惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
Apple Machine Learning Research
Apple Machine Learning Research
L
LINUX DO - 最新话题
T
The Blog of Author Tim Ferriss
P
Proofpoint News Feed
宝玉的分享
宝玉的分享
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
GbyAI
GbyAI
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Visual Studio Blog
爱范儿
爱范儿
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园_首页
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
博客园 - 叶小钗
D
Docker
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
Tailwind CSS Blog
D
DataBreaches.Net
酷 壳 – CoolShell
酷 壳 – CoolShell
B
Blog RSS Feed
量子位
美团技术团队
Vercel News
Vercel News
Y
Y Combinator Blog
IT之家
IT之家
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
S
SegmentFault 最新的问题
腾讯CDC
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
罗磊的独立博客
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
The Register - Security
The Register - Security
博客园 - 司徒正美
N
Netflix TechBlog - Medium
S
Schneier on Security
博客园 - 聂微东
U
Unit 42
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Latest news
Latest news

博客园 - 一起走过的路

Nginx GeoIP2 模块编译安装与配置指南(附防国外访问实战) MySQL查询当前连接数的语句 Apollo批量给新创建的用户授可编辑权限 物理机Jenkins接入K8s环境 ingress配置https报错certificate.lua:259: call(): failed to set DER private key: d2i_PrivateKey_bio() failed, context: ssl_certificate_by_lua* elk收集分析nginx日志,并绘制图形 Zabbix Scheduled reports中文乱码 kubernetes mysql-StatefulSet报错处理 Jenkins合并代码Git报错处理过程 nginx集群同步方案 zabbix密码复杂度有效期安全增强,符合三级等保要求。 archery关闭导出功能 自动同步bing壁纸 CentOS7更新OpenSSH8 elk监听Java日志发送微信报警 OPENVPN 同时连接多个VPN - 一起走过的路 keepalived健康检查及双主MySQL健康检查脚本 执迷不悟 splunk设置索引周期和索引大小
nginx拒绝国外IP访问
一起走过的路 · 2021-01-11 · via 博客园 - 一起走过的路

nginx拒绝国外IP访问方法很多,比如iptables,geoip模块,域名解析等等。这些方法不会相互冲突,可以结合起来一起使用。

今天来教大家利用两个小方法解决  域名解析禁止掉海外IP访问网站。

域名解析方法:

绝大多数域名解析服务商都是提供电信联通移动海外线路区分解析的,所以我们可以充分利用这个功能,来禁止海外访问。

以阿里云DNS解析为例:

       设置A记录类型

       解析线路:境外

       记录值:127.0.0.1

       设置后等30分钟后我们再用ping工具测试下境外解析,就会发现所有的海外线路都会解析至127.0.0.1这个IP上,为什么是127.0.0.1呢?因为这个是本地IP,如果有攻击海外肉鸡攻击这个网站,就会自己攻击自己。

结合我写的另外一个方法:

用脚本每周更新国外IP库,利用nginx deny功能直接拒绝这些IP地址。

#添加到crontab
0 0 * * 5 /bin/bash /root/tools/black_nginx.sh

代码内容

#!/bin/bash
rm -f legacy-apnic-latest black_`date +%F`.conf && wget http://ftp.apnic.net/apnic/stats/apnic/legacy-apnic-latest awk -F '|' '{if(NR>2)printf("%s %s/%d%s\n","deny",$4,24,";")}' legacy-apnic-latest > black_`date +%F`.conf && rm -f /usr/local/nginx/conf/black.conf && ln -s $PWD/black_`date +%F`.conf /usr/local/nginx/conf/black.conf && /etc/init.d/nginx reload

 在nginx主配置文件的http段include black.conf; 这样此服务器所有网站都拒绝这些IP

经过学习更新一个方法,使用openresty:

官方下载地址:http://openresty.org/cn/download.html

推荐几个waf模块  https://github.com/unixhot/waf

                             https://github.com/loveshell/ngx_lua_waf

下载完waf模块,把waf文件夹移动到/usr/local/openresty/nginx/conf/

git clone https://github.com/unixhot/waf.git
cp -a ./waf/waf /usr/local/openresty/nginx/conf/

或者

cd /usr/local/openresty/server/nginx/conf
git clone https://github.com/loveshell/ngx_lua_waf.git
mv ngx_lua_waf waf

在主配置文件夹内引入

vim /usr/local/openresty/nginx/conf/nginx.conf
...
http {
lua_shared_dict limit 10m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
...
}

启动报错

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
    no field package.preload['resty.core']
    no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
    no file '/usr/local/openresty/site/lualib/resty/core.so'
    no file '/usr/local/openresty/lualib/resty/core.so'
    no file './resty/core.so'
    no file '/usr/local/lib/lua/5.1/resty/core.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file '/usr/local/openresty/site/lualib/resty.so'
    no file '/usr/local/openresty/lualib/resty.so'
    no file './resty.so'
    no file '/usr/local/lib/lua/5.1/resty.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
    no file '/usr/local/lib/lua/5.1/loadall.so')

或者

failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
no file '/usr/local/openresty/site/lualib/resty/core.so'
no file '/usr/local/openresty/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /usr/local/openresty/nginx/conf/nginx.conf:130

  解决办法

ln -s /usr/local/openresty/server/lualib /usr/local/lib/lua
ln -s /usr/local/openresty/server/lualib/resty /usr/local/openresty/server/nginx/conf/waf/resty

https://www.cnblogs.com/cheyunhua/p/13395745.html

https://www.jianshu.com/p/bffbd9bc4c53