
Nginx Lua Redis prevents CC attacks


How the Nginx + Lua + Redis scheme prevents CC attacks: if the same public IP, using the same client (http_user_agent), requests the same URL (ngx.var.request_uri) more than a set number of times (CCcount) within a set period (CCseconds), that IP plus client (keyed as md5(IP + ngx.var.http_user_agent)) is refused access to that URL (ngx.var.request_uri) for a period of time (blackseconds).

The script is written in Lua (it requires nginx built with the Lua module) and stores its counters in Redis (through redis.lua from lua-resty-redis).

Nginx lua module installation

Either recompile nginx with the Lua module, or install OpenResty with OneinStack, which supports the module natively.

  pushd /root/oneinstack/src
  wget -c http://nginx.org/download/nginx-1.10.3.tar.gz
  wget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2k.tar.gz
  wget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.39.tar.gz
  wget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
  git clone https://github.com/simpl/ngx_devel_kit.git
  git clone https://github.com/openresty/lua-nginx-module.git
  tar xzf nginx-1.10.3.tar.gz
  tar xzf openssl-1.0.2k.tar.gz
  tar xzf pcre-8.39.tar.gz
  tar xzf LuaJIT-2.0.4.tar.gz
  pushd LuaJIT-2.0.4
  make && make install
  popd
  # LuaJIT 2.0.4 installs under /usr/local; lua-nginx-module's configure reads these two variables to find it
  export LUAJIT_LIB=/usr/local/lib
  export LUAJIT_INC=/usr/local/include/luajit-2.0
  pushd nginx-1.10.3
  # ngx_devel_kit is listed before lua-nginx-module, which depends on it
  ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2k --with-pcre=../pcre-8.39 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../ngx_devel_kit --add-module=../lua-nginx-module
  make
  mv /usr/local/nginx/sbin/nginx{,_bk}   # keep the old binary as a fallback
  cp objs/nginx /usr/local/nginx/sbin
  nginx -t   # check the configuration syntax with the new binary

Load redis.lua

  mkdir /usr/local/nginx/conf/lua
  cd /usr/local/nginx/conf/lua
  wget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua

Add the following inside the http {} block of /usr/local/nginx/conf/nginx.conf:

  # search path for require() in Lua scripts; the trailing ";;" keeps the default path
  lua_package_path "/usr/local/nginx/conf/lua/redis.lua;;";

CC-prevention rule: waf.lua

Save the following content as /usr/local/nginx/conf/lua/waf.lua:

  local get_headers = ngx.req.get_headers
  local ua = ngx.var.http_user_agent
  local uri = ngx.var.request_uri
  local url = ngx.var.host .. uri
  local redis = require 'redis'
  local red = redis.new()
  local CCcount = 20           -- requests allowed per window
  local CCseconds = 60         -- window length in seconds
  local RedisIP = '127.0.0.1'
  local RedisPORT = 6379
  local blackseconds = 7200    -- how long an offending IP+client stays blocked
  if ua == nil then
      ua = "unknown"
  end
  -- per-URL override of the limit (same values as the defaults here)
  if (uri == "/wp-admin.php") then
      CCcount = 20
      CCseconds = 60
  end
  red:set_timeout(100)         -- milliseconds, so a slow Redis does not stall every request
  local ok, err = red:connect(RedisIP, RedisPORT)
  if ok then
      -- client address: proxy headers first, then the TCP peer address
      -- (the headers are client-supplied unless a trusted proxy in front sets them)
      local function getClientIp()
          local headers = get_headers()
          local IP = headers["X-Real-IP"]
          if IP == nil then
              IP = headers["x_forwarded_for"]
          end
          if IP == nil then
              IP = ngx.var.remote_addr
          end
          if IP == nil then
              IP = "unknown"
          end
          return IP
      end
      -- counter key: IP plus a hash of the URL and User-Agent
      local token = getClientIp() .. "." .. ngx.md5(url .. ua)
      local req = red:exists(token)
      if req == 0 then
          -- first hit in this window: start the counter and its expiry
          red:incr(token)
          red:expire(token, CCseconds)
      else
          local times = tonumber(red:get(token))
          if times >= CCcount then
              -- limit reached: blacklist the client (if not already) and refuse the request
              local blackReq = red:exists("black." .. token)
              if (blackReq == 0) then
                  red:set("black." .. token, 1)
                  red:expire("black." .. token, blackseconds)
                  red:expire(token, blackseconds)
              end
              ngx.exit(503)
              return
          else
              red:incr(token)
          end
      end
      return
  end
  -- Redis unreachable: the request is allowed through (the check fails open)
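To make the counting and blacklisting logic of waf.lua (and the principle described at the top of the page) concrete, here is an added Python model of it; it is not the page's Lua and not part of lua-resty-redis, and it runs against an in-memory stand-in for the five Redis commands the script uses. It goes beyond waf.lua in two places a defender will want: the counter is created with INCR and given its TTL only on the hit that created it, which closes the EXISTS-then-INCR race, and X-Real-IP / X-Forwarded-For are honoured only when the connection comes from an address in TRUSTED_PROXIES (an assumed set), because otherwise the client picks its own counter key. The FakeRedis and FakeClock classes, and every address and header value, are constructed for this example.

```python
import hashlib
import time


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting (constructed for the example)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeRedis:
    """In-memory stand-in for EXISTS, GET, SET, INCR and EXPIRE (constructed for the example)."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}  # key -> [value, expires_at or None]

    def _live(self, key):
        entry = self._data.get(key)
        if entry is not None and entry[1] is not None and self._clock() >= entry[1]:
            del self._data[key]  # lazy expiry, as Redis would have dropped it
            return None
        return entry

    def exists(self, key):
        return 1 if self._live(key) is not None else 0

    def get(self, key):
        entry = self._live(key)
        return None if entry is None else entry[0]

    def set(self, key, value):
        self._data[key] = [str(value), None]

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            entry = self._data[key] = ["0", None]
        entry[0] = str(int(entry[0]) + 1)
        return int(entry[0])

    def expire(self, key, seconds):
        entry = self._live(key)
        if entry is None:
            return 0
        entry[1] = self._clock() + seconds
        return 1


# Assumed addresses of reverse proxies you control; only they may set the client-IP headers.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Same lookup order as waf.lua, but proxy headers count only when the TCP peer is a
    trusted proxy. With nginx facing the internet directly, a client could send a different
    X-Real-IP on every request and get a fresh counter each time."""
    if remote_addr in trusted_proxies:
        real_ip = headers.get("X-Real-IP")
        if real_ip:
            return real_ip
        forwarded = headers.get("X-Forwarded-For")
        if forwarded:
            return forwarded.split(",")[0].strip()  # first hop is the original client
    return remote_addr or "unknown"


def cc_check(red, remote_addr, headers, host, uri,
             cc_count=20, cc_seconds=60, black_seconds=7200):
    """Fixed-window counter plus blacklist, as in waf.lua.
    Returns 503 when the request must be refused, None when it may proceed."""
    ua = headers.get("User-Agent") or "unknown"
    token = client_ip(remote_addr, headers) + "." + hashlib.md5((host + uri + ua).encode()).hexdigest()
    black = "black." + token
    if red.exists(black):
        return 503
    # INCR first; set the TTL only on the call that created the key. Two concurrent first
    # requests can then no longer both see "key absent" and leave a counter with no expiry.
    times = red.incr(token)
    if times == 1:
        red.expire(token, cc_seconds)
    if times > cc_count:  # more than cc_count hits inside the window
        red.set(black, 1)
        red.expire(black, black_seconds)
        red.expire(token, black_seconds)
        return 503
    return None


if __name__ == "__main__":
    red = FakeRedis(FakeClock())
    hdrs = {"User-Agent": "example-agent"}
    codes = [cc_check(red, "203.0.113.7", hdrs, "example.com", "/wp-login.php") for _ in range(21)]
    print(codes[:20].count(None), "requests allowed; request 21 ->", codes[20])
```

The threshold is `times > cc_count` rather than `>=` so that exactly CCcount requests pass and the next one is refused, which is what "more than CCcount times" in the description means; waf.lua reaches the same count because it reads the counter before incrementing.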

Nginx virtual host loads waf.lua

In the virtual host configuration file /usr/local/nginx/conf/vhost/oneinstack.com.conf, add inside the server {} block:

  access_by_lua_file "/usr/local/nginx/conf/lua/waf.lua";

Test

Request the same page more than 20 times within one minute. Logging in to Redis then shows the black.* key for that client, and further requests to the page are refused (nginx returns 503).

Reprint: Nginx Lua Redis Prevents CC Attacks | Linux O&M Notes
