可以通过定时任务通过http请求或者啥获取最新的黑名单来更新这个变量。定时任务一般通过下面的操作方法进行:
--延时5秒设置
local delay = 5
--每隔5秒定时执行handle_fun这个函数
ok,err=ngx.timer.every(delay, handle_fun)
2、添加依赖库源文件
如果使用上面的代码执行的时候报找不到模块iputils的话,将文件iputils.lua文件拷贝到路径/usr/local/openresty/lualib/resty下面,iputils.lua文件内容如下:
local ipairs, tonumber, tostring, type = ipairs, tonumber, tostring, type
local bit = require("bit")
local lshift = bit.lshift
local band = bit.band
local bor = bit.bor
local xor = bit.bxor
local byte = string.byte
local str_find = string.find
local str_sub = string.sub
local lrucache = nil
local _M = {
_VERSION = '0.3.0',
}
local mt = { __index = _M }
-- Precompute binary subnet masks...
local bin_masks = {}
for i=0,32 do
bin_masks[tostring(i)] = lshift((2^i)-1, 32-i)
end
-- ... and their inverted counterparts
local bin_inverted_masks = {}
for i=0,32 do
local i = tostring(i)
bin_inverted_masks[i] = xor(bin_masks[i], bin_masks["32"])
end
local log_err
if ngx then
log_err = function(...)
ngx.log(ngx.ERR, ...)
end
else
log_err = function(...)
print(...)
end
end
local function enable_lrucache(size)
local size = size or 4000 -- Cache the last 4000 IPs (~1MB memory) by default
local lrucache_obj, err = require("resty.lrucache").new(size)
if not lrucache_obj then
return nil, "failed to create the cache: " .. (err or "unknown")
end
lrucache = lrucache_obj
return true
end
_M.enable_lrucache = enable_lrucache
local function split_octets(input)
local pos = 0
local prev = 0
local octs = {}
for i=1, 4 do
pos = str_find(input, ".", prev, true)
if pos then
if i == 4 then
-- Should not have a match after 4 octets
return nil, "Invalid IP"
end
octs[i] = str_sub(input, prev, pos-1)
elseif i == 4 then
-- Last octet, get everything to the end
octs[i] = str_sub(input, prev, -1)
break
else
return nil, "Invalid IP"
end
prev = pos +1
end
return octs
end
local function unsign(bin)
if bin < 0 then
return 4294967296 + bin
end
return bin
end
local function ip2bin(ip)
if lrucache then
local get = lrucache:get(ip)
if get then
return get[1], get[2]
end
end
if type(ip) ~= "string" then
return nil, "IP must be a string"
end
local octets = split_octets(ip)
if not octets or #octets ~= 4 then
return nil, "Invalid IP"
end
-- Return the binary representation of an IP and a table of binary octets
local bin_octets = {}
local bin_ip = 0
for i,octet in ipairs(octets) do
local bin_octet = tonumber(octet)
if not bin_octet or bin_octet < 0 or bin_octet > 255 then
return nil, "Invalid octet: "..tostring(octet)
end
bin_octets[i] = bin_octet
bin_ip = bor(lshift(bin_octet, 8*(4-i) ), bin_ip)
end
bin_ip = unsign(bin_ip)
if lrucache then
lrucache:set(ip, {bin_ip, bin_octets})
end
return bin_ip, bin_octets
end
_M.ip2bin = ip2bin
local function split_cidr(input)
local pos = str_find(input, "/", 0, true)
if not pos then
return {input}
end
return {str_sub(input, 1, pos-1), str_sub(input, pos+1, -1)}
end
local function parse_cidr(cidr)
local mask_split = split_cidr(cidr, '/')
local net = mask_split[1]
local mask = mask_split[2] or "32"
local mask_num = tonumber(mask)
if not mask_num or (mask_num > 32 or mask_num < 0) then
return nil, "Invalid prefix: /"..tostring(mask)
end
local bin_net, err = ip2bin(net) -- Convert IP to binary
if not bin_net then
return nil, err
end
local bin_mask = bin_masks[mask] -- Get masks
local bin_inv_mask = bin_inverted_masks[mask]
local lower = band(bin_net, bin_mask) -- Network address
local upper = bor(lower, bin_inv_mask) -- Broadcast address
return unsign(lower), unsign(upper)
end
_M.parse_cidr = parse_cidr
local function parse_cidrs(cidrs)
local out = {}
local i = 1
for _,cidr in ipairs(cidrs) do
local lower, upper = parse_cidr(cidr)
if not lower then
log_err("Error parsing '", cidr, "': ", upper)
else
out[i] = {lower, upper}
i = i+1
end
end
return out
end
_M.parse_cidrs = parse_cidrs
local function ip_in_cidrs(ip, cidrs)
local bin_ip, bin_octets = ip2bin(ip)
if not bin_ip then
return nil, bin_octets
end
for _,cidr in ipairs(cidrs) do
if bin_ip >= cidr[1] and bin_ip <= cidr[2] then
return true
end
end
return false
end
_M.ip_in_cidrs = ip_in_cidrs
local function binip_in_cidrs(bin_ip_ngx, cidrs)
if 4 ~= #bin_ip_ngx then
return false, "invalid IP address"
end
local bin_ip = 0
for i=1,4 do
bin_ip = bor(lshift(bin_ip, 8), byte(bin_ip_ngx, i))
end
bin_ip = unsign(bin_ip)
for _,cidr in ipairs(cidrs) do
if bin_ip >= cidr[1] and bin_ip <= cidr[2] then
return true
end
end
return false
end
_M.binip_in_cidrs = binip_in_cidrs
return _M
3、拷贝lua代码文件到路径
拷贝access.lua文件到路径/usr/local/openresty/nginx/lua/
4、修改nginx.conf文件
修改nginx.conf文件,引入黑名单拦截代码,修改nginx.conf文件内容如下:
#user nobody;
worker_processes 1;
error_log logs/error.log error;
error_log logs/error.log notice;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# access_log logs/access.log main;
# error_log logs/error.log error;
lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/lua/?.lua;";
lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
proxy_connect_timeout 3s;
#gzip on;
# HTTPS server
server {
listen 80;
server_name localhost;
location / {
access_by_lua_file lua/access.lua;
#设置代理目的url变量
proxy_pass https://127.0.0.1;
}
}
}
lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/lua/?.lua;";
和
access_by_lua_file lua/access.lua;
第一句是添加lua代码的路径,第二句代码是指定所有请求都会经过access.lua文件,在里面做黑名单操作,过滤到有一样的ip地址,黑名单拦截功能就会生效,返回给请求者错误码和禁止访问的错误信息。