
How to use Lua for Nginx Redis access control

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces how to use Lua for Nginx and Redis access control, a problem many people run into when working on real cases.

1. Requirements analysis

1. Nginx can handle access control in a variety of ways and achieve a variety of effects, such as restricting by IP range, by requested content, by access frequency and so on.

2. Using Nginx+Lua+Redis for access restriction mainly addresses the need for fast access control in a high-concurrency environment.

3. Nginx processes a request in 11 phases, which are:

post-read, server-rewrite, find-config, rewrite, post-rewrite, preaccess, access, post-access, try-files, content, log.

In openresty, you can find:

set_by_lua, access_by_lua, content_by_lua, rewrite_by_lua and other directives.

So access control belongs in the access phase.

Solution

Thinking it through logically, the access control scheme that comes to mind is as follows:

1. Check whether the client is forbidden. => Yes: check whether the forbidden record has expired: if it has, clear the record, return 200, normal access; if it has not, return 403. => No: return 200, normal access.

2. On each visit, increment the visiting user's access frequency by 1.

3. Check whether the access frequency exceeds the limit. If it does, add a forbidden record and return 403.

This is a simple scheme. You can also elaborate on it, for example by computing the forbidden time with an algorithm so that it grows along a concave curve each time.

Implementation

First, add the vhost configuration file for nginx. The vhost.conf section is as follows:

    lua_package_path "/usr/local/openresty/lualib/?.lua;;";   # tell openresty the library path
    lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
    error_log /usr/local/openresty/nginx/logs/openresty.debug.log debug;

    server {
        listen 8080 default;
        server_name www.ttlsa.com;
        root /www/openresty;

        location /login {
            default_type 'text/html';
            # handle access control through lua
            access_by_lua_file "/usr/local/openresty/nginx/lua/access_by_redis.lua";
        }
    }

access_by_redis.lua

Following the practice of v2ex.com, storing plain strings in Redis is sufficient for this scheme. The keys are:

User login record: user:127.0.0.1:time (unix timestamp)

Access restrictions: block:127.0.0.1

Connect to Redis first:

    local redis = require "resty.redis"   -- lua-resty-redis client
    local M = {}

    local red = redis:new()

    function M:redis()
        red:set_timeout(1000)   -- timeout in milliseconds
        local ok, err = red:connect("127.0.0.1", 6379)
        if not ok then
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
    end

Following our scheme, the next step is to check whether a forbidden record exists. If one is found, check whether it has expired: if it has not expired, return 403; otherwise return 200 directly:

    function M:check1()
        local time = os.time()   -- system time
        local res, err = red:get("block:" .. ngx.var.remote_addr)
        if not res then   -- redis error
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)   -- redis get data error
        end
        if type(res) == "string" then   -- key exists: res is a string (ngx.null otherwise)
            if tonumber(res) >= tonumber(time) then   -- check if forbidden expired
                ngx.exit(ngx.HTTP_FORBIDDEN)
                -- ngx.say("forbidden")
            end
        end
    end

Next, check whether the access frequency is too high; if it is, the client is put on the blacklist.

The way to do this is to check whether the value of user:127.0.0.1:time exceeds the limit:

    function M:check2()
        local time = os.time()   -- system time
        local res, err = red:get("user:" .. ngx.var.remote_addr .. ":" .. time)
        if not res then   -- redis error
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)   -- redis get data error
        end
        if type(res) == "string" then
            if tonumber(res) >= 10 then   -- attack: 10 requests/s
                -- block key uses the same address that check1 reads
                red:del("block:" .. ngx.var.remote_addr)
                red:set("block:" .. ngx.var.remote_addr, tonumber(time) + 5 * 60)   -- set block time
                ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        end
    end

Finally, remember to increment the per-second counter user:127.0.0.1:time on every visit:

    function M:add()
        local time = os.time()   -- system time
        local ok, err = red:incr("user:" .. ngx.var.remote_addr .. ":" .. time)
        if not ok then
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)   -- redis incr error
        end
    end

To test, refresh the browser rapidly a few times; after a short while it returns 403. OK, done.
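The three steps of the scheme assembled into one access_by_redis.lua, as an added example that is not the article's own code. It runs the checks in the scheme's order and clears an expired forbidden record; the TTLs on the counter and block keys and the set_keepalive call are assumptions added here so that keys and connections do not accumulate.

```lua
-- access_by_redis.lua: added example, not the article's own code
local redis = require "resty.redis"
local LIMIT, BLOCK_SECS = 10, 5 * 60   -- the article's 10 requests/s and 5 minutes

-- On a Redis error, log it and fail the request as the article's code does.
local function fail(what, e)
    ngx.log(ngx.ERR, "redis ", what, " failed: ", e)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local red = redis:new()
red:set_timeout(1000)
local ok, err = red:connect("127.0.0.1", 6379)
if not ok then return fail("connect", err) end

-- Assumption: return the connection to the pool before the request ends.
local function finish(status)
    red:set_keepalive(10000, 100)
    if status then return ngx.exit(status) end
end

local now = ngx.time()
local block_key = "block:" .. ngx.var.remote_addr
local count_key = "user:" .. ngx.var.remote_addr .. ":" .. now

-- Step 1: is there a forbidden record, and has it expired?
local res, err = red:get(block_key)
if not res then return fail("get", err) end
if res ~= ngx.null then                       -- ngx.null means no such key
    if (tonumber(res) or 0) >= now then
        return finish(ngx.HTTP_FORBIDDEN)     -- still forbidden
    end
    red:del(block_key)                        -- expired: clear the record
end

-- Step 2: count this visit; INCR returns the new value atomically.
local count, err = red:incr(count_key)
if not count then return fail("incr", err) end
red:expire(count_key, 2)   -- assumption: drop per-second counters after 2 s

-- Step 3: over the limit, add a forbidden record and return 403.
if count >= LIMIT then
    local ok, err = red:set(block_key, now + BLOCK_SECS)
    if not ok then return fail("set", err) end
    red:expire(block_key, BLOCK_SECS)         -- assumption: TTL as a backstop
    return finish(ngx.HTTP_FORBIDDEN)
end
finish()   -- under the limit: let the request continue
```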
