11 Nginx + Lua


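Lua script basic syntax

Lua is a concise, lightweight, extensible scripting language.

# Advantages of Nginx + Lua
Combines Nginx's epoll-based concurrency with Lua's light weight to implement simple features in high-concurrency scenarios
IP statistics
User information statistics
Security WAF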

Installing Lua

# Installed by default on CentOS 7.4
[root@proxy conf.d]# yum install lua

Ways to run Lua

1. Interactive

[root@proxy conf.d]# lua
Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio
> print('hello world')
hello world

2. Non-interactive, running a file

[root@proxy conf.d]# vim test.lua
#!/usr/bin/lua
print("hello world")

[root@proxy conf.d]# lua test.lua
hello world

Lua comments

# -- line comment

#!/usr/bin/lua
-- print("hello world")
print("hello leo")


# Block comment --[[ ... --]]

#!/usr/bin/lua

--[[
print("hello world")
print("hello leo")
--]]

print("hello lex")

Variables

[root@proxy conf.d]# vim test.lua

#!/usr/bin/lua

--[[
print("hello world")
print("hello leo")
--]]

print("hello lex")

name = 'leo'
age = 28

print("My name is:",name)
print(age)

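# In a Boolean test only nil and false count as false
# The number 0 and the empty string are both true
# Variables in Lua are global unless declared otherwise (with local)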

while loop

# Syntax
while ... do
    ...
end
# Lua has no ++ or += operators

[root@proxy conf.d]# vim while100.lua

#!/usr/bin/lua
sum = 0
num = 1

while num <= 100 do
    sum = sum + num
    num = num + 1
end
print(sum)

# Run
[root@proxy conf.d]# lua while100.lua
5050

for loop

# Syntax
for ... do
    ...
end

[root@proxy conf.d]# vim for100.lua

#!/usr/bin/lua

sum = 0

for i = 1,100 do
    sum = sum + i
end

print(sum)

[root@proxy conf.d]# lua for100.lua
5050

if statement

if...then
elseif...then
else
...
end

# ~= means not equal
# The string concatenation operator is ".."
# The io library's read and write functions read from stdin and write to stdout

[root@proxy conf.d]# vim ifelse.lua

#!/usr/bin/lua

num = 30
s='aspython'

if num > 50 then
    print('> 50')
elseif s ~= 'aspython' then -- ~= means !=
    io.write('s is not aspython') -- a fancier way to write to standard output
else
    thisIsGlobal = 5 -- camelCase naming
    local line = io.read()
    -- .. is the string concatenation operator
    print('凛冬将至' .. line)
end

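Loading the Lua environment in Nginx

1. Alibaba Cloud test environment: replace the system disk
2. By default Nginx does not support the Lua module; you need to install the LuaJIT interpreter and recompile Nginx. Using OpenResty is recommended.
3. LuaJIT, ngx_devel_kit and lua-nginx-module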

Compiling and installing Nginx

Environment preparation

[root@proxy etc]# yum -y install gcc gcc-c++ make pcre-devel zlib-devel openssl-devel

# Download the latest LuaJIT, ngx_devel_kit and lua-nginx-module
[root@proxy ~]# mkdir -p /soft/src && cd /soft/src
[root@proxy ~]# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
[root@proxy ~]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz
[root@proxy ~]# wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz

Extracting ngx_devel_kit and lua-nginx-module

# Extracts to ngx_devel_kit-0.2.19
[root@nginx ~]# tar xf v0.2.19.tar.gz
# Extracts to lua-nginx-module-0.10.13
[root@nginx ~]# tar xf v0.10.13.tar.gz

Installing LuaJIT. LuaJIT is a just-in-time compiler for Lua.

[root@nginx ~]# tar zxvf LuaJIT-2.0.4.tar.gz
[root@nginx ~]# cd LuaJIT-2.0.4
[root@nginx ~]# make && make install

# Success
==== Successfully installed LuaJIT 2.0.4 to /usr/local ====

Installing Nginx and loading the modules

[root@nginx ~]# cd /soft/src
[root@nginx ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@nginx ~]# tar xf nginx-1.16.1.tar.gz
[root@nginx ~]# cd nginx-1.16.1

# Compile and install
./configure --prefix=/etc/nginx --with-http_ssl_module \
--with-http_stub_status_module --with-http_dav_module \
--add-module=../ngx_devel_kit-0.2.19/ \
--add-module=../lua-nginx-module-0.10.13

[root@proxy nginx-1.16.1]# make && make install

# Create a symlink; without it a shared object error occurs
[root@proxy lib64]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

Verifying Nginx + Lua

[root@proxy conf]# vim /etc/nginx/conf/nginx.conf
...
location / {
    root html;
    index index.html index.htm;
}

location /test {
    default_type text/html;
    content_by_lua_block {
        ngx.say('hello world')
    }
}


[root@proxy conf]# /etc/nginx/sbin/nginx
[root@proxy conf]# /etc/nginx/sbin/nginx -t
[root@proxy conf]# /etc/nginx/sbin/nginx -s reload

# Visit
http://60.205.217.112/test

Deploying Chun Ge's open-source project OpenResty directly

// Install the dependencies; it is ready to use once compilation finishes
# yum install -y readline-devel pcre-devel openssl-devel
# cd /soft/src
// Download, compile and install OpenResty
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/soft/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /soft/openresty-1.9.3.2/ /soft/openresty

// Test the OpenResty installation
# vim /soft/openresty/nginx/conf/nginx.conf
server {
    location /hello {
        default_type text/html;
        content_by_lua_block {
            ngx.say("HelloWorld")
        }
    }
}

Nginx directives for calling Lua

Nginx calls Lua through module directives. Nginx loads and runs its pluggable modules across 11 processing phases in total.

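Implementing a gray release (canary release) of code with Nginx + Lua

Use Nginx together with Lua to implement a gray release of code: requests are told apart by some criterion and sent to different versions of the code, so that a release can go live with a smooth transition.

1. Distinguish by user information such as cookies
2. Distinguish by the user's IP address, which is coarser-grained

Execution flow:
1. The user's request reaches the front-end proxy Nginx, and the embedded Lua module parses the Lua script in the Nginx configuration file
2. The Lua script obtains the client IP address and checks whether that key exists in the Memcached cache
3. If it exists, @java_test is executed; otherwise @java_prod is executed
4. If it is @java_test, the location forwards the request to the cluster running the new version of the code
5. If it is @java_prod, the location forwards the request to the cluster running the original version of the code
6. The whole process then ends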

Preparing the practice environment

CentOS7 Nginx+Lua+Memcached      172.17.70.227
CentOS7 Tomcat cluster 8080 prod 172.17.70.228
CentOS7 Tomcat cluster 9090 test 172.17.70.226

Install Tomcat on two servers, started on ports 8080 and 9090 respectively

[root@tomcat-node1-20 ~]# yum install java -y
[root@tomcat-node1-20 ~]# mkdir /soft/src -p
[root@tomcat-node1-20 ~]# cd /soft/src
[root@nginx ~]# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.7/bin/apache-tomcat-9.0.7.tar.gz
[root@tomcat-node1-20 src]# tar xf apache-tomcat-9.0.7.tar.gz -C /soft
[root@tomcat-node1-20 soft]# cp -r apache-tomcat-9.0.7/ tomcat-8080
[root@tomcat-node1-20 bin]# /soft/tomcat-8080/bin/startup.sh


// Note: Tomcat listens on port 8080 by default; to start it on port 9090 you need to modify the server.xml configuration file

# Get 8080 working first, then copy it over
[root@tomcat-node1 soft]# scp -r tomcat-8080 root@172.17.70.226:/soft

# Change the port
[root@tomcat-node2 soft]# mv tomcat-8080 tomcat-9090
[root@tomcat-node2 soft]# vim /soft/tomcat-9090/conf/server.xml
<Connector port="9090" protocol="HTTP/1.1"

[root@tomcat-node2 soft]# sh tomcat-9090/bin/startup.sh
Using CATALINA_BASE: /soft/tomcat-9090
Using CATALINA_HOME: /soft/tomcat-9090
Using CATALINA_TMPDIR: /soft/tomcat-9090/temp
Using JRE_HOME: /usr
Using CLASSPATH: /soft/tomcat-9090/bin/bootstrap.jar:/soft/tomcat-9090/bin/tomcat-juli.jar
Tomcat started.

[root@tomcat-node2 soft]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1108/sshd
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1533/java
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 1533/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 1533/java

[root@tomcat-node1 ROOT]# cd /soft/tomcat-8080/webapps/ROOT/
[root@tomcat-node1 ROOT]# rm -rf *
[root@tomcat-node1 ROOT]# vim test.jsp

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<HTML>
<HEAD>
<TITLE>JSP 8080-Prod</TITLE>
</HEAD>
<BODY>
<h1> JSP 8080-Prod </h1>
<%
Random rand = new Random();
out.println("<h1>Random number:</h1>");
out.println(rand.nextInt(99)+100);
%>
</BODY>
</HTML>

[root@tomcat-node2 ROOT]# cd /soft/tomcat-9090/webapps/ROOT/
[root@tomcat-node2 ROOT]# rm -rf *
[root@tomcat-node2 ROOT]# vim test.jsp

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<HTML>
<HEAD>
<TITLE>JSP 9090-Test</TITLE>
</HEAD>
<BODY>
<h1> JSP 9090-Test </h1>
<%
Random rand = new Random();
out.println("<h1>Random number:</h1>");
out.println(rand.nextInt(99)+100);
%>
</BODY>
</HTML>

Configuring Memcached and making it callable from Lua

# Install the memcached service
[root@proxy conf]# yum install memcached -y

# Set up Lua support for memcached
[root@proxy conf]# cd /soft/src
[root@proxy src]# wget https://github.com/agentzh/lua-resty-memcached/archive/v0.11.tar.gz
[root@proxy src]# tar xf v0.11.tar.gz
[root@proxy src]# mkdir -p /etc/nginx/lua
[root@proxy src]# cp -r lua-resty-memcached-0.11/lib/resty/memcached.lua /etc/nginx/lua/
[root@proxy src]# ls -l /etc/nginx/lua/memcached.lua

# Start memcached
[root@proxy src]# systemctl start memcached
[root@proxy src]# systemctl enable memcached
[root@proxy src]# systemctl status memcached

Configuring load-balancing scheduling

# For a compiled install, add the include
[root@proxy conf]# vim /etc/nginx/conf/nginx.conf
include /etc/nginx/conf.d/*.conf;

# Remove the default server block (in vim: Ctrl+v to select the lines, Shift+i, #, Esc)
[root@proxy conf]# /etc/nginx/sbin/nginx -t

[root@proxy conf]# mkdir -p /etc/nginx/conf.d
[root@proxy conf.d]# vim lua.conf

# http
lua_package_path "/etc/nginx/lua/memcached.lua";

upstream java_prod {
    server 172.17.70.228:8080;
}

upstream java_test {
    server 172.17.70.226:9090;
}

server {
    listen 80;
    server_name 60.205.217.112;

    location /hello {
        default_type 'text/plain';
        content_by_lua 'ngx.say("hello ,lua scripts")';
    }

    location /myip {
        default_type 'text/plain';
        content_by_lua '
            local clientIP = ngx.req.get_headers()["x_forwarded_for"]
            ngx.say("Forwarded_IP:",clientIP)
            if clientIP == nil then
                clientIP = ngx.var.remote_addr
                ngx.say("Remote_IP:",clientIP)
            end
        ';
    }

    location / {
        default_type 'text/plain';
        content_by_lua_file /etc/nginx/lua/dep.lua;
    }

    location @java_prod {
        proxy_pass http://java_prod;
        include /etc/nginx/conf.d/proxy_params;
    }

    location @java_test {
        proxy_pass http://java_test;
        include /etc/nginx/conf.d/proxy_params;
    }
}

# When Nginx reverse-proxies Tomcat, the headers must be configured, otherwise a 400 error is returned
[root@proxy conf.d]# vim /etc/nginx/conf.d/proxy_params

proxy_redirect default;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;

proxy_buffer_size 32k;
proxy_buffering on;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 256k;

[root@proxy conf]# /etc/nginx/sbin/nginx -t
[root@proxy conf]# /etc/nginx/sbin/nginx -s reload

http://60.205.217.112/test
http://60.205.217.112/myip

Writing the gray-release Lua script called by Nginx

# Write the gray-release Lua script called by Nginx
# /etc/nginx/lua/dep.lua

[root@proxy lua]# vim dep.lua

-- Get X-Real-IP
local clientIP = ngx.req.get_headers()["X-Real-IP"]

-- If the IP is empty, take x_forwarded_for
if clientIP == nil then
    clientIP = ngx.req.get_headers()["x_forwarded_for"]
end

-- If the IP is still empty, take remote_addr
if clientIP == nil then
    clientIP = ngx.var.remote_addr
end

-- Declare a local and load memcached
local memcached = require "resty.memcached"
-- Instantiate the object
local memc, err = memcached:new()
-- Check whether creating the object failed
if not memc then
    ngx.say("failed to instantiate memc: ", err)
    return
end
-- Establish the memcached connection
local ok, err = memc:connect("127.0.0.1", 11211)
-- If it cannot connect, send the error message to the client
if not ok then
    ngx.say("failed to connect: ", err)
    return
end
-- Look up the IP; the stored value, if any, is assigned to res
local res, flags, err = memc:get(clientIP)
--
--ngx.say("value key: ",res,clientIP)
if err then
    ngx.say("failed to get clientIP ", err)
    return
end
-- If the value is 1, jump to the location @java_test
if res == "1" then
    ngx.exec("@java_test")
    return
end
-- Otherwise jump to the location @java_prod
ngx.exec("@java_prod")
return

[root@proxy lua]# /etc/nginx/sbin/nginx -s reload

http://60.205.217.112/test.jsp
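
dep.lua takes its lookup key from the X-Real-IP and X-Forwarded-For request headers before it falls back to remote_addr, and on a front-end proxy those headers arrive straight from the client, so the test/prod routing decision rests on client-supplied data. The following added example (not the page's dep.lua; TRUSTED_PROXIES, the function names and the sample addresses are assumptions) keys on the peer address unless the peer is a known proxy, and checks that the value is an IPv4 address before it is used as a Memcached key.

```lua
-- Added example, not the page's dep.lua. TRUSTED_PROXIES and every sample
-- address below are constructed; 125.34.39.133 is the page's test key.
local TRUSTED_PROXIES = { ["10.0.0.5"] = true }  -- hypothetical upstream proxy

-- True only for a dotted-quad IPv4 address with each octet in 0..255.
local function is_ipv4(s)
    if type(s) ~= "string" then return false end
    local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return false end
    for _, octet in ipairs({ a, b, c, d }) do
        if #octet > 3 or tonumber(octet) > 255 then return false end
    end
    return true
end

-- In dep.lua: remote_addr = ngx.var.remote_addr, headers = ngx.req.get_headers().
local function client_ip(remote_addr, headers)
    if not TRUSTED_PROXIES[remote_addr] then
        return remote_addr           -- direct client: its headers are not evidence
    end
    local real = headers["x-real-ip"]
    if is_ipv4(real) then return real end
    -- X-Forwarded-For reads "client, proxy1, ..."; the trusted peer appended the
    -- last entry, so that is the only one it vouches for.
    local xff = headers["x-forwarded-for"]
    if type(xff) == "string" then
        local last = xff:match("([^,%s]+)%s*$")
        if is_ipv4(last) then return last end
    end
    return remote_addr
end

-- Constructed requests: { peer address, headers, expected lookup key }
local cases = {
    { "203.0.113.9", { ["x-real-ip"] = "125.34.39.133" }, "203.0.113.9" },
    { "10.0.0.5", { ["x-real-ip"] = "125.34.39.133" }, "125.34.39.133" },
    { "10.0.0.5", { ["x-forwarded-for"] = "192.0.2.44, 198.51.100.7" }, "198.51.100.7" },
    { "10.0.0.5", { ["x-real-ip"] = "not an ip" }, "10.0.0.5" },
}
for _, c in ipairs(cases) do
    local got = client_ip(c[1], c[2])
    assert(got == c[3], "unexpected key " .. got)
    print(c[1], "->", got)
end
```

The functions are plain Lua, so the file runs under the lua interpreter installed earlier; inside Nginx only the two arguments change.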

Gray release

# Store the IP in memcached
# In production you need an IP address database; manage the addresses with memcached and import them

[root@proxy logs]# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
set 125.34.39.133 0 0 1
1
STORED

http://60.205.217.112/test.jsp

# Remove
get 125.34.39.133
VALUE 125.34.39.133 0 1
1
END
delete 125.34.39.133
DELETED

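Implementing a WAF (web application firewall) with Nginx + Lua

1. Common malicious behavior
1. Crawling and malicious scraping, resource theft
Countermeasures
1. Basic hotlink protection, so that malicious users cannot easily scrape the site's public data
2. access_module -> IP-based protection for the back end and for data served to particular users

2. Common attack methods
1. Back-end password guessing (credential stuffing): repeated login attempts against the back-end system with a password dictionary to obtain the back-end login password
Countermeasures
1. Password complexity for back-end logins
2. Use access_module to restrict back-end access by IP
3. Alerting mechanism

File upload vulnerability: malicious code is planted on the server through an upload interface and then executed by requesting it through a URL
Execution form: bgx.com/1.jpg/1.php

3. Common attack methods
SQL injection through unfiltered/unreviewed user input, which makes the application run SQL code that it should not run
Countermeasures
1. Enable the security-related restrictions in the PHP configuration
2. Developers review SQL submissions and block common injection techniques
3. Build a WAF application-layer firewall with Nginx + Lua to prevent SQL injection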

Simulating a SQL injection attack

  • Quickly install an LNMP stack
[root@proxy ~]# yum install mariadb mariadb-server php php-fpm php-mysql -y

# Configure MySQL
[root@nginx ~]# systemctl start mariadb
[root@proxy ~]# mysql -uroot

MariaDB [(none)]> create database info;
MariaDB [(none)]> use info;
MariaDB [info]> create table user(id int(11),username varchar(64), password varchar(64), email varchar(64));
MariaDB [info]> desc user;
+----------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| id | int(11) | YES | | NULL | |
| username | varchar(64) | YES | | NULL | |
| password | varchar(64) | YES | | NULL | |
| email | varchar(64) | YES | | NULL | |
+----------+-------------+------+-----+---------+-------+

// Insert data
MariaDB [info]> insert into user (id,username,password,email) values(1,'bgx',('123'),'bgx@foxmail.com');
MariaDB [info]> select * from info.user;
+------+----------+----------------------------------+-----------------+
| id | username | password | email |
+------+----------+----------------------------------+-----------------+
| 1 | bgx | 123 | bgx@foxmail.com |
+------+----------+----------------------------------+-----------------+
1 row in set (0.00 sec)

# Configure the PHP code
[root@proxy ~]# mkdir -p /soft/code

[root@proxy ~]# vim /soft/code/login.html

<html>
<head>
<title> Sql注入演示场景 </title>
<meta http-equiv="content-type"content="text/html;charset=utf-8">
</head>
<body>
<form action="sql.php" method="post">
<table>
<tr>
<td> 用 户: </td>
<td><input type="text" name="username"></td>
</tr>

<tr>
<td> 密 码: </td>
<td><input type="text" name="password"></td>
</tr>
<tr>
<td><input type="submit" value="提交"></td>
<td><input type="reset" value="重置"></td>
</tr>
</table>
</form>
</body>
</html>

# The sql.php file called by the HTML form

[root@proxy ~]# vi /soft/code/sql.php

<?php
$conn = mysql_connect("localhost",'root','') or die("数据库连接失败!");
mysql_select_db("info",$conn) or die ("您选择的数据库不存在");
$name=$_POST['username'];
$pwd=$_POST['password'];
$sql="select * from user where username='$name' and password='$pwd'";
echo $sql."<br />";
$query=mysql_query($sql);
$arr=mysql_fetch_array($query);
if($arr){
echo "login success!<br />";
echo $arr[1];
echo $arr[3]."<br /><br />";
}else{
echo "login failed!";
}
?>

[root@proxy conf.d]# systemctl start php-fpm

# Configure Nginx + PHP

[root@proxy conf.d]# vim phpserver.conf

server {
    server_name 60.205.217.112;
    root /soft/code;
    index index.html index.php;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /soft/code/$fastcgi_script_name;
        include fastcgi_params;
    }
}

http://60.205.217.112/sql.php
bgx / 123
# SQL injection
# Username: ' or 1=1#'
# I ran into this with pymysql; the problem comes from building the SQL statement by string concatenation yourself, and it can be avoided by using the query-building method the library provides

Using Lua to address this kind of security problem

Deploying the WAF protection code

# https://github.com/loveshell/ngx_lua_waf

[root@proxy src]# yum install -y git
[root@proxy src]# cd /soft/src/
[root@proxy src]# git clone https://github.com/loveshell/ngx_lua_waf

# Copy ngx_lua_waf into the Nginx directory and name it waf
[root@proxy src]# cp -r ngx_lua_waf /etc/nginx/waf

// Add to the http section of nginx.conf

[root@proxy conf.d]# vim phpserver.conf

lua_package_path "/etc/nginx/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /etc/nginx/waf/init.lua;
access_by_lua_file /etc/nginx/waf/waf.lua;

server {
    server_name 60.205.217.112;
    root /soft/code;
    index index.html index.php;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /soft/code/$fastcgi_script_name;
        include fastcgi_params;
    }
}

[root@proxy conf.d]# /etc/nginx/sbin/nginx -t
[root@proxy conf.d]# /etc/nginx/sbin/nginx -s reload

# Configure the WAF rule directory in config.lua (usually under waf/conf/)
[root@proxy waf]# vim /etc/nginx/waf/config.lua

RulePath = "/etc/nginx/waf/wafconf/"
attacklog = "on"
logdir = "/etc/nginx/logs/hack/"

# If the absolute paths change, update them accordingly, then restart Nginx

[root@proxy conf.d]# /etc/nginx/sbin/nginx -t
[root@proxy conf.d]# /etc/nginx/sbin/nginx -s reload

Preventing SQL injection with Nginx + Lua

# Add a rule
vim /etc/nginx/waf/wafconf/post
\sor\s+

\s = whitespace: whitespace, "or", whitespace
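
How a body rule such as \sor\s+ behaves on the login form, as an added example (not ngx_lua_waf's code; the function names and request bodies are constructed, and the Lua pattern %sor%s+ stands in for the PCRE rule because plain Lua has no PCRE engine). It flags the page's ' or 1=1#' input and also ordinary text that contains " or ".

```lua
-- Added example, not ngx_lua_waf's code. The Lua pattern "%sor%s+" stands in
-- for the PCRE rule \sor\s+ from wafconf/post.
local POST_RULES = { "%sor%s+" }

-- Decode one application/x-www-form-urlencoded component.
local function unescape(s)
    s = s:gsub("%+", " ")
    return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Split a POST body into decoded name/value pairs.
local function parse_form(body)
    local args = {}
    for pair in body:gmatch("[^&]+") do
        local k, v = pair:match("^([^=]*)=?(.*)$")
        args[unescape(k)] = unescape(v)
    end
    return args
end

-- Return the field name and rule of the first match, or nil when nothing matches.
local function check_post(body)
    for name, value in pairs(parse_form(body)) do
        local lowered = value:lower()       -- this sketch matches case-insensitively
        for _, rule in ipairs(POST_RULES) do
            if lowered:find(rule) then return name, rule end
        end
    end
    return nil
end

-- Constructed request bodies for the login.html form.
local login  = "username=bgx&password=123"
local inject = "username=%27+or+1%3D1%23%27&password=x"  -- ' or 1=1#' from the page
local benign = "username=bgx&password=tea+or+coffee"      -- ordinary text

assert(check_post(login) == nil)
assert(check_post(inject) == "username")
assert(check_post(benign) == "password")                  -- false positive
print("rule hits:", check_post(inject), check_post(benign))
```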

Preventing CC attacks

[root@nginx ~]# vim /etc/nginx/waf/config.lua
CCDeny="on"
CCrate="100/60"
-- Set the CC attack rate limit; the unit is seconds.
-- By default the same IP may request the same URL only 100 times per minute
[root@proxy conf.d]# /etc/nginx/sbin/nginx -t
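[root@proxy conf.d]# /etc/nginx/sbin/nginx -s reload

# Start a local virtual machine and test
[root@linux-node1 ~]# yum install httpd-tools
[root@linux-node1 ~]# ab -n 2000 -c 200 http://60.205.217.112/login.html

# Access again from the local machine: once over the limit it is blocked; other IPs are not affected
# It is still reachable from a phone, which shows that other IPs are not affected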
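
The CCrate = "100/60" behavior described above (one IP, one URL, 100 requests per 60 seconds, other IPs unaffected), as an added example rather than ngx_lua_waf's own code. The dictionary is a stand-in for an ngx.shared dict such as the lua_shared_dict limit declared earlier, and new_dict, allow and the sample addresses are assumptions.

```lua
-- Added example, not ngx_lua_waf's code: a fixed-window counter for
-- CCrate = "100/60", keyed by client IP .. URI. new_dict() is a stand-in for
-- an ngx.shared dict; the clock is injected so no sleeping is needed.
local function new_dict(now)
    local store, d = {}, {}
    function d:get(k)
        local e = store[k]
        if e and e.expires > now() then return e.value end
    end
    function d:set(k, v, ttl) store[k] = { value = v, expires = now() + ttl } end
    function d:incr(k, n)
        local e = store[k]
        if not e or e.expires <= now() then return nil, "not found" end
        e.value = e.value + n
        return e.value
    end
    return d
end

local function parse_rate(s)
    local count, seconds = s:match("^(%d+)/(%d+)$")
    return tonumber(count), tonumber(seconds)
end

-- Returns true when the request may pass, false when it must be rejected.
local function allow(dict, rate, ip, uri)
    local count, seconds = parse_rate(rate)
    local key = ip .. uri
    local seen = dict:get(key)
    if not seen then
        dict:set(key, 1, seconds)    -- first hit opens the window
        return true
    end
    if seen >= count then return false end
    dict:incr(key, 1)                -- TTL is untouched: the window does not slide
    return true
end

-- Constructed traffic: 120 requests from one address within the same minute.
local t = 0
local dict = new_dict(function() return t end)
local passed = 0
for _ = 1, 120 do
    if allow(dict, "100/60", "198.51.100.7", "/login.html") then passed = passed + 1 end
end
assert(passed == 100)
assert(allow(dict, "100/60", "203.0.113.9", "/login.html"))  -- other IP unaffected
t = 61
assert(allow(dict, "100/60", "198.51.100.7", "/login.html")) -- window expired
```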

Learning Nginx + Lua

https://github.com/loveshell/ngx_lua_waf