1. Background

In day-to-day website maintenance, a common requirement is to block requests from certain crawlers or malicious users. To do this we need a dynamic IP blacklist: requests from IPs on the blacklist are refused service. This article introduces how Nginx uses Lua+Redis to dynamically block IP addresses.

2. Architecture

There are several ways to implement an IP blacklist:

1. At the operating system level, configure iptables to reject network requests from the specified IP addresses;
2. At the web server level, configure the IP blacklist through Nginx's own deny option or a Lua plug-in;
3. At the application level, check whether the client IP is on the blacklist before the request is served.

To make the blacklist easy to manage and share, we implement it with an Nginx+Lua+Redis architecture. The architecture diagram is as follows:

[Figure: Architecture diagram]

3. Implementation

1. Install Nginx with the Lua module. OpenResty is recommended; it is an Nginx server that integrates various Lua modules:
2. Install and start the Redis server;

3. Configure Nginx, for example:
In this configuration, the Nginx process allocates a 1M shared memory space to cache the IP blacklist, see: https://github.com/openresty/lua-nginx-module#lua_shared_dict

The configuration also specifies the location of the Lua script.

4. Configure the Lua script to regularly fetch the latest IP blacklist from Redis. For the file content, see: https://gist.github.com/Ceelog/39862d297d9c85e743b3b5111b7d44cb
5. Create a new Set named ip_blacklist on the Redis server and add the latest blacklisted IPs to it.

After completing the above steps, reload Nginx and the configuration will take effect. If your IP address is in the blacklist, access will be denied when you request the server.
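An access-phase script for steps 3 to 5, as an added example rather than the linked gist or the article's own code. It assumes OpenResty's bundled lua-resty-redis, a Redis instance at 127.0.0.1:6379, and a hypothetical script path, refresh interval and cache key prefix; it goes beyond the text by letting only one worker refresh at a time and by expiring cached entries instead of flushing the cache.

```lua
-- Added example, not the gist linked above. Assumed nginx.conf wiring:
--   http     { lua_shared_dict ip_blacklist 1m; }
--   location { access_by_lua_file /path/to/ip_blacklist.lua; }  -- hypothetical path
local redis = require "resty.redis"

local REDIS_HOST = "127.0.0.1"    -- assumption: local Redis instance
local REDIS_PORT = 6379
local REDIS_KEY  = "ip_blacklist" -- the Set created in step 5
local REFRESH    = 60             -- seconds between reloads (assumed value)
local ENTRY_TTL  = REFRESH * 3    -- IPs removed from Redis age out of the cache

local cache = ngx.shared.ip_blacklist

local function refresh()
    -- add() is atomic across workers, so only one worker reloads per interval.
    if not cache:add("refresh_lock", true, REFRESH) then return end

    local red = redis:new()
    red:set_timeout(100) -- ms; keeps a slow Redis from stalling requests
    local ok, err = red:connect(REDIS_HOST, REDIS_PORT)
    if not ok then
        ngx.log(ngx.ERR, "ip_blacklist: redis connect failed: ", err)
        return -- cached entries keep working until ENTRY_TTL runs out
    end

    local members, err = red:smembers(REDIS_KEY)
    red:set_keepalive(10000, 10) -- hand the connection back to the pool
    if not members then
        ngx.log(ngx.ERR, "ip_blacklist: SMEMBERS failed: ", err)
        return
    end

    for _, banned_ip in ipairs(members) do
        -- safe_set() refuses to evict live entries when the 1m zone is full.
        local ok, err = cache:safe_set("ip:" .. banned_ip, true, ENTRY_TTL)
        if not ok then
            ngx.log(ngx.ERR, "ip_blacklist: cache full, list truncated: ", err)
            break
        end
    end
end

refresh()

-- remote_addr is the TCP peer; behind a proxy, configure ngx_http_realip_module first.
if cache:get("ip:" .. ngx.var.remote_addr) then
    ngx.log(ngx.WARN, "ip_blacklist: blocked ", ngx.var.remote_addr)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

If Redis stays unreachable for longer than ENTRY_TTL, the cached entries expire and requests are allowed through, so alert on the error log lines above.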
4. Conclusion

The above is the IP blacklist function implemented with Nginx+Lua+Redis. It has the following advantages:

1. Simple, lightweight configuration with almost no impact on server performance;
2. Multiple servers can share one blacklist through a Redis instance;
3. Dynamic configuration: the blacklist in Redis can be set manually or by some automated process.

That is the full content of this article. I hope it is a useful reference for your study or work. If you have any questions, you can leave a message.