How to configure blacklist or whitelist function for Nginx server

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to configure a blacklist or whitelist for an Nginx server. Many people run into this problem in practice, so the editor walks you through how to handle it; read carefully and you should come away with something useful.

I. Defining a blacklist or whitelist:

1. Configuration format

The directive that sets up the storage space for a keyword blacklist or whitelist file:

white_black_list_conf conf/white.list zone=white:2m;
|                     |                    |    |
|                     |                    |    +-- size of the storage space (2m here); it determines how many entries the list can hold
|                     |                    +------- name of the storage space (zone)
|                     +---------------------------- path of the blacklist or whitelist file
+-------------------------------------------------- configuration directive

2. The configuration keyword is white_black_list_conf.

3. It can only be used inside http {}.

4. white_black_list_conf may appear several times, as long as each zone=value uses a different name.

5. Example configuration:

http {
    ...
    white_black_list_conf conf/white.list zone=white:4m;
    white_black_list_conf conf/black.list zone=black:4m;
    ...
    server {
        ...
    }
    ...
}

II. Scope of action of a blacklist or whitelist

1. Configuration format

The keyword is followed by on/off.

The keywords white_list and black_list enable a whitelist and a blacklist, respectively.

2. They can be used inside http {}, server {} and location {}. The function is disabled by default.

3. Example configuration:

http {
    ...
    white_black_list_conf conf/white.list zone=white1:4m;
    white_black_list_conf conf/black.list zone=black1:4m;
    white_list white1 on;    # whitelist white1 is enabled throughout http {}
    black_list black1 on;    # blacklist black1 is enabled throughout http {}
    server {
        ...
    }
    ...
}

http {
    ...
    white_black_list_conf conf/white.list zone=white2:4m;
    white_black_list_conf conf/black.list zone=black2:4m;
    server {
        ...
        white_list white2 on;    # whitelist white2 is enabled throughout server {}
        black_list black2 on;    # blacklist black2 is enabled throughout server {}
        ...
    }
    ...
}

http {
    ...
    white_black_list_conf conf/white.list zone=white3:4m;
    white_black_list_conf conf/black.list zone=black3:4m;
    white_black_list_conf conf/black.list zone=black2:4m;
    white_black_list_conf conf/white.list zone=white2:4m;
    server {
        ...
        location /do {
            ...
            white_list white3 on;    # whitelist white3 is enabled only in location /do {}
            black_list black3 on;    # blacklist black3 is enabled only in location /do {}
            ...
        }
        location /do1 {
            white_list white2 on;    # whitelist white2 is enabled only in location /do1 {}
            black_list black2 on;    # blacklist black2 is enabled only in location /do1 {}
            ...
        }
        ...
    }
    ...
}

4. HTTP configuration API description:

(1) Configuring the interface

http {
    ...
    server {
        ...
        location /sec_config {
            sec_config on;
        }
        ...
    }
    ...
}

(2) Usage:

A. http://xxx/sec_config lists the defined blacklists and whitelists.

The returned result is as follows

{
    "version": "nginx/1.3.0",
    "code": "0",
    "item": {"conf_type": "white_black_list_conf", "zone_name": "white", "list_path": "/home/john/nginx/conf/white.list"},
    "item": {"conf_type": "white_black_list_conf", "zone_name": "black", "list_path": "/home/john/nginx/conf/black.list"},
    "item": {"conf_type": "white_black_list_conf", "zone_name": "ex", "list_path": "/home/john/nginx/conf/status_ex"}
}

B. http://xxx/sec_config?zone_name=white shows the contents of the list_path whose zone_name is white.

C. http://xxx/sec_config?zone_name=white&add_item=192.168.141.23 adds 192.168.141.23 to the zone named white.

D. http://xxx/sec_config?zone_name=white&delete_item=192.168.141.23 deletes 192.168.141.23 from the zone named white.

Viewing method 2:

http://xxx/sec_config?for_each
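The /sec_config endpoints above add and delete list entries through plain GET requests, so whoever can reach that location can edit the lists. The following added example (not part of the original article or of the module) shows one way to confine the endpoint with nginx's standard allow/deny directives; sec_config on is the module's own directive as shown on this page, and 192.0.2.10 is a placeholder administrator address from the documentation range.

```nginx
http {
    server {
        # Management endpoint of the white/black list module
        location /sec_config {
            sec_config on;

            # Added hardening: only the local host and one trusted admin host
            # may call the list-editing API; every other client gets 403.
            allow 127.0.0.1;
            allow 192.0.2.10;   # placeholder admin host, replace with your own
            deny  all;
        }
    }
}
```

With this in place a request such as http://xxx/sec_config?zone_name=white&add_item=... from any other address is rejected before the module sees it, and the rejection shows up in the access log as a 403, which is easy to alert on.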

III. Contents of the blacklist and whitelist files

The content of the conf/black.list file is as follows:

2.2.2.2
192.168.141.1
3.3.3.3
4.4.4.5
2.3.4.4
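The list file is simply one IPv4 address per line, and a single mistyped entry can silently reduce the list's coverage after a reload. The following added example (not part of the article or of the module) loads a file in that layout, reports entries that do not parse, answers whether a client address is listed, and writes the list back out in file layout. The sample file text is constructed here; the assumption that comment lines and blank lines are tolerated is this loader's own, not a guarantee of the module.

```python
import ipaddress

# Constructed sample of a conf/black.list file in the one-address-per-line
# layout the article shows; the addresses and the bad lines are made up here.
SAMPLE_BLACK_LIST = """\
2.2.2.2
192.168.141.1
3.3.3.3
4.4.4.5
2.3.4.4
# comment line (assumption: the real module may not accept comments)

2.2.2.2
not-an-ip
"""


def load_ip_list(text):
    """Parse list-file text into a set of IPv4Address objects.

    Returns (addresses, rejected): `rejected` holds (line_no, text) pairs that
    did not parse, so a typo can be caught before the list is reloaded.
    Duplicate entries collapse into the set.
    """
    addresses = set()
    rejected = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addresses.add(ipaddress.IPv4Address(entry))
        except ValueError:  # AddressValueError is a ValueError
            rejected.append((line_no, entry))
    return addresses, rejected


def is_listed(addresses, client_ip):
    """True if client_ip is in the loaded list; malformed input never matches."""
    try:
        return ipaddress.IPv4Address(client_ip) in addresses
    except ValueError:
        return False


def render_ip_list(addresses):
    """Write the list back in file layout: one address per line, sorted numerically."""
    return "".join(f"{ip}\n" for ip in sorted(addresses))


if __name__ == "__main__":
    addrs, bad = load_ip_list(SAMPLE_BLACK_LIST)
    print(render_ip_list(addrs), end="")
    for line_no, text in bad:
        print(f"line {line_no}: rejected {text!r}")
    print("2.3.4.4 listed:", is_listed(addrs, "2.3.4.4"))
```

Running the module-managed file through load_ip_list before an nginx reload (for example from the same cron job that fetches it) turns a silent typo into a visible rejected line.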

IV. Dynamic blacklist

To use this feature, you must patch ngx_http_limit_req_module.c:

In ngx_http_limit_req_module.c

Add #include

Then find the following code:

    if (rc == NGX_BUSY) {
        ngx_log_error(lrcf->limit_log_level, r->connection->log, 0,
                      "limiting requests, excess: %ui.%03ui by zone \"%V\"",
                      excess / 1000, excess % 1000,
                      &limit->shm_zone->shm.name);

and add the following call directly below it:

    ngx_black_add_item_interface(r, 1);

Configuration keyword:

dyn_black

Format:

dyn_black $zone_name time

For example:

dyn_black black 60;    # deny access for 60 seconds; the entry is removed automatically after 60 seconds

Note: black_list must be configured.

Example configuration:

http {
    ...
    white_black_list_conf conf/black.list zone=black:4m;
    limit_req_zone $binary_remote_addr zone=one:8m rate=4r/s;
    ...
    server {
        location / {
            black_list black on;
            limit_req zone=one burst=6;
            dyn_black black 60;    # deny access for 60 seconds, then remove automatically
            ...
        }
        location /xxx {
            sec_config on;
        }
        ...
    }
    ...
}
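The dynamic blacklist chains two mechanisms: limit_req rejects a client that exceeds rate=4r/s plus burst=6, the patched NGX_BUSY branch then adds that client to the black zone, and dyn_black drops the entry again after 60 seconds. The following added example (constructed for this article, not nginx's or the module's code) models that chain with a simplified leaky-bucket limiter and a TTL blacklist so the interaction can be traced offline; LeakyBucketLimiter, DynamicBlacklist and simulate are names chosen here, and the traffic is made up.

```python
class LeakyBucketLimiter:
    """Simplified model of limit_req: `rate` requests/second, `burst` requests of slack.

    Constructed illustration, not nginx's code: per client it keeps an "excess"
    counter that drains at `rate` per second and grows by one per request; a
    request that pushes the excess above `burst` is rejected (nginx's NGX_BUSY).
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.state = {}  # client -> (excess, last_seen)

    def allow(self, client, now):
        if client not in self.state:
            # the first request from a client is always admitted
            self.state[client] = (0.0, now)
            return True
        excess, last = self.state[client]
        excess = max(excess - (now - last) * self.rate, 0.0) + 1.0
        self.state[client] = (excess, now)
        return excess <= self.burst


class DynamicBlacklist:
    """Model of dyn_black: a rejected client is blocked for `ttl` seconds, after
    which the entry lapses on its own, as the article describes for `dyn_black black 60`."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expires = {}  # client -> time at which the block ends

    def add(self, client, now):
        self.expires[client] = now + self.ttl

    def is_blocked(self, client, now):
        until = self.expires.get(client)
        if until is None:
            return False
        if now >= until:
            del self.expires[client]  # automatic removal after the timeout
            return False
        return True


def simulate(events, rate=4, burst=6, ttl=60):
    """Run (client, timestamp) events, sorted by time, through the gate.

    Order mirrors the example configuration: black_list is consulted first,
    then limit_req; a limited request feeds the dynamic blacklist (the point
    where the patch calls ngx_black_add_item_interface(r, 1)).
    Returns one of "ok", "limited" or "blocked" per event.
    """
    limiter = LeakyBucketLimiter(rate, burst)
    dyn = DynamicBlacklist(ttl)
    outcomes = []
    for client, now in events:
        if dyn.is_blocked(client, now):
            outcomes.append("blocked")
        elif limiter.allow(client, now):
            outcomes.append("ok")
        else:
            dyn.add(client, now)
            outcomes.append("limited")
    return outcomes


# Constructed traffic: client A bursts 9 requests at t=0, retries at t=59 and
# t=60; client B sends one request at t=0 and is unaffected.
SAMPLE_EVENTS = [("A", 0.0)] * 9 + [("B", 0.0), ("A", 59.0), ("A", 60.0)]

if __name__ == "__main__":
    for (client, t), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:5.1f} {client}: {verdict}")
```

The trace shows the practical consequence of the configuration: with burst=6 the eighth request in a burst is the first one limited, every further request from that client is answered by the blacklist rather than by the limiter for the next 60 seconds, and at t=60 the client is admitted again because its bucket has drained in the meantime.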

PS: ngx_lua_waf, a firewall based on lua-nginx-module

Project address: https://github.com/loveshell/ngx_lua_waf?utm_source=tuicool&utm_medium=referral

Recommended installation:

It is recommended to use LuaJIT 2.1 for Lua support.

For ngx_lua 0.9.2 or above, it is recommended to change the regular-expression filtering function to ngx.re.find, which improves matching efficiency roughly threefold.

Instructions for use:

The nginx installation path is assumed to be /usr/local/nginx/conf/

Download ngx_lua_waf into the conf directory, unpack it and rename the directory to waf.

Add the following to the http section of nginx.conf:

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Configure the WAF rule directory in config.lua (usually under the waf/conf/ directory):

RulePath = "/usr/local/nginx/conf/waf/wafconf/"

If the absolute path differs on your system, adjust it accordingly.

Then restart nginx.

The configuration file details:

RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- directory holding the regular-expression rules
attacklog = "off"
-- whether to record attack information; logdir must be configured for this
logdir = "/usr/local/nginx/logs/hack/"
-- log directory; the user must create it and it must be writable by the nginx user
UrlDeny = "on"
-- whether to block malicious url access
Redirect = "on"
-- whether to redirect after interception
CookieMatch = "on"
-- whether to block cookie attacks
postMatch = "on"
-- whether to block post attacks
whiteModule = "on"
-- whether to enable the url whitelist
ipWhitelist = {"127.0.0.1"}
-- ip whitelist; separate multiple ips with commas
ipBlocklist = {"1.0.0.1"}
-- ip blacklist; separate multiple ips with commas
CCDeny = "on"
-- whether to block cc attacks (requires "lua_shared_dict limit 10m;" in the http section of nginx.conf)
CCrate = "100/60"
-- cc attack threshold as requests/seconds
-- by default the same ip may request the same address only 100 times per minute
html = [[please go away~~]]
-- warning content; customise the text inside the double square brackets

Note: leave the double quotation marks untouched; the setting names are case sensitive.

Checking whether the rules are in force

After deployment, you can try the following command:

curl 'http://xxxx/test.php?id=../etc/passwd'

If the words "please go away~~" are returned, the rule is in effect.

Note: by default the local machine is on the whitelist and is not filtered; adjust config.lua as needed.

Rule updates:

Because of regular-expression caching, dynamically loaded rules would hurt performance, so shared-memory dictionaries and redis are not used for dynamic rule management for the time being.

For rule updates, the rule files can be kept on another server, fetched periodically by a crontab task, and applied with an nginx reload. This keeps ngx_lua_waf's performance high.

To record filter logs only, without blocking, comment out the check call in waf.lua; to enable blocking, do the reverse.

Some instructions:

The filter rules under wafconf can be adjusted as needed. Each rule goes on its own line, or rules are separated with |.

global is the globally applied rule file; its rules filter both post and get requests.

get contains rules that filter only get requests.

post contains rules that filter only post requests.

whitelist is the url whitelist; urls matching it are not filtered.

user-agent contains the filtering rules for the user-agent header.

get and post filtering are enabled by default. To enable cookie filtering, edit waf.lua and remove the -- comment markers from the relevant section.

The log file name format is: <virtual hostname>_sec.log
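To make the rule-file layout and check order above concrete, the following added example (constructed for this article, not ngx_lua_waf's code) loads a small set of wafconf-style files, one regular expression per line, and classifies requests in the order the article describes: whitelisted urls are never filtered, then user-agent, global, get-only and post-only rules are tried. The rule patterns, the RULE_FILES / inspect names and the sample requests are all made up here; the first sample request is the article's own smoke test.

```python
import re

# Constructed rule files in the wafconf layout the article describes (one
# regular expression per line; alternatives may also be joined with "|").
# Illustrative patterns only, not the project's shipped rule set.
RULE_FILES = {
    "global": r"""
\.\./
""",
    "get": r"""
(?i)\bselect\b.+\bfrom\b
(?i)<script
""",
    "post": r"""
(?i)\bunion\s+select\b
""",
    "whitelist": r"""
^/healthz$
^/static/
""",
    "user-agent": r"""
(?i)evil-scanner|bad-crawler
""",
}


def load_rules(text):
    """Compile one regex per non-empty, non-comment line of a rule file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(re.compile(line))
    return rules


def first_match(rules, value):
    """Pattern of the first rule that matches `value`, or None."""
    for rule in rules:
        if rule.search(value):
            return rule.pattern
    return None


def inspect(request, rulesets):
    """Classify a request as ("allow", reason) or ("deny", reason).

    Check order follows the article: a whitelisted url is never filtered;
    then user-agent, global (applies to get and post data), get-only and
    post-only rules are tried in turn.
    """
    uri = request["uri"]
    query = request.get("query", "")
    body = request.get("body", "")
    if first_match(rulesets["whitelist"], uri):
        return "allow", "url whitelisted"
    hit = first_match(rulesets["user-agent"], request.get("user_agent", ""))
    if hit:
        return "deny", f"user-agent rule {hit}"
    for field in (uri + "?" + query, body):  # global rules cover both get and post data
        hit = first_match(rulesets["global"], field)
        if hit:
            return "deny", f"global rule {hit}"
    hit = first_match(rulesets["get"], query)
    if hit:
        return "deny", f"get rule {hit}"
    if request["method"] == "POST":
        hit = first_match(rulesets["post"], body)
        if hit:
            return "deny", f"post rule {hit}"
    return "allow", "no rule matched"


RULESETS = {name: load_rules(text) for name, text in RULE_FILES.items()}

# Constructed requests; the first one is the article's own smoke test.
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "/test.php", "query": "id=../etc/passwd"},
    {"method": "GET", "uri": "/static/app.js", "query": "v=../etc/passwd"},
    {"method": "GET", "uri": "/", "query": "q=hello", "user_agent": "Mozilla/5.0"},
    {"method": "POST", "uri": "/login", "body": "user=a&pw=' UNION SELECT 1"},
    {"method": "GET", "uri": "/", "query": "id=1 union select 2"},
    {"method": "GET", "uri": "/", "query": "", "user_agent": "evil-scanner/1.0"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["uri"], inspect(req, RULESETS))
```

Two points the output makes visible: a whitelisted url path bypasses every other check, including global rules, so whitelist entries should be as narrow as possible; and a rule placed in the post file does not protect the same payload arriving in a get query string, which is why the article's global file exists.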

This concludes "how to configure blacklist or whitelist function for Nginx server". Thank you for reading.
