Denying access from foreign IPs in nginx


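There are many ways to make nginx refuse foreign IPs, such as iptables, the geoip module, DNS resolution, and so on. These methods do not conflict with one another and can be combined.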

 

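Today I will show two small methods for blocking overseas IPs from reaching a website, starting with DNS resolution.

DNS resolution method:

The vast majority of DNS providers offer per-line resolution (China Telecom, China Unicom, China Mobile, overseas), so we can take full advantage of this feature to block overseas access.

Taking Alibaba Cloud DNS as an example:

       Set the record type to A

       Resolution line: Overseas

       Record value: 127.0.0.1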
 

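       After saving the record, wait 30 minutes and then test overseas resolution with a ping tool. You will find that every overseas line resolves to 127.0.0.1. Why 127.0.0.1? Because it is the local (loopback) address: if compromised overseas hosts (bots) attack this site, they end up attacking themselves.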

 

 

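The DNS record only affects clients that resolve the domain name, so combine it with another method I wrote:

Use a script to refresh the foreign IP list every week, and use nginx's deny directive to reject those IP addresses directly.

# Add to crontab
0 0 * * 5 /bin/bash /root/tools/black_nginx.sh

Script contents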

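#!/bin/bash
# Rebuild the nginx deny list from the APNIC stats file, then reload nginx.
# awk keeps only IPv4 records (skipping comment, version and summary lines)
# and writes each start address (field 4) as a /24; field 5, the address count, is not used.
cd "$(dirname "$0")" || exit 1   # cron does not start in the script's directory
rm -f legacy-apnic-latest black_`date +%F`.conf &&
wget http://ftp.apnic.net/apnic/stats/apnic/legacy-apnic-latest &&
awk -F '|' '$3=="ipv4" && $4!="*" {printf("%s %s/%d%s\n","deny",$4,24,";")}' legacy-apnic-latest > black_`date +%F`.conf &&
rm -f /usr/local/nginx/conf/black.conf &&
ln -s $PWD/black_`date +%F`.conf /usr/local/nginx/conf/black.conf &&
/etc/init.d/nginx reload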

Add include black.conf; to the http block of the main nginx configuration file, so that every site on this server rejects these IPs.
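The stats file describes each range as a start address (field 4) plus an address count (field 5), so an exact deny list has to derive the prefix length from the count. The following is an added example, not part of the original post: it generalizes the awk step to split any count into exact CIDR blocks and to leave one country code out of the list. The function names, the optional country argument and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn RIR stats records (stdin) into nginx "deny" lines.
# Record layout: registry|cc|type|start|count|date|status
# $1 is an optional country code to leave out (hypothetical parameter).
apnic_to_deny() {
  awk -F '|' -v keep="${1:-}" '
    function emit(s, n,    size, bits) {
      # Split [s, s+n) into aligned power-of-two blocks, one CIDR each.
      while (n > 0) {
        size = 1; bits = 0
        while (bits < 32 && size * 2 <= n && s % (size * 2) == 0) { size *= 2; bits++ }
        printf("deny %d.%d.%d.%d/%d;\n", int(s / 16777216), int(s / 65536) % 256,
               int(s / 256) % 256, s % 256, 32 - bits)
        s += size; n -= size
      }
    }
    # Skip comments, the version line, non-IPv4 records and the kept country.
    $3 != "ipv4" || $2 == keep { next }
    # Skip summary lines ("*") and anything that is not address|count.
    $4 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $5 !~ /^[0-9]+$/ { next }
    {
      split($4, o, ".")
      emit(((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4], $5 + 0)
    }'
}

# Constructed sample records using reserved test ranges, not real APNIC data.
sample_stats() {
  cat <<'EOF'
# constructed sample in the RIR stats format
2|apnic|20250101|4|19830101|20241231|+1000
apnic|*|ipv4|*|4|summary
apnic|AU|ipv4|203.0.113.0|256|19930101|assigned
apnic|JP|ipv4|198.18.0.0|65536|19930101|allocated
apnic|NZ|ipv4|198.19.2.0|768|19930101|assigned
apnic|CN|ipv4|198.51.100.0|256|19930101|assigned
EOF
}

sample_stats | apnic_to_deny CN
```

Write the output to the dated black_*.conf file as the script does, and check the configuration with nginx -t before reloading so that a malformed list cannot stop the server from starting.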

 

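After further study, here is one more method, using OpenResty:

Official download page: http://openresty.org/cn/download.html

Some recommended WAF modules:

https://github.com/unixhot/waf

https://github.com/loveshell/ngx_lua_waf

After downloading the WAF module, move the waf directory to /usr/local/openresty/nginx/conf/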

git clone https://github.com/unixhot/waf.git
cp -a ./waf/waf /usr/local/openresty/nginx/conf/

or

cd /usr/local/openresty/server/nginx/conf
git clone https://github.com/loveshell/ngx_lua_waf.git
mv ngx_lua_waf waf

Load it in the main configuration file

vim /usr/local/openresty/nginx/conf/nginx.conf
...
http {
lua_shared_dict limit 10m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
...
}

 

Error on startup

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
    no field package.preload['resty.core']
    no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
    no file '/usr/local/openresty/site/lualib/resty/core.so'
    no file '/usr/local/openresty/lualib/resty/core.so'
    no file './resty/core.so'
    no file '/usr/local/lib/lua/5.1/resty/core.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file '/usr/local/openresty/site/lualib/resty.so'
    no file '/usr/local/openresty/lualib/resty.so'
    no file './resty.so'
    no file '/usr/local/lib/lua/5.1/resty.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
    no file '/usr/local/lib/lua/5.1/loadall.so')

or

failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
no file '/usr/local/openresty/site/lualib/resty/core.so'
no file '/usr/local/openresty/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /usr/local/openresty/nginx/conf/nginx.conf:130

Solution

ln -s /usr/local/openresty/server/lualib /usr/local/lib/lua
ln -s /usr/local/openresty/server/lualib/resty /usr/local/openresty/server/nginx/conf/waf/resty

https://www.cnblogs.com/cheyunhua/p/13395745.html

https://www.jianshu.com/p/bffbd9bc4c53

