nginx限制请求之三：Nginx+Lua+Redis 对请求进行限制

一、概述

需求：所有访问/myapi/**的请求必须是POST请求，而且根据请求参数过滤不符合规则的非法请求(黑名单), 这些请求一律不转发到后端服务器(Tomcat)

实现思路：通过在Nginx上进行访问限制，通过Lua来灵活实现业务需求，而Redis用于存储黑名单列表。

相关nginx上lua或redis的使用方式可以参考我之前写的一篇文章:

=======================================================

一、概述：

1.研究目标：nginx中使用lua脚本，及nginx直接访问mysql,redis

2.需要安装的内容：

openresty,mysql,redis

3.OpenResty （也称为 ngx_openresty）是一个全功能的 Web 应用服务器。它打包了标准的 Nginx 核心，很多的常用的第三方模块，以及它们的大多数依赖项。http://openresty.org/cn/index.html

二、安装说明

0.环境准备

$yum install -y gcc gcc-c++ readline-devel pcre-devel openssl-devel tcl perl

1、安装drizzle http://wiki.nginx.org/HttpDrizzleModule

cd /usr/local/src/
wget http://openresty.org/download/drizzle7-2011.07.21.tar.gz
tar xzvf drizzle-2011.07.21.tar.gz
cd drizzle-2011.07.21/
./configure --without-server
make libdrizzle-1.0
make install-libdrizzle-1.0
export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH

2、安装openresty
wget http://openresty.org/download/ngx_openresty-1.7.2.1.tar.gz
tar xzvf ngx_openresty-1.7.2.1.tar.gz
cd ngx_openresty-1.7.2.1/
./configure --with-http_drizzle_module
gmake
gmake install

三、nginx配置nginx.conf

/usr/local/openresty/nginx/conf/nginx.conf

# 添加MySQL配置(drizzle)
upstream backend {
drizzle_server 127.0.0.1:3306 dbname=test user=root password=123456 protocol=mysql;
drizzle_keepalive max=200 overflow=ignore mode=single;
}

server {
listen 80;
server_name localhost;

#charset koi8-r;
#access_log logs/host.access.log main;

location / {
        root   html;
        index index.html index.htm;
    }

location /lua {
        default_type text/plain;
        content_by_lua 'ngx.say("hello, lua")';
    }

location /lua_redis {
        default_type text/plain;
        content_by_lua_file /usr/local/lua_test/redis_test.lua;
    }

location /lua_mysql {
            default_type text/plain;
            content_by_lua_file /usr/local/lua_test/mysql_test.lua;
    }

location @cats-by-name {
        set_unescape_uri $name $arg_name;
        set_quote_sql_str $name;
        drizzle_query 'select * from cats where name=$name';
        drizzle_pass backend;
        rds_json on;
    }

location @cats-by-id {
        set_quote_sql_str $id $arg_id;
        drizzle_query 'select * from cats where id=$id';
        drizzle_pass backend;
        rds_json on;
    }

location = /cats {
        access_by_lua '
            if ngx.var.arg_name then
                return ngx.exec("@cats-by-name")
            end

if ngx.var.arg_id then
                return ngx.exec("@cats-by-id")
            end
        ';

rds_json_ret 400 "expecting \"name\" or \"id\" query arguments";
}

# 通过url匹配出name，并编码防止注入，最后以json格式输出结果
    location ~ '^/mysql/(.*)' {
        set $name $1;
        set_quote_sql_str $quote_name $name;
        set $sql "SELECT * FROM cats WHERE name=$quote_name";
        drizzle_query $sql;
        drizzle_pass backend;
        rds_json on;
    }

# 查看MySQL服务状态
    location /mysql-status {
        drizzle_status;
    }
}

四、lua测试脚本

/usr/local/lua_test/redis_test.lua

local redis = require "resty.redis"

local cache = redis.new()

cache.connect(cache, '127.0.0.1', '6379')

local res = cache:get("foo")

if res==ngx.null then

    ngx.say("This is Null")

    return

end

ngx.say(res)

/usr/local/lua_test/mysql_test.lua

local mysql = require "resty.mysql"

local db, err = mysql:new()

if not db then

    ngx.say("failed to instantiate mysql: ", err)

    return

end

db:set_timeout(1000) -- 1 sec

-- or connect to a unix domain socket file listened

-- by a mysql server:

--     local ok, err, errno, sqlstate =

--           db:connect{

--              path = "/path/to/mysql.sock",

--              database = "ngx_test",

--              user = "ngx_test",

--              password = "ngx_test" }

local ok, err, errno, sqlstate = db:connect{

    host = "127.0.0.1",

    port = 3306,

    database = "test",

    user = "root",

    password = "123456",

    max_packet_size = 1024 * 1024 }

if not ok then

    ngx.say("failed to connect: ", err, ": ", errno, " ", sqlstate)

    return

end

ngx.say("connected to mysql.")

local res, err, errno, sqlstate =

    db:query("drop table if exists cats")

if not res then

    ngx.say("bad result: ", err, ": ", errno, ": ", sqlstate, ".")

    return

end

res, err, errno, sqlstate =

    db:query("create table cats "

             .. "(id serial primary key, "

             .. "name varchar(5))")

if not res then

    ngx.say("bad result: ", err, ": ", errno, ": ", sqlstate, ".")

    return

end

ngx.say("table cats created.")

res, err, errno, sqlstate =

    db:query("insert into cats (name) "

             .. "values (\'Bob\'),(\'\'),(null)")

if not res then

    ngx.say("bad result: ", err, ": ", errno, ": ", sqlstate, ".")

    return

end

ngx.say(res.affected_rows, " rows inserted into table cats ",

        "(last insert id: ", res.insert_id, ")")

-- run a select query, expected about 10 rows in

-- the result set:

res, err, errno, sqlstate =

    db:query("select * from cats order by id asc", 10)

if not res then

    ngx.say("bad result: ", err, ": ", errno, ": ", sqlstate, ".")

    return

end

local cjson = require "cjson"

ngx.say("result: ", cjson.encode(res))

-- put it into the connection pool of size 100,

-- with 10 seconds max idle timeout

local ok, err = db:set_keepalive(10000, 100)

if not ok then

    ngx.say("failed to set keepalive: ", err)

    return

end

-- or just close the connection right away:

-- local ok, err = db:close()

-- if not ok then

--     ngx.say("failed to close: ", err)

--     return

-- end

';

五、验证结果

curl测试

$ curl 'http://127.0.0.1/lua_test'
hello, lua

$ redis-cli set foo 'hello,lua-redis'
OK
$ curl 'http://127.0.0.1/lua_redis'
hello,lua-redis

$ curl 'http://127.0.0.1/lua_mysql'
connected to mysql.
table cats created.
3 rows inserted into table cats (last insert id: 1)
result: [{"name":"Bob","id":"1"},{"name":"","id":"2"},{"name":null,"id":"3"}]

$ curl 'http://127.0.0.1/cats'
{"errcode":400,"errstr":"expecting \"name\" or \"id\" query arguments"}

$ curl 'http://127.0.0.1/cats?name=bob'
[{"id":1,"name":"Bob"}]

$ curl 'http://127.0.0.1/cats?id=2'
[{"id":2,"name":""}]

$ curl 'http://127.0.0.1/mysql/bob'
[{"id":1,"name":"Bob"}]

$ curl 'http://127.0.0.1/mysql-status'
worker process: 32261

upstream backend
active connections: 0
connection pool capacity: 0
servers: 1
peers: 1

六、参考资料

1.openresty http://openresty.org/cn/index.html

2.tengine http://tengine.taobao.org/documentation_cn.html

如何安装nginx_lua_module模块
http://www.cnblogs.com/yjf512/archive/2012/03/27/2419577.html

nginx+lua 项目使用记（二）
http://blog.chinaunix.net/uid-26443921-id-3213879.html

nginx_lua模块基于mysql数据库动态修改网页内容
https://www.centos.bz/2012/09/nginx-lua-mysql-dynamic-modify-content/

突破log_by_lua中限制Cosocket API的使用
http://17173ops.com/2013/11/11/resolve-cosocket-api-limiting-in-log-by-lua.shtml

17173 Ngx_Lua使用分享
http://17173ops.com/2013/11/01/17173-ngx-lua-manual.shtml

关于 OPENRESTY 的两三事
http://zivn.me/?p=157

Nginx_Lua
http://www.ttlsa.com/nginx/nginx-lua/

Nginx 第三方模块-漫谈缘起
http://www.cnblogs.com/yjf512/archive/2012/03/30/2424726.html

CentOS6.4 安装OpenResty和Redis 并在Nginx中利用lua简单读取Redis数据
http://www.cnblogs.com/kgdxpr/p/3550633.html

Nginx与Lua
http://huoding.com/2012/08/31/156

由Lua 粘合的Nginx生态环境
http://blog.zoomquiet.org/pyblosxom/oss/openresty-intro-2012-03-06-01-13.html

Nginx 第三方模块试用记
http://chenxiaoyu.org/2011/10/30/nginx-modules.html

agentzh 的 Nginx 教程（版本 2013.07.08）
http://openresty.org/download/agentzh-nginx-tutorials-zhcn.html

CentOS下Redis 2.2.14安装配置详解
http://www.cnblogs.com/hb_cattle/archive/2011/10/22/2220907.html

nginx安装
http://blog.csdn.net/gaojinshan/article/details/37603157

=======================================================

二、具体实现

1.lua代码

本例中限制规则包括(post请求，ip地址黑名单，请求参数中imsi,tel值和黑名单)

 1 -- access_by_lua_file '/usr/local/lua_test/my_access_limit.lua';

 2 ngx.req.read_body()

 3

 4 local redis = require "resty.redis"

 5 local red = redis.new()

 6 red.connect(red, '127.0.0.1', '6379')

 7

 8 local myIP = ngx.req.get_headers()["X-Real-IP"]

 9 if myIP == nil then

10    myIP = ngx.req.get_headers()["x_forwarded_for"]

11 end

12 if myIP == nil then

13    myIP = ngx.var.remote_addr

14 end

15

16 if ngx.re.match(ngx.var.uri,"^(/myapi/).*$") then

17     local method = ngx.var.request_method

18     if method == 'POST' then

19         local args = ngx.req.get_post_args()

20

21         local hasIP = red:sismember('black.ip',myIP)

22         local hasIMSI = red:sismember('black.imsi',args.imsi)

23         local hasTEL = red:sismember('black.tel',args.tel)

24         if hasIP==1 or hasIMSI==1 or hasTEL==1 then

25             --ngx.say("This is 'Black List' request")

26             ngx.exit(ngx.HTTP_FORBIDDEN)

27         end

28     else

29         --ngx.say("This is 'GET' request")

30         ngx.exit(ngx.HTTP_FORBIDDEN)

31     end

32 end

2.nginx.conf

location / {
root html;
index index.html index.htm;

access_by_lua_file /usr/local/lua_test/my_access_limit.lua;

proxy_pass http://127.0.0.1:8080;
client_max_body_size 1m;
}

3.添加黑名单规则数据

#redis-cli sadd black.ip '153.34.118.50'
#redis-cli sadd black.imsi '460123456789'
#redis-cli sadd black.tel '15888888888'

可以通过redis-cli smembers black.imsi 查看列表明细

4.验证结果

#curl -d "imsi=460123456789&tel=15800000000" "http://www.mysite.com/myapi/abc"

秒客网