nginx ip黑名单动态封禁的例子

  cd LuaJIT-2.0.5  make  make install PREFIX=/usr/local/luajit

  export LUAJIT_LIB=/usr/local/luajit/lib  export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1     ./configure --prefix=/nginx   --with-ld-opt="-Wl,-rpath,/usr/local/luajit/lib"   --add-module=/opt/ngx_devel_kit-0.3.1rc1   --add-module=/opt/lua-nginx-module-0.10.14rc3     make -j2  make install  ln -s /nginx/sbin/nginx /usr/sbin/nginx

  http {    server_tokens off;    lua_package_path "/usr/local/lib/lua/?.lua;;";    lua_shared_dict ip_blacklist 4m;  }     server {    set $real_ip $remote_addr;    if ( $http_x_forwarded_for ~ "^(d+.d+.d+.d+)" ) {      set $real_ip $1;    }       # 管理信息，访问该URL可以查看nginx中的IP黑名单信息    location /get-ipblacklist-info {      access_by_lua_file conf/lua/get_ipblacklist_info.lua;    }       # 同步URL，通过定时任务调用该URL,实现IP黑名单从mysql到nginx的定时刷新    location /sync-ipblacklist {     access_by_lua_file conf/lua/sync_ipblacklist.lua;    }       # 生产域名配置，所有需要IP黑名单控制的location，都要包含以下语句    location / {     access_by_lua_file conf/lua/check_realip.lua;    }     }  

  * * * * * /usr/bin/curl -o /dev/null -s http://127.0.0.1/sync-ipblacklist > /dev/null 2>&1

  local mysql_host = "ip of mysql server"  local mysql_port = 3306  local database = "dbname"  local username = "user"  local password = "password"     -- update ip_blacklist from mysql once every cache_ttl seconds  local cache_ttl  = 1  local mysql_connection_timeout = 1000     local client_ip  = ngx.var.real_ip  local ip_blacklist  = ngx.shared.ip_blacklist  local last_update_time = ip_blacklist:get("last_update_time");     if last_update_time == nil or last_update_time < ( ngx.now() - cache_ttl ) then      local mysql = require "resty.mysql";   local red = mysql:new();      red:set_timeout(mysql_connect_timeout);      local ok, err, errcode, sqlstate = red:connect{       host = mysql_host,       port = mysql_port,       database = database,       user = username,       password = password,       charset = "utf8",       max_packet_size = 1024 * 1024,      }   if not ok then   ngx.log(ngx.ERR, "mysql connection error while retrieving ip_blacklist: " .. err);   else   new_ip_blacklist, err, errcode, sqlstate = red:query("select ip_addr from ip_blacklist where status = 0 order by create_time desc limit 10000", 100)   if not new_ip_blacklist then    ngx.log(ngx.ERR, "bad result. errcode: " .. errcode .. " sqlstate: " .. sqlstate .. " err: " .. err);    return   end      ip_blacklist:flush_all();   for k1, v1 in pairs(new_ip_blacklist) do    for k2, v2 in pairs(v1) do    ip_blacklist:set(v2,true);    end   end      ip_blacklist:set("last_update_time", ngx.now());   end  end     ngx.say("sync successful");  

  -- 调用URL查看黑名单信息  -- 1万IP消耗不到1.5M ngx.shared内存  -- 获取所有KEY会堵塞别的正常请求对ngx.shared内存的访问，因此只能取少数key展示  require "resty.core.shdict"  ngx.say("total space: " .. ngx.shared.ip_blacklist:capacity() .. "<br/>");  ngx.say("free space: " .. ngx.shared.ip_blacklist:free_space() .. "<br/>");  ngx.say("last update time: " .. os.date("%Y%m%d_%H:%M:%S",ngx.shared.ip_blacklist:get("last_update_time")) .. "<br/>");  ngx.say("first 100 keys: <br/>");  ngx.say("--------------------------<br/>");  ip_blacklist = ngx.shared.ip_blacklist:get_keys(100);  for key, value in pairs(ip_blacklist) do   ngx.say(key .. ": " .. value .. "<br/>");  end

  if ngx.shared.ip_blacklist:get(ngx.var.real_ip) then   return ngx.exit(ngx.HTTP_FORBIDDEN);  end

  CREATE TABLE `ip_blacklist` (   `id` int(11) NOT NULL AUTO_INCREMENT,   `ip_addr` varchar(15) COLLATE utf8mb4_bin DEFAULT NULL,   `status` int(11) DEFAULT '0' COMMENT '0: valid 有效, 1: invalid 失效',   `effective_hour` decimal(11,2) DEFAULT '24' COMMENT '有效期，单位：小时',   `ip_source` varchar(255) COLLATE utf8mb4_bin DEFAULT NULL COMMENT '黑名单来源',   `create_time` datetime DEFAULT CURRENT_TIMESTAMP,   `modify_time` datetime DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,   `remark` varchar(255) COLLATE utf8mb4_bin DEFAULT NULL COMMENT '备注',   PRIMARY KEY (`id`)  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin;        CREATE PROCEDURE proc_ip_blacklist_status_update()  -- 将过期的IP状态改为失效  begin    update ip_blacklist   set status=1   where date_add(create_time,INTERVAL effective_hour hour) < now();   commit;  end;        CREATE EVENT job_ip_blacklist_status_update  ON SCHEDULE EVERY 1 MINUTE  ON COMPLETION PRESERVE  ENABLE  DO  call proc_ip_blacklist_status_update();