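This script is written in Lua (it requires nginx with the Lua module) and writes its state to Redis (it requires redis.lua).
Installing the Nginx Lua module
Recompile nginx with the Lua module: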
```bash
pushd /root/oneinstack/src
wget -c http://nginx.org/download/nginx-1.10.3.tar.gz
wget -c http://mirrors.linuxeye.com/oneinstack/src/openssl-1.0.2k.tar.gz
wget -c http://mirrors.linuxeye.com/oneinstack/src/pcre-8.39.tar.gz
wget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
git clone https://github.com/simpl/ngx_devel_kit.git
git clone https://github.com/openresty/lua-nginx-module.git
tar xzf nginx-1.10.3.tar.gz
tar xzf openssl-1.0.2k.tar.gz
tar xzf pcre-8.39.tar.gz
tar xzf LuaJIT-2.0.4.tar.gz
pushd LuaJIT-2.0.4
make && make install
popd
# lua-nginx-module's configure step locates LuaJIT through these variables
# (paths assume LuaJIT's default /usr/local install prefix)
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
pushd nginx-1.10.3
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2k --with-pcre=../pcre-8.39 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../lua-nginx-module --add-module=../ngx_devel_kit
make
# Keep the old binary as nginx_bk, then install the new one
mv /usr/local/nginx/sbin/nginx{,_bk}
cp objs/nginx /usr/local/nginx/sbin
nginx -t  # check the configuration syntax
```
Loading redis.lua
```bash
mkdir /usr/local/nginx/conf/lua
cd /usr/local/nginx/conf/lua
wget https://github.com/openresty/lua-resty-redis/raw/master/lib/resty/redis.lua
```
Add the following inside the http { } block of /usr/local/nginx/conf/nginx.conf:
```nginx
#the Nginx bundle:
lua_package_path "/usr/local/nginx/conf/lua/redis.lua;;";
```
CC (HTTP flood) protection rule: waf.lua
Save the following as /usr/local/nginx/conf/lua/waf.lua:
```lua
-- Per-client request counter kept in Redis; runs in the nginx access phase.
local get_headers = ngx.req.get_headers
local ua = ngx.var.http_user_agent
local uri = ngx.var.request_uri
local url = ngx.var.host .. uri
local redis = require 'redis'
local red = redis.new()
local CCcount = 20          -- requests allowed per window
local CCseconds = 60        -- window length in seconds
local RedisIP = '127.0.0.1'
local RedisPORT = 6379
local blackseconds = 7200   -- block duration in seconds

if ua == nil then
    ua = "unknown"
end

-- Per-URI override of the thresholds
if (uri == "/wp-admin.php") then
    CCcount = 20
    CCseconds = 60
end

red:set_timeout(100)   -- milliseconds
local ok, err = red:connect(RedisIP, RedisPORT)

-- If Redis cannot be reached, the request is passed through unchecked.
if ok then
    -- X-Real-IP and X-Forwarded-For are only reliable when a trusted
    -- front-end proxy sets them; otherwise rely on ngx.var.remote_addr.
    local function getClientIp()
        local IP = get_headers()["X-Real-IP"]
        if IP == nil then
            IP = get_headers()["x_forwarded_for"]
        end
        if IP == nil then
            IP = ngx.var.remote_addr
        end
        if IP == nil then
            IP = "unknown"
        end
        return IP
    end

    -- One counter per client IP + URL + User-Agent
    local token = getClientIp() .. "." .. ngx.md5(url .. ua)
    local req = red:exists(token)
    if req == 0 then
        -- First request of a new window: start the counter and its TTL
        red:incr(token)
        red:expire(token, CCseconds)
    else
        -- "or 0" covers a counter that expired between EXISTS and GET
        local times = tonumber(red:get(token)) or 0
        if times >= CCcount then
            local blackReq = red:exists("black." .. token)
            if (blackReq == 0) then
                -- Threshold reached: record the block and keep the counter
                -- alive for the whole block period
                red:set("black." .. token, 1)
                red:expire("black." .. token, blackseconds)
                red:expire(token, blackseconds)
                ngx.exit(503)
            else
                ngx.exit(503)
            end
            return
        else
            red:incr(token)
        end
    end
    return
end
```
Loading waf.lua in the Nginx virtual host
In the virtual host configuration file /usr/local/nginx/conf/vhost/oneinstack.com.conf, add:
```nginx
access_by_lua_file "/usr/local/nginx/conf/lua/waf.lua";
```
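Testing
Within one minute, click a single page more than 20 times in quick succession, then log in to Redis: a key starting with black shows that the client has been blocked (nginx returns 503).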
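
The counter logic behind this test can be traced offline. The following Python model is an added example, not code from the original page: `FakeRedis`, its simulated clock `now`, and `handle` are constructed stand-ins for Redis and for the access handler in waf.lua.

```python
import hashlib
CC_COUNT, CC_SECONDS, BLACK_SECONDS = 20, 60, 7200  # values from waf.lua

class FakeRedis:
    """Constructed in-memory stand-in for the Redis commands waf.lua uses."""
    def __init__(self):
        self.now = 0      # simulated clock in seconds, advanced by the caller
        self.data = {}    # key -> [value, expiry time or None]

    def _live(self, key):
        entry = self.data.get(key)
        if entry and entry[1] is not None and entry[1] <= self.now:
            del self.data[key]   # the key's TTL has run out
            entry = None
        return entry

    def exists(self, key):
        return 1 if self._live(key) else 0

    def get(self, key):
        return (self._live(key) or [None])[0]

    def set(self, key, value):
        self.data[key] = [value, None]

    def incr(self, key):
        entry = self._live(key) or self.data.setdefault(key, [0, None])
        entry[0] += 1            # INCR leaves an existing TTL untouched

    def expire(self, key, seconds):
        entry = self._live(key)
        if entry:
            entry[1] = self.now + seconds

def handle(red, ip, url, ua):
    """Status code the waf.lua logic yields for one request."""
    token = ip + "." + hashlib.md5((url + ua).encode()).hexdigest()
    if red.exists(token) == 0:          # first request of a new window
        red.incr(token)
        red.expire(token, CC_SECONDS)
        return 200
    if int(red.get(token) or 0) >= CC_COUNT:
        if red.exists("black." + token) == 0:
            red.set("black." + token, 1)
            red.expire("black." + token, BLACK_SECONDS)
            red.expire(token, BLACK_SECONDS)
        return 503
    red.incr(token)
    return 200
```

Calling `handle` 21 times without advancing `now` returns 200 for the first 20 requests and 503 for the 21st, and the block lasts until `now` reaches 7200.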