https://wiki.linuxsa.org/index.php?action=history&feed=atom&title=Nginx_Lua_Redis%E9%98%B2%E6%AD%A2CC%E6%94%BB%E5%87%BB
Nginx Lua Redis防止CC攻击 - 版本历史
2026-04-23T09:30:18Z
本wiki上该页面的版本历史
MediaWiki 1.43.1
https://wiki.linuxsa.org/index.php?title=Nginx_Lua_Redis%E9%98%B2%E6%AD%A2CC%E6%94%BB%E5%87%BB&diff=733&oldid=prev
Evan:导入1个版本
2019-10-14T13:52:28Z
<p>导入1个版本</p>
<p><b>新页面</b></p><div>=原理=<br />
Nginx Lua Redis防止CC攻击实现原理:同一个外网IP、同一个网址(ngx.var.request_uri)、同一个客户端(http_user_agent)在某一段时间(CCseconds)内访问某个网址(ngx.var.request_uri)超过指定次数(CCcount),则禁止这个外网IP+同一个客户端(md5(IP+ngx.var.http_user_agent)访问这个网址(ngx.var.request_uri)一段时间(blackseconds)。<br />
<br />
该脚本使用lua编写(依赖nginx+lua),将信息写到redis(依赖redis.lua)。<br />
<br />
<br />
=Nginx lua模块安装=<br />
重新编译nginx,安装lua模块,或者直接使用《OneinStack》安装OpenResty自带改模块<br />
<br />
<pre><br />
pushd /root/oneinstack/src<br />
wget -c http://nginx.org/download/nginx-1.12.1.tar.gz<br />
wget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2l.tar.gz<br />
wget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.41.tar.gz<br />
wget -c http://luajit.org/download/LuaJIT-2.0.5.tar.gz<br />
git clone https://github.com/simpl/ngx_devel_kit.git<br />
git clone https://github.com/openresty/lua-nginx-module.git<br />
tar xzf nginx-1.12.1.tar.gz<br />
tar xzf openssl-1.0.2l.tar.gz<br />
tar xzf pcre-8.41.tar.gz<br />
tar xzf LuaJIT-2.0.5.tar.gz<br />
pushd LuaJIT-2.0.5<br />
make && make install<br />
popd<br />
pushd nginx-1.12.1<br />
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2l --with-pcre=../pcre-8.41 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../lua-nginx-module --add-module=../ngx_devel_kit<br />
make<br />
mv /usr/local/nginx/sbin/nginx{,_bk}<br />
cp objs/nginx /usr/local/nginx/sbin<br />
nginx -t #检查语法<br />
</pre><br />
<br />
加载redis.lua<br />
<pre>mkdir /usr/local/nginx/conf/lua<br />
cd /usr/local/nginx/conf/lua<br />
wget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua</pre><br />
<br />
在/usr/local/nginx/conf/nginx.conf http { }中添加:<br />
<br />
the Nginx bundle:<br />
lua_package_path "/usr/local/nginx/conf/lua/redis.lua;;";<br />
<br />
防止CC规则waf.lua<br />
<pre>#将下面内容保存在/usr/local/nginx/conf/lua/waf.lua<br />
<br />
local get_headers = ngx.req.get_headers<br />
local ua = ngx.var.http_user_agent<br />
local uri = ngx.var.request_uri<br />
local url = ngx.var.host .. uri<br />
local redis = require 'redis'<br />
local red = redis.new()<br />
local CCcount = 20<br />
local CCseconds = 60<br />
local RedisIP = '127.0.0.1'<br />
local RedisPORT = 6379<br />
local blackseconds = 7200<br />
if ua == nil then<br />
ua = "unknown"<br />
end<br />
if (uri == "/wp-admin.php") then<br />
CCcount=20<br />
CCseconds=60<br />
end<br />
red:set_timeout(100)<br />
local ok, err = red.connect(red, RedisIP, RedisPORT)<br />
if ok then<br />
red.connect(red, RedisIP, RedisPORT)<br />
function getClientIp()<br />
IP = ngx.req.get_headers()["X-Real-IP"]<br />
if IP == nil then<br />
IP = ngx.req.get_headers()["x_forwarded_for"]<br />
end<br />
if IP == nil then<br />
IP = ngx.var.remote_addr<br />
end<br />
if IP == nil then<br />
IP = "unknown"<br />
end<br />
return IP<br />
end<br />
local token = getClientIp() .. "." .. ngx.md5(url .. ua)<br />
local req = red:exists(token)<br />
if req == 0 then<br />
red:incr(token)<br />
red:expire(token,CCseconds)<br />
else<br />
local times = tonumber(red:get(token))<br />
if times >= CCcount then<br />
local blackReq = red:exists("black." .. token)<br />
if (blackReq == 0) then<br />
red:set("black." .. token,1)<br />
red:expire("black." .. token,blackseconds)<br />
red:expire(token,blackseconds)<br />
ngx.exit(580)<br />
else<br />
ngx.exit(580)<br />
end<br />
return<br />
else<br />
red:incr(token)<br />
end<br />
end<br />
return<br />
end</pre><br />
<br />
<br />
Nginx虚拟主机加载waf.lua<br />
在虚拟主机配置文件/usr/local/nginx/conf/vhost/oneinstack.com.conf<br />
<br />
access_by_lua_file "/usr/local/nginx/conf/lua/waf.lua";<br />
<br />
=测试=<br />
<br />
=see also=<br />
[https://blog.linuxeye.cn/453.html Nginx Lua Redis防止CC攻击]<br />
<br />
[[category:ops]] [[category:nginx]]</div>
Evan