Configure a blacklist or whitelist firewall for the Nginx server

Source: Internet
Author: User
Tags: lua, nginx, server

Feature description:
IP addresses and networks in the blacklist cannot access the web service.
IP addresses in the whitelist can access the web service without being restricted by any of nginx's security modules.
Dynamic blacklists are supported (this requires the ngx_http_limit_req module; see the instructions below).
Details follow.
Configuration file method
First, defining a blacklist or whitelist:
1. Configuration format
Configure the keyword, the blacklist or whitelist file, and the storage space (zone):
white_black_list_conf conf/white.list zone=white:2m;
|                     |               |         |
|                     |               |         +-- size of the storage space (2m here); the size determines the capacity of the list
|                     |               +------------ storage space (zone) name
|                     +---------------------------- path of the blacklist or whitelist configuration file
+-------------------------------------------------- configuration directive
2. The configuration keyword is white_black_list_conf.
3. It can only be used inside http{}.
4. Several white_black_list_conf directives may be configured; they are distinguished by the name given in zone=value.
5. Configuration example:

http{...
    white_black_list_conf conf/white.list zone=white:4m;
    white_black_list_conf conf/black.list zone=black:4m;
    ......
    server{...
    }
    .......
}

Second, scope of the blacklist and whitelist
1. Configuration format
white_list zone_name on|off;
black_list zone_name on|off;
The keywords white_list and black_list enable or disable the whitelist and the blacklist respectively, for the zone named.
2. They can be used inside http{}, server{} and location{}; the default is off.
3. Configuration examples:

http{...
    white_black_list_conf conf/white.list zone=white1:4m;
    white_black_list_conf conf/black.list zone=black1:4m;
    white_list white1 on;    # whitelist white1 is enabled for the entire http{}
    black_list black1 on;    # blacklist black1 is enabled for the entire http{}
    server{...
    }
    .......
}

http{...
    white_black_list_conf conf/white.list zone=white2:4m;
    white_black_list_conf conf/black.list zone=black2:4m;
    server{...
        white_list white2 on;    # whitelist white2 is enabled for the entire server{}
        black_list black2 on;    # blacklist black2 is enabled for the entire server{}
        ...
    }
    .......
}

http{...
    white_black_list_conf conf/white.list zone=white3:4m;
    white_black_list_conf conf/black.list zone=black3:4m;
    white_black_list_conf conf/black.list zone=black2:4m;
    white_black_list_conf conf/white.list zone=white2:4m;
    server{...
        location /do {...
            white_list white3 on;    # whitelist white3 is enabled in location /do{}
            black_list black3 on;    # blacklist black3 is enabled in location /do{}
            ...
        }
        location /do1 {...
            white_list white2 on;    # whitelist white2 is enabled in location /do1{}
            black_list black2 on;    # blacklist black2 is enabled in location /do1{}
            ...
        }
    }
    .......
}

4. HTTP configuration interface
(1) Configuring the interface

http{.....
    server{...
        location/sec_config{
            sec_config on;
        }
        ......
    }
    .......
}

(2) Usage. Because this interface adds and deletes list entries over plain HTTP GET requests, restrict who can reach location /sec_config (for example with nginx's allow and deny directives).
A. http://xxx/sec_config shows the blacklist and whitelist definitions.
It returns the following:

{
    "version":    "nginx/1.3.0",
    "code":    "0",
    "item":    {
        "conf_type":    "white_black_list_conf",
        "zone_name":    "white",
        "list_path":    "/home/john/nginx/conf/white.list"
    },
    "item":    {
        "conf_type":    "white_black_list_conf",
        "zone_name":    "black",
        "list_path":    "/home/john/nginx/conf/black.list"
    },
    "item":    {
        "conf_type":    "white_black_list_conf",
        "zone_name":    "ex",
        "list_path":    "/home/john/nginx/conf/status_ex"
    }
}

B. http://xxx/sec_config?zone_name=white shows the contents of the list_path file of the zone named white.
C. http://xxx/sec_config?zone_name=white&add_item=192.168.141.23 adds 192.168.141.23 to the zone named white.
D. http://xxx/sec_config?zone_name=white&delete_item=192.168.141.23 deletes 192.168.141.23 from the zone named white.
A second way to view the configuration:
http://xxx/sec_config?for_each
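As an added example (not code from the module or from this page), the following Python parses the sec_config listing above, whose repeated "item" keys a plain json.loads() would collapse to one entry, and builds add_item/delete_item URLs with the address validated first. The sec_config_url helper and the base URL http://xxx are assumptions; the sample response is constructed from the output shown above.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Constructed sample of the response shown above. The interface repeats the
# "item" key once per zone, so a plain json.loads() would keep only the last one.
SAMPLE_RESPONSE = """{
    "version": "nginx/1.3.0",
    "code": "0",
    "item": {"conf_type": "white_black_list_conf", "zone_name": "white",
             "list_path": "/home/john/nginx/conf/white.list"},
    "item": {"conf_type": "white_black_list_conf", "zone_name": "black",
             "list_path": "/home/john/nginx/conf/black.list"}
}"""


def parse_zones(body):
    """Return every "item" object from a sec_config response, duplicates included."""
    zones = []

    def keep_items(pairs):
        # Called for every JSON object, innermost first; collect the repeated
        # "item" entries before dict() collapses them.
        for key, value in pairs:
            if key == "item" and isinstance(value, dict):
                zones.append(value)
        return dict(pairs)

    json.loads(body, object_pairs_hook=keep_items)
    return zones


def sec_config_url(base, zone_name, add_item=None, delete_item=None):
    """Build an add_item or delete_item URL for one zone (hypothetical helper).

    The address is validated with the ipaddress module so that only a
    well-formed IPv4/IPv6 address is ever written into the list file.
    """
    if (add_item is None) == (delete_item is None):
        raise ValueError("specify exactly one of add_item or delete_item")
    addr = add_item if add_item is not None else delete_item
    ipaddress.ip_address(addr)  # raises ValueError on anything that is not an IP
    params = {"zone_name": zone_name,
              "add_item" if add_item is not None else "delete_item": addr}
    return f"{base.rstrip('/')}/sec_config?{urlencode(params)}"
```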
Third, contents of the blacklist and whitelist files
The contents of the conf/black.list file are as follows:

2.2.2.2
192.168.141.1
3.3.3.3
4.4.4.5
2.3.4.4

Fourth, dynamic blacklist
To use this feature, ngx_http_limit_req_module.c must be patched.
In ngx_http_limit_req_module.c, add
#include <white_black_list.h>
then find the following code:

  if (rc == NGX_BUSY) {
      ngx_log_error(lrcf->limit_log_level, r->connection->log, 0,
                    "limiting requests, excess: %ui.%03ui by zone \"%V\"",
                    excess / 1000, excess % 1000,
                    &limit->shm_zone->shm.name);

and add the following line below it:

  ngx_black_add_item_interface(r, 1);

Configuration keyword:
    dyn_black
Format:
    dyn_black $zone_name time;
For example:
    dyn_black black 60;    blocks access for 60 seconds; the entry is removed automatically after 60 seconds
Note:
    black_list must be configured as well.
Configuration example:

http{.....
    white_black_list_conf conf/black.list zone=black:4m;
    limit_req_zone $binary_remote_addr zone=one:8m rate=4r/s;
    ...
    server {
        location / {
            black_list black on;
            limit_req zone=one burst=6;
            dyn_black black 60;    # blocked for 60 seconds, lifted automatically afterwards
            ...
        }
        location /xxx {
            sec_config on;
        }
        ...
    }
    ...
}
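As an added example (not the module's own code), the following Python models the list semantics this page describes: list files with one entry per line as in conf/black.list above, a whitelist that overrides blocking, and a dyn_black entry that expires after the configured time. The CIDR entry format, the assumption that the whitelist also overrides dyn_black, and the names load_list, DynBlack and decide are assumptions; the list contents are constructed.

```python
import ipaddress
import time

# Constructed list files. The page shows one IP per line; the CIDR network
# entry is an assumption based on the feature description ("IP and network").
BLACK_LIST = "2.2.2.2\n192.168.141.0/24\n3.3.3.3\n"
WHITE_LIST = "192.168.141.23\n"

def load_list(text):
    """Parse one address or network per line; blank and '#' lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def in_list(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

class DynBlack:
    """Models 'dyn_black black 60': an address added when limit_req returns
    NGX_BUSY stays blocked for ttl seconds and is then dropped automatically."""

    def __init__(self, ttl, clock=time.time):
        self.ttl, self.clock, self.until = ttl, clock, {}

    def add(self, addr):  # the role of ngx_black_add_item_interface(r, 1)
        self.until[addr] = self.clock() + self.ttl

    def blocked(self, addr):
        expires = self.until.get(addr)
        if expires is None:
            return False
        if expires <= self.clock():  # ttl elapsed: automatic removal
            del self.until[addr]
            return False
        return True

def decide(addr, white, black, dyn):
    """Whitelist wins (assumed to override dyn_black as well); otherwise a
    static or dynamic blacklist hit denies the request."""
    if in_list(white, addr):
        return "allow"
    if in_list(black, addr) or dyn.blocked(addr):
        return "deny"
    return "allow"
```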

PS: ngx_lua_waf, a web application firewall based on lua-nginx-module

Project address: https://github.com/loveshell/ngx_lua_waf?utm_source=tuicool&utm_medium=referral
Recommended installation:

LuaJIT 2.1 is recommended for Lua support.

If ngx_lua is version 0.9.2 or above, it is recommended to change the regular-expression filter function to ngx.re.find; matching efficiency improves by roughly three times.

Instructions for use:

The nginx installation path is assumed to be /usr/local/nginx/conf/.

Download ngx_lua_waf into the conf directory and extract it under the name waf.

Add the following to the http{} section of nginx.conf:

  lua_package_path "/usr/local/nginx/conf/waf/?.lua";
  lua_shared_dict limit 10m;
  init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
  access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Configure the WAF rules directory in config.lua (usually in the waf/conf/ directory):

  RulePath = "/usr/local/nginx/conf/waf/wafconf/"

If the absolute path is different, it needs to be modified accordingly.

Then restart nginx.

Configuration file details:

RulePath = "/usr/local/nginx/conf/waf/wafconf/"
--rule storage directory
attacklog = "off"
--whether to record attack information; logdir must be configured
logdir = "/usr/local/nginx/logs/hack/"
--log storage directory; the user must create this directory and it must be writable by the nginx user
UrlDeny="on"
--whether to block URL access
Redirect="on"
--redirect after blocking
CookieMatch="on"
--whether to intercept cookie attacks
postMatch="on"
--whether to intercept POST attacks
whiteModule="on"
--enable the URL whitelist
ipWhitelist={"127.0.0.1"}
--IP whitelist; multiple IPs are separated by commas
ipBlocklist={"1.0.0.1"}
--IP blacklist; multiple IPs are separated by commas
CCDeny="on"
--whether to block CC attacks (lua_shared_dict limit 10m; must be added to the http{} section of nginx.conf)
CCrate="100/60"
--CC attack frequency, in seconds.
--By default the same IP can request the same address only 100 times per minute
html=[[please go away~~]]
--warning content; it can be customized inside the brackets
Note: do not alter the double quotes; the settings are case-sensitive

Check whether the rules take effect

After deployment, you can try the following command:

  curl http://xxxx/test.php?id=../etc/passwd

If the words "please go away~~" are returned, the rules are in effect.
Note: by default the local machine is on the whitelist and is not filtered; this can be adjusted in config.lua.

Rule updates:

Because of regular-expression caching, dynamic rules can affect performance, so shared memory dictionaries and Redis are not used for dynamic rule management.

To update rules, the rule files can be placed on another server and downloaded on a schedule by a crontab task; an nginx reload then makes them effective. This keeps the performance of ngx_lua_waf high.

To only record the filter log without blocking, comment out the check in the code (add -- in front of it); to block, do the reverse.

Some notes:

The filter rules are under wafconf and can be adjusted as required; each rule goes on its own line, or rules can be separated with |.

    • global is the global filter file; its rules are applied to both POST and GET requests
    • get contains rules that filter only GET requests
    • post contains rules that filter only POST requests
    • whitelist is the URL whitelist; URLs matching it are not filtered
    • user-agent contains the filter rules for the User-Agent header

GET and POST filtering are turned on by default; to turn on cookie filtering, edit waf.lua and uncomment the relevant section (remove the leading --).

The log file name is formatted as follows: <virtual host name>_sec.log
