OpenResty on Rickyhttps://linzeyan.github.io/categories/openresty/Recent content in OpenResty on RickyHugo -- gohugo.ioenThu, 27 Jun 2019 11:18:46 +0800OpenResty + Redis: Block High-Frequency IPshttps://linzeyan.github.io/posts/2019/20190627-openrestyredis/Thu, 27 Jun 2019 11:18:46 +0800https://linzeyan.github.io/posts/2019/20190627-openrestyredis/<ul> <li><a href="https://www.centos.bz/2018/11/openrestyredis%E6%8B%A6%E6%88%AA%E9%AB%98%E9%A2%91%E8%AE%BF%E9%97%AEip/" target="_blank" rel="noopener">OpenResty + Redis: Block High-Frequency IPs</a></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">init_by_lua_block</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">redis</span> = <span style="color:#e6db74">require</span> <span style="color:#e6db74">&#34;redis&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">client</span> = <span style="color:#e6db74">redis.connect(&#39;127.0.0.1&#39;,</span> <span style="color:#ae81ff">6379</span><span style="color:#e6db74">)</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">8080</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_by_lua_file</span> <span style="color:#e6db74">/usr/local/nginx/conf/lua/block.lua</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://192.168.1.102:8000</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-lua" data-lang="lua"><span style="display:flex;"><span><span style="color:#75715e">-- Redis-based IP rate limiting / blocking for OpenResty (ngx_lua)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- NOTE:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- This script assumes a global `client` variable is used/stored.</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Make sure `redis` module is available and `client` is initialized somewhere.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">isConnected</span>() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> client:ping() </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">createRedisConnection</span>() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> redis.connect(<span style="color:#e6db74">&#34;127.0.0.1&#34;</span>, <span style="color:#ae81ff">6379</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- If the Redis connection fails, stop blocking (allow traffic)</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> pcall(isConnected) <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- already connected (or ping succeeded)</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- not connected; try reconnect</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> pcall(createRedisConnection) <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- Reconnect: this will reconnect Redis on every request</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- For high traffic, consider disabling reconnect (skip pcall), and allow/terminate directly via ngx.exit</span> </span></span><span style="display:flex;"><span> client <span style="color:#f92672">=</span> createRedisConnection() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> ttl <span style="color:#f92672">=</span> <span style="color:#ae81ff">60</span> <span style="color:#75715e">-- sampling window (seconds)</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> bktimes <span style="color:#f92672">=</span> <span style="color:#ae81ff">30</span> <span style="color:#75715e">-- requests within window to trigger block</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> block_ttl <span style="color:#f92672">=</span> <span style="color:#ae81ff">600</span> <span style="color:#75715e">-- block duration after trigger (seconds)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> ip <span style="color:#f92672">=</span> ngx.var.remote_addr </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> ipvtimes <span style="color:#f92672">=</span> client:get(ip) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> ipvtimes <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ipvtimes <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;-1&#34;</span> <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- blocked</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(<span style="color:#ae81ff">403</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">local</span> last_ttl <span style="color:#f92672">=</span> client:ttl(ip) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(&#34;key exist.ttl is &#34;, last_ttl)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> last_ttl <span style="color:#f92672">==</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span> <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> client:set(ip, <span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span> client:expire(ip, ttl) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(&#34;ttl &amp; vtimes recount&#34;)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">local</span> vtimes <span style="color:#f92672">=</span> tonumber(client:get(ip)) <span style="color:#f92672">+</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> vtimes <span style="color:#f92672">&lt;</span> bktimes <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> client:set(ip, vtimes) </span></span><span style="display:flex;"><span> client:expire(ip, last_ttl) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(ip, &#34; view &#34;, vtimes, &#34; times&#34;)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(ip, &#34; will be block next time.&#34;)</span> </span></span><span style="display:flex;"><span> client:set(ip, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> client:expire(ip, block_ttl) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- key does not exist</span> </span></span><span style="display:flex;"><span> client:set(ip, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(ip, &#34; view 1 times&#34;)</span> </span></span><span style="display:flex;"><span> client:expire(ip, ttl) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span></code></pre></div>