如何通过openresty 限制国外Ip访问

参考代码

https://gitee.com/xiaoyun461/blocking-external-networks

首先 需要的依赖:

libmaxminddb

https://github.com/maxmind/libmaxminddb

maxmind-geoip

https://github.com/Dreamacro/maxmind-geoip

libmaxminddb 需要gcc编译,可用 Dockerfile 里面编译生成so文件,然后复制到 openresty/openresty:centos-rpm 镜像中,然后把 Country.mmdb(Ip数据库) 也复制到镜像中

Dockerfile 如下:

############## 构建 libmaxminddb #####################
FROM gcc:9 AS libmaxminddb-build
ADD lib/libmaxminddb-1.8.0.tar.gz /
WORKDIR /libmaxminddb-1.8.0
RUN ./configure && make && make install && ldconfig -v && ls -f  /usr/local/lib/libmaxminddb*

############## 构建 openresty #####################
FROM openresty/openresty:centos-rpm
ENV TZ Asia/Shanghai
COPY --from=libmaxminddb-build   /usr/local/lib/libmaxminddb.so.0.0.7 /lib64
COPY  geoip/20231212/Country.mmdb /etc/nginx/mmdb/Country.mmdb

RUN  ln -snf /usr/share/zoneinfo/"$TZ" /etc/localtime && echo "$TZ" > /etc/timezone \
     && opm get anjia0532/lua-resty-maxminddb \
     && ln -s /lib64/libmaxminddb.so.0.0.7 /lib64/libmaxminddb.so \
     && ldconfig -v

然后配置lua脚本,OpenResty(也称为 ngx_openresty)是一个基于 Nginx 与 Lua 的高性能 Web 平台,

lua脚本如下:

local function get_client_ip()
    local headers = ngx.req.get_headers()
    local clientIP = headers["x-forwarded-for"]
    if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
        clientIP = headers["Proxy-Client-IP"]
    end
    if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
        clientIP = headers["WL-Proxy-Client-IP"]
    end
    if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
        clientIP = ngx.var.remote_addr
    end
    -- 对于通过多个代理的情况,第一个IP为客户端真实IP,多个IP按照','分割
    if clientIP ~= nil and string.len(clientIP) > 15 then
        local pos = string.find(clientIP, ",", 1)
        clientIP = string.sub(clientIP, 1, pos - 1)
    end
    return clientIP;
end

local function check_cn(ip)
    local geo = require 'resty.maxminddb'
    if not geo.initted() then
        geo.init("/etc/nginx/mmdb/Country.mmdb")
    end
    local res, err = geo.lookup(ip)
    if not res then
        ngx.log(ngx.ERR, ' failed to lookup by ip , reason :', err)
    else
        for k, v in pairs(res) do
            if (k == "country") then
                for key, item in pairs(v) do
                    if (key == "iso_code") then
                        if item == "CN" then
                            ngx.log(ngx.INFO, ' this counrty: ', item)
                            return 1;
                        else
                            ngx.log(ngx.ERR, ' this counrty: ', item)
                            return 0;
                        end
                    end
                end
            end
        end
    end
end



-- 获取nginx 本地缓存
local cache_ngx = ngx.shared.dis_cache;
-- 获取 请求IP
local clientIP = get_client_ip();


--根据IP 获取本地黑名单缓存数据
local banIpCache = cache_ngx:get('ban_ip_' .. clientIP);
if banIpCache == 1 then
    ngx.log(ngx.ERR, "cache_black_ip:", clientIP)
    ngx.exit(403)
else
    -- 判断是否是国外IP, 直接设为黑名单,并且返回403
    local flag = check_cn(clientIP);
    if flag == 0 then
        -- 本地缓存黑名单 时间1小时
        ngx.log(ngx.ERR, "set_local_black_ip:", clientIP)
        cache_ngx:set('ban_ip_' .. clientIP, 1, 60 * 60);
        ngx.exit(403)
    end
end




nginx.conf 配置文件 也要加入 lua脚本校验,以及 增加128M的本地缓存,方便过滤

nginx.conf如下:

pcre_jit on;



#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

error_log  logs/error.log  warn;

#pid        logs/nginx.pid;


worker_processes auto;

events {
    worker_connections  20480;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    # Enables or disables the use of underscores in client request header fields.
    # When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the ignore_invalid_headers directive.
    # underscores_in_headers off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /dev/stdout  main;



#         Log in JSON Format
        log_format nginxlog_json escape=json '{ "timestamp": "$time_local", '
        '"remote_addr": "$remote_addr", '
        '"remote_user": "remote_user", '
         '"body_bytes_sent": $body_bytes_sent, '
         '"request_time": $request_time, '
         '"response_status": $status, '
         '"request": "$request", '
         '"request_method": "$request_method", '
         '"host": "$host",'
         '"upstream_addr": "$upstream_addr",'
         '"upstream_host": "$upstream_http_host",'
         '"upstream_resp_time": "$upstream_response_time",'
         '"http_x_forwarded_for": "$http_x_forwarded_for",'
         '"http_referrer": "$http_referer", '
         '"http_user_agent": "$http_user_agent", '
         '"http_version": "$server_protocol" ';

	map $time_iso8601 $logdate {
        '~^(?\d{4}-\d{2}-\d{2})' $ymd;
        default                       'date-not-found';
    }

    access_log logs/access_json-$logdate.log  nginxlog_json;

    # See Move default writable paths to a dedicated directory (#119)
    # https://github.com/openresty/docker-openresty/issues/119
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path       /var/run/openresty/nginx-proxy;
    fastcgi_temp_path     /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path       /var/run/openresty/nginx-uwsgi;
    scgi_temp_path        /var/run/openresty/nginx-scgi;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    client_max_body_size 150m;

#     lua cache
    lua_shared_dict dis_cache 128m;

    gzip on;
    gzip_static  on;
    gzip_min_length 1k;     # 设置允许压缩的页面最小字节数
    gzip_buffers 4 16k;     # 用来存储 gzip 的压缩结果
    gzip_http_version 1.1;  # 识别 HTTP 协议版本
    gzip_comp_level 2;      # 设置 gzip 的压缩比 1-9。1 压缩比最小但最快,而 9 相反
    gzip_types gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; # 指定压缩类型
    gzip_proxied any;       # 无论后端服务器的 headers 头返回什么信息,都无条件启用压缩

    # 限制国外ip
    access_by_lua_file /etc/nginx/lua/access_limit_open.lua;





    include /etc/nginx/conf.d/*.conf;

}


全部 样例代码 在

https://gitee.com/xiaoyun461/blocking-external-networks

可自行修改

你可能感兴趣的:(openresty,tcp/ip,网络协议)