nginx dynamic IP blacklist/whitelist as a web firewall (ngx_white_black_list)

Feature description:
Clients whose IP address is on the blacklist cannot access the web service.
Clients whose IP address is on the whitelist are not restricted by any of nginx's security modules when they access the web service.
Dynamic blacklisting is supported (requires ngx_http_limit_req).
Detailed description
Configuration file instructions
I. Defining a black or white list:
1. Configuration form
directive             list file       storage zone
white_black_list_conf conf/white.list zone=white:2m;
|                     |                    |     |
|                     |                    |     +--- zone size (2m here): determines how many entries the list can hold
|                     |                    +--------- zone name
|                     +------------------------------ path to the black or white list file
+------------------------------------------------------ directive name
2. Directive: white_black_list_conf.
3. May only be used inside http {}.
4. white_black_list_conf may be given several times, each with a different zone= name.
5. Configuration Example:
http{
        ......
        white_black_list_conf conf/white.list zone=white:4m;
        white_black_list_conf conf/black.list zone=black:4m;
        ......
        server{
        .......
        }
        .......
}
II. Scope of the black and white lists
1. Configuration form
Directive value: on / off
Directives: white_list and black_list, enabling the whitelist and the blacklist respectively
2. May be used in http {}, server {} and location {}; disabled by default
3. Configuration example:
http{
        ......
        white_black_list_conf conf/white.list zone=white1:4m;
        white_black_list_conf conf/black.list zone=black1:4m;
        white_list white1 on; # whitelist white1 is enabled throughout http {}
        black_list black1 on; # blacklist black1 is enabled throughout http {}
        server{
                .......
        }
        .......
}
http{
        ......
        white_black_list_conf conf/white.list zone=white2:4m;
        white_black_list_conf conf/black.list zone=black2:4m;
        server{
                .......
                white_list white2 on; # whitelist white2 is enabled throughout this server {}
                black_list black2 on; # blacklist black2 is enabled throughout this server {}
                .......
        }
        .......
}
http{
        ......
        white_black_list_conf conf/white.list zone=white3:4m;
        white_black_list_conf conf/black.list zone=black3:4m;
        white_black_list_conf conf/black.list zone=black2:4m;
        white_black_list_conf conf/white.list zone=white2:4m;
        server{
                .......
                location /do {
                        ........
                        white_list white3 on; # whitelist white3 is enabled only within location /do {}
                        black_list black3 on; # blacklist black3 is enabled only within location /do {}
                        ........
                }
                location /do1{
                        white_list white2 on; # whitelist white2 is enabled only within location /do1 {}
                        black_list black2 on; # blacklist black2 is enabled only within location /do1 {}
                }
                .......
        }
        .......
}
HTTP configuration interface description:
I. Configuring the interface
http{
        .......
        server{
                ......
                location /sec_config{
                        sec_config on;
                }
                ......
        }
        .......
}
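The /sec_config location shown above lists, adds and deletes list entries over plain HTTP GET, so the same location is shown here restricted to a management host with the standard ngx_http_access_module directives and given its own access log. This is an added example, not the page's or the module's configuration; the management address and log path are assumptions.

```nginx
server {
        # Weak: reachable by anyone who can reach the server, so any client
        # could list, add or delete entries in every zone.
        # location /sec_config {
        #         sec_config on;
        # }

        # Hardened: only the management host (assumed address) may use the
        # interface, and its calls go to a dedicated log (assumed path) so
        # list changes can be audited.
        location /sec_config {
                allow 127.0.0.1;
                deny all;
                access_log /var/log/nginx/sec_config.log;
                sec_config on;
        }
}
```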
II. Using the interface:
1. http://xxx/sec_config shows which black and white lists are defined.
It returns a result like the following (note that the "item" key is repeated once per zone):
{
        "version":        "nginx/1.3.0",
        "code":        "0",
        "item":        {
                "conf_type":        "white_black_list_conf",
                "zone_name":        "white",
                "list_path":        "/home/john/nginx/conf/white.list"
        },
        "item":        {
                "conf_type":        "white_black_list_conf",
                "zone_name":        "black",
                "list_path":        "/home/john/nginx/conf/black.list"
        },
        "item":        {
                "conf_type":        "white_black_list_conf",
                "zone_name":        "ex",
                "list_path":        "/home/john/nginx/conf/status_ex"
        }
}
2. http://xxx/sec_config?zone_name=white shows the contents of the list_path file belonging to the zone named white
3. http://xxx/sec_config?zone_name=white&add_item=192.168.141.23 adds 192.168.141.23 to the zone named white
4. http://xxx/sec_config?zone_name=white&delete_item=192.168.141.23 deletes 192.168.141.23 from the zone named white
Alternative way to view the configuration:
http://xxx/sec_config?for_each
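A small client for the interface described above, as an added example that is not part of the module: it parses the listing (whose repeated "item" key a plain JSON load would silently collapse to the last zone) and builds the add_item / delete_item URLs only after validating the address as IPv4. The sample listing is constructed from the page's output; the base URL http://xxx is the page's placeholder.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Constructed sample modelled on the listing the page shows for /sec_config.
# "item" is repeated once per zone; the pairs hook below keeps every copy.
SAMPLE_LISTING = """{
        "version": "nginx/1.3.0",
        "code": "0",
        "item": {"conf_type": "white_black_list_conf", "zone_name": "white",
                 "list_path": "/home/john/nginx/conf/white.list"},
        "item": {"conf_type": "white_black_list_conf", "zone_name": "black",
                 "list_path": "/home/john/nginx/conf/black.list"}
}"""


def _keep_duplicates(pairs):
    """object_pairs_hook that turns a repeated key into a list of its values."""
    out = {}
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif isinstance(out[key], list):
            out[key].append(value)
        else:
            out[key] = [out[key], value]
    return out


def parse_listing(text):
    """Map zone_name -> list_path from the /sec_config listing."""
    doc = json.loads(text, object_pairs_hook=_keep_duplicates)
    items = doc.get("item", [])
    if isinstance(items, dict):  # only one zone defined
        items = [items]
    return {item["zone_name"]: item["list_path"] for item in items}


def sec_config_url(base, zone_name, add_item=None, delete_item=None):
    """Build the GET URL for add_item / delete_item on a zone."""
    if (add_item is None) == (delete_item is None):
        raise ValueError("give exactly one of add_item or delete_item")
    params = {"zone_name": zone_name}
    # Validate as IPv4 so a typo or non-address never reaches the list file.
    if add_item is not None:
        params["add_item"] = str(ipaddress.IPv4Address(add_item))
    else:
        params["delete_item"] = str(ipaddress.IPv4Address(delete_item))
    return base.rstrip("/") + "/sec_config?" + urlencode(params)
```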
III. Contents of the black and white list files
The file conf/black.list reads as follows (one IP address per line):
2.2.2.2
192.168.141.1
3.3.3.3
4.4.4.5
2.3.4.4
IV. Dynamic blacklist
    To use this feature, ngx_http_limit_req_module.c must be patched.
    In ngx_http_limit_req_module.c:
    add #include <white_black_list.h>
    then locate the following code:

    if (rc == NGX_BUSY) {
        ngx_log_error(lrcf->limit_log_level, r->connection->log, 0,
                      "limiting requests, excess: %ui.%03ui by zone \"%V\"",
                      excess / 1000, excess % 1000,
                      &limit->shm_zone->shm.name);

    and add directly after it:

        ngx_black_add_item_interface(r, 1);

        Directive:
                dyn_black
        Format:
                dyn_black $zone_name time;
        Example:
                dyn_black black 60; # block access for 60 seconds; released automatically after 60 seconds
        Note:
                black_list must also be configured
        Configuration example:
                http{
                        ....
                        white_black_list_conf conf/black.list zone=black:4m;
                        limit_req_zone $binary_remote_addr zone=one:8m rate=4r/s;
                        ...
                        server {
                                location / {
                                        black_list black on;
                                        limit_req zone=one burst=6;
                                        dyn_black black 60; # block access for 60 seconds; released automatically after 60 seconds
                                        ...
                                }
                                location /xxx {
                                        sec_config on;
                                }
                                ...
                        }
                        ...
                }
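To make the interaction between limit_req and dyn_black concrete, here is an added, constructed model of the example above (rate=4r/s, burst=6, dyn_black black 60) that is not the module's code: a leaky bucket per client that, on the rejection branch the patch hooks, adds the client to a blacklist with a 60-second expiry, while whitelisted clients bypass both checks.

```python
# Values from the page's example: rate=4r/s, burst=6, dyn_black black 60.
RATE_PER_SEC = 4
BURST = 6
DYN_BLACK_SECONDS = 60


class DynBlackSimulator:
    """Constructed model of limit_req's leaky bucket combined with dyn_black.

    Excess is counted in thousandths of a request, as ngx_http_limit_req does;
    once it exceeds burst*1000 the request is rejected (the NGX_BUSY branch the
    patch hooks) and the client is blacklisted until now + ttl.
    """

    def __init__(self, rate=RATE_PER_SEC, burst=BURST, ttl=DYN_BLACK_SECONDS,
                 whitelist=()):
        self.rate, self.burst, self.ttl = rate, burst, ttl
        self.whitelist = set(whitelist)  # white_list: never limited or blocked
        self.excess = {}                 # ip -> (excess_milli, last_seen)
        self.blacklist = {}              # ip -> expiry time set by dyn_black

    def request(self, ip, now):
        """Classify one request as 'allowed', 'limited' or 'blacklisted'."""
        if ip in self.whitelist:
            return "allowed"
        expiry = self.blacklist.get(ip)
        if expiry is not None:
            if now < expiry:
                return "blacklisted"
            del self.blacklist[ip]       # released automatically after ttl
        if ip not in self.excess:        # first request: bucket starts empty
            self.excess[ip] = (0, now)
            return "allowed"
        prev, last = self.excess[ip]
        # Drain the bucket by rate * elapsed, then add this request.
        excess = max(0, prev - int((now - last) * self.rate * 1000)) + 1000
        if excess > self.burst * 1000:
            # This is where ngx_black_add_item_interface(r, 1) runs in the patch.
            self.blacklist[ip] = now + self.ttl
            return "limited"
        self.excess[ip] = (excess, now)
        return "allowed"

    def active_blacklist(self, now):
        """Addresses whose dynamic block is still in force at time `now`."""
        return sorted(ip for ip, exp in self.blacklist.items() if now < exp)
```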
References
Project address: https://github.com/codehunte/ngx_white_black_list
Project documentation: https://github.com/codehunte/ngx_white_black_list/blob/master/white_black_list.txt
Website: Operations and Maintenance Lifetime (ttlsa)   URL: http://www.ttlsa.com/html/4145.html

Reproduced from: https://my.oschina.net/766/blog/211390

Origin: blog.csdn.net/weixin_33713350/article/details/91493206