Nginx Lua Redis防止CC×××实现原理:同一个外网IP、同一个网址(ngx.var.request_uri)、同一个客户端(http_user_agent)在某一段时间(CCseconds)内访问某个网址(ngx.var.request_uri)超过指定次数(CCcount),则禁止这个外网IP+同一个客户端(md5(IP+ngx.var.http_user_agent)访问这个网址(ngx.var.request_uri)一段时间(blackseconds)。
该脚本使用lua编写(依赖nginx+lua),将信息写到redis(依赖redis.lua)。

nginx重新编译
获取nginx编译参数
  [root@mfs003 ~]# `nginx -V`
      nginx version: nginx/1.12.2  
      built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)  
      built with OpenSSL 1.0.2n  7 Dec 2017
      TLS SNI support enabled
      configure arguments: `--prefix=/usr/local/nginx --user=www --group=www --with-    http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2n --with-pcre=../pcre-8.41 --with-pcre-jit --with-ld-opt=-ljemalloc `


下载对应软件
     [root@mfs003 ~]# mkdir /data/soft
     [root@mfs003 ~]# cd /data/soft   

     [root@mfs003 soft]#  wget -c http://nginx.org/download/nginx-1.12.1.tar.gz

     [root@mfs003 soft]#  wget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2l.tar.gz 
     [root@mfs003 soft]#  wget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.41.tar.gz
     [root@mfs003 soft]#  wget -c http://luajit.org/download/LuaJIT-2.0.5.tar.gz 
     [root@mfs003 soft]#  git clone https://github.com/simpl/ngx_devel_kit.git 
     [root@mfs003 soft]#   git clone https://github.com/openresty/lua-nginx-module.git

解压nginx和打lua补丁

    [root@mfs003 soft]# tar xf nginx-1.12.1.tar.gz  

    [root@mfs003 soft]# tar xzf LuaJIT-2.0.5.tar.gz

    [root@mfs003 soft]# pushd LuaJIT-2.0.5

    [root@mfs003 soft]# make && make install

    [root@mfs003 soft]# popd

    [root@mfs003 soft]# pushd nginx-1.12.1
    [root@mfs003 nginx-1.12.1]#  ./configure  --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2n --with-pcre=../pcre-8.41 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../lua-nginx-module --add-module=../ngx_devel_kit

    [root@mfs003 nginx-1.12.1]#  make   

    [root@mfs003 nginx-1.12.1]#  mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_back  

    [root@mfs003 nginx-1.12.1]#  cp objs/nginx /usr/local/nginx/sbin/nginx

检查nginx语法

    [root@mfs003 nginx-1.12.1]# nginx -t

获取redis.lua文件并下载到conf目录下

    [root@mfs003 nginx-1.12.1]# cd /usr/local/nginx/conf/ 

    [root@mfs003 conf]# wget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua
    [root@mfs003 conf]# vim nginx.conf #在/usr/local/nginx/conf/nginx.conf http { }中添加:
        lua_package_path "/usr/local/nginx/conf/redis.lua";
         nginx通过lua和redis防止CC×××_第1张图片
 

防止CC规则waf.lua

  将下面内容保存在/usr/local/nginx/conf/waf.lua
[root@mfs003 conf]# cat waf.lua

    local get_headers = ngx.req.get_headers
    local ua = ngx.var.http_user_agent
    local uri = ngx.var.request_uri
    local url = ngx.var.host .. uri
    local redis = require 'redis'
    local red = redis.new()
    local CCcount = 20
    local CCseconds = 60
    local RedisIP = '127.0.0.1'
    local RedisPORT = 6379
    local blackseconds = 7200
    if ua == nil then
        ua = "unknown"
    end
    if (uri == "/wp-admin.php") then
        CCcount=20
        CCseconds=60
    end
    red:set_timeout(100)
    local ok, err = red.connect(red, RedisIP, RedisPORT)
    if ok then
        red.connect(red, RedisIP, RedisPORT)
        function getClientIp()
            IP = ngx.req.get_headers()["X-Real-IP"]
            if IP == nil then
                IP = ngx.req.get_headers()["x_forwarded_for"]
            end
            if IP == nil then
                IP  = ngx.var.remote_addr
            end
            if IP == nil then
                IP  = "unknown"
            end
            return IP
        end
        local token = getClientIp() .. "." .. ngx.md5(url .. ua)
        local req = red:exists(token)
        if req == 0 then
            red:incr(token)
            red:expire(token,CCseconds)
        else
            local times = tonumber(red:get(token))
            if times >= CCcount then
                local blackReq = red:exists("black." .. token)
                if (blackReq == 0) then
                    red:set("black." .. token,1)
                    red:expire("black." .. token,blackseconds)
                    red:expire(token,blackseconds)
                    ngx.exit(580)
                else
                    ngx.exit(580)
                end
                return
            else
                red:incr(token)
            end
        end
        return
    end


在虚拟主机里面加载waf.lua文件

nginx通过lua和redis防止CC×××_第2张图片
测试
打开浏览器访问主页   快速点击多次  然后看结果
nginx通过lua和redis防止CC×××_第3张图片