nginx + lua 접근 제한


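--- Per-client access limiting for nginx (OpenResty), backed by Redis.
-- Checks, in order: whitelist, blacklist, a long-window counter kept under
-- 'ip_forum_edittopic:<ip>', an active ban, and a short-window request rate.
-- Over-limit clients are redirected to a verification service; blacklisted
-- clients get 403.
--
-- The script fails OPEN: if Redis is unreachable the request is allowed
-- through, as in the original. Monitor the error log so an outage of the
-- limiter does not go unnoticed.
--
-- All keys are derived from ngx.var.remote_addr. Behind a reverse proxy or
-- CDN this is the proxy's address unless the realip module is configured
-- with an explicit list of trusted proxies; otherwise one noisy client can
-- get every user behind that proxy banned.
local redis = require 'resty.redis'

-- Long-window counter: more than this many requests per 12h => verification.
local FORUM_EDIT_LIMIT = 80
local FORUM_EDIT_WINDOW = 43200 -- 12h
-- Short-window rate limit: connect_count requests within ip_time_out seconds.
local ip_time_out = 60
local connect_count = 45
-- First ban lasts this long; each further ban is lengthened (see incrby).
local INITIAL_BAN_TIME = 300
local BAN_TIME_MEMORY = 43200 -- 12h
-- NOTE(review): a loopback URL sends the *client* to its own machine; this
-- looks like a development placeholder for the verification service.
local VERIFY_URL = 'http://127.0.0.1:5000/'

--- Decide what to do with the current request.
-- Never calls ngx.exit/ngx.redirect itself, so the caller can release the
-- Redis connection before the request is terminated.
-- Redis errors (nil replies) are treated as "no data" and never raise.
-- @param cache connected resty.redis object
-- @param ip client address used as the key suffix
-- @return 'allow', 'forbid' or 'verify'
local function decide(cache, ip)
  if cache:sismember('whitelist', ip) == 1 then
    return 'allow'
  end

  if cache:sismember('blacklist', ip) == 1 then
    return 'forbid'
  end

  -- Long-window counter. SETEX creates the key and its TTL in one command,
  -- so a failed EXPIRE can no longer leave a counter that never resets.
  local edit_key = 'ip_forum_edittopic:' .. ip
  local edits = cache:get(edit_key)
  if edits == ngx.null then
    cache:setex(edit_key, FORUM_EDIT_WINDOW, 1)
    edits = 1
  end
  edits = tonumber(edits) -- nil on a Redis error or a non-numeric value
  if edits and edits > FORUM_EDIT_LIMIT then
    return 'verify'
  end
  cache:incr(edit_key)

  -- Ban duration for this client; remembered for 12h.
  local ban_time_key = 'ip_ban_time:' .. ip
  local ip_ban_time = tonumber((cache:get(ban_time_key)))
  if not ip_ban_time then
    ip_ban_time = INITIAL_BAN_TIME
    cache:setex(ban_time_key, BAN_TIME_MEMORY, ip_ban_time)
  end

  -- Currently banned clients go straight to verification.
  if tonumber((cache:get('ban:' .. ip))) == 1 then
    return 'verify'
  end

  -- Short-window rate limit.
  local now = ngx.time()
  local start_time = tonumber((cache:get('time:' .. ip)))
  if not start_time or now - start_time > ip_time_out then
    -- Start a new window. The TTL (twice the window) only garbage-collects
    -- idle clients' keys; the window itself is still decided by the
    -- comparison above, so limiting behaviour is unchanged.
    cache:setex('time:' .. ip, ip_time_out * 2, now)
    cache:setex('count:' .. ip, ip_time_out * 2, 1)
    return 'allow'
  end

  -- Use the value returned by INCR rather than GET-then-add: it is atomic
  -- and cannot fail on a missing key (the original did arithmetic on
  -- ngx.null in that case, aborting the request with an error).
  local ip_count = cache:incr('count:' .. ip)
  -- Daily statistics: clients seen more than once within a window.
  cache:sadd('statistic_total_ip:' .. os.date('%x'), ip)

  if type(ip_count) == 'number' and ip_count >= connect_count then
    -- Ban with its TTL set atomically, so a failed EXPIRE cannot turn a
    -- temporary ban into a permanent one.
    cache:setex('ban:' .. ip, ip_ban_time, 1)
    -- Lengthen the next ban for repeat offenders.
    cache:incrby(ban_time_key, ip_ban_time)
    -- Daily statistics: banned clients.
    cache:sadd('statistic_ban_ip:' .. os.date('%x'), ip)
  end

  return 'allow'
end

local cache, new_err = redis.new()
if not cache then
  ngx.log(ngx.ERR, 'access limit: cannot create redis object: ', new_err)
  return
end

-- The timeout must be set before connect() to cover the connect itself.
-- NOTE(review): 60s is very long for the access phase; a stalled Redis would
-- hold every request for up to a minute. Consider a value of ~1s.
cache:set_timeout(60000)

local ok, err = cache:connect('127.0.0.1', '6379')
if not ok then
  ngx.log(ngx.ERR, 'access limit: redis connect failed, allowing request: ', err)
  return
end

local action = decide(cache, ngx.var.remote_addr)

-- Release the connection BEFORE ngx.exit/ngx.redirect: those calls end the
-- handler, so any cleanup placed after them is never reached.
cache:close()

if action == 'forbid' then
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

if action == 'verify' then
  -- The original URL is passed along so the verification service can send
  -- the client back. It is built from the request's Host header, which the
  -- client controls: the verification service must check the decoded target
  -- against its own list of allowed hosts before redirecting to it.
  local source = ngx.encode_base64(ngx.var.scheme .. '://' ..
    ngx.var.host .. ':' .. ngx.var.server_port .. ngx.var.request_uri)
  -- Base64 may contain '+', '/' and '=', which are not safe in a query
  -- string ('+' is commonly decoded as a space), so escape it.
  local dest = VERIFY_URL .. '?continue=' .. ngx.escape_uri(source)
  return ngx.redirect(dest, 302)
end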
