forked from yaoweibin/nginx_limit_access_module
-
Notifications
You must be signed in to change notification settings - Fork 0
noanswer/nginx_limit_access_module
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Name
nginx_limit_access_module - support to deny request by specific variable
with HTTP POST interface
Status
This module is at its very early phase of development and considered
highly experimental. But you're encouraged to test it out on your side
and report any quirks that you experience.
We need your help! If you find this module useful and/or interesting,
please consider joining the development!
Synopsis
a simple deny ip example:
http {
limit_access_zone zone=one:5m bucket_number=10007 type=ip;
server {
listen 80;
server_name localhost;
limit_access_variable zone=one $limit_access_deny;
location / {
root html;
index index.html index.htm;
if ($limit_access_deny) {
return 403;
}
}
location /limit_interface {
allow 192.168.1.0/24;
deny all;
limit_access_interface zone=one;
}
}
}
deny both $remote_addr and $host example:
http {
limit_access_zone zone=addr:5m bucket_number=10007 type=$remote_addr;
limit_access_zone zone=host:5m bucket_number=10007 type=$host;
server {
listen 80;
server_name _;
limit_access_variable zone=addr $limit_access_deny_addr;
limit_access_variable zone=host $limit_access_deny_host;
location / {
root html;
index index.html index.htm;
if ($limit_access_deny_addr) {
return 403;
}
if ($limit_access_deny_host) {
return 403;
}
}
location /limit_interface_addr {
allow 192.168.1.0/24;
deny all;
limit_access_interface zone=addr;
}
location /limit_interface_host {
allow 192.168.1.0/24;
deny all;
limit_access_interface zone=host;
}
}
}
Description
This module can deny request specific variable with HTTP POST interface.
Directives
limit_access_zone
syntax: *limit_access_zone zone=name:size [bucket_number=number]
[type=ip|$your_variable];*
default: *none*
context: *http*
The directive describes the area, which stores the record of the limit
hash table. Example of usage:
limit_access_zone zone=one:5m bucket_number=10007 type=ip;
In this case, the hash table is allocated 5MB as a zone called "one".
The hash table's bucket number is 10007. We can get the record's key of
this hash table from the remainder $binary_remote_addr with
bucket_number.
If the record is the type of ip, each record's size is about 32 bytes.
If you have a 5M zone, it can hold about 100k+ records.
The type can be 'ip' or any of the variable in Nginx. I use the 'ip' as
a special variable while I treat the ip as an integer. This can save
some storage memory. Otherwise, I treat all the variable to be string.
limit_access_interface
syntax: *limit_access_interface zone=name;*
default: *none*
context: *location*
This directive set the interface location where you can add or delete
the deny list. See the section of Interface for detail.
limit_access
syntax: *limit_access zone=name;*
default: *none*
context: *http, server, location*
This directive set the location where you can deny specific variable
from the zone's record. If you want to do deny action in several
locations, you can use this directive in their parent block. The
directive is like the deny
(<http://wiki.nginx.org/HttpAccessModule#deny>).
It will look up the zone's hash table. If it find the request's variable
is in the hash table and it's not expired, then return 403.
limit_access_variable
syntax: *limit_access_variable zone=name $limit_access_variable_name;*
default: *none*
context: *http, server, location*
This directive set the name of variable and the zone attached with the
variable. When you access this variable, the variable will do like the
limit_access directive. It will look up the zone's hash table. If it
finds the request's variable is in the hash table and it's not expired,
then the value is '1'. If not, the value is null.
If you want to do the same deny action in several locations, you can use
the directive of *limit_acccess*.
limit_access_default_expire
syntax: *limit_access_default_expire expire_time;*
default: *1d*
context: *http, server, location*
Set the default expire time for the ban list record. Default expire time
is 1 day. The unit of time can be: s(second,default), m(minute),
h(hour), d(day), w(week), M(month), y(year).
limit_access_buffer_size
syntax: *limit_access_buffer_size size;*
default: *256k*
context: *http, server, location*
Specify the output buffer size. If you have a large hash table and want
to show all the records, your result page may be truncated to the buffer
size. You could enlarge the buffer size. Each record could take up about
128 bytes.
limit_access_log_level
syntax: *limit_access_log_level info|notice|warn|error;*
default: *limit_access_log_level error*
context: *http, server, location*
Control the log level of the request deny message.
Interface
The request method sent to the interface location is POST, and the
content-type is application/x-www-form-urlencoded. The content is like
this:
ban_type=variable&ban_expire=3600&ban_list=192.168.1.1,192.168.1.2
The parameters' specification is:
ban_type: the type of ban_list. It can be: ip, variable. It's related
with the type of zone.
ban_expire: the expire time for the ban list. The unit of time can be:
s(second,default), m(minute), h(hour), d(day), w(week), M(month),
y(year).
ban_list: the ban list, the ipv4 address can also be sent by a binary
form.
free_type: the type of free_list.
free_list: free the ban list, the variable will not be denied any more.
show_type: the type of show_list.
show_list: show the ban list. You can get the specific ban list like
this:
show_type=variable&show_list=127.0.0.1,127.1.1.1
If your zone's type is IP, and you want to show all the current ban IP
list, You can do like this:
show_type=ip&show_list=all
destroy_list: invalidate all the current ban list, then all the client
request is allowed.
Installation
Download the latest version of the release tarball of this module from
github (<http://github.com/yaoweibin/nginx_limit_access_module>)
Grab the nginx source code from nginx.org (<http://nginx.org/>), for
example, the version 0.8.53 (see nginx compatibility), and then build
the source with this module:
$ wget 'http://nginx.org/download/nginx-0.8.53.tar.gz'
$ tar -xzvf nginx-0.8.53.tar.gz
$ cd nginx-0.8.53/
$ ./configure --add-module=/path/to/nginx_limit_access_module
$ make
$ make install
Compatibility
My test bed 0.8.53.
TODO
Known Issues
Developing
Changelogs
v0.1
first release
Authors
Weibin Yao(姚伟斌) *yaoweibin AT gmail DOT com*
License
This README template is from agentzh (<http://github.com/agentzh>).
This module is licensed under the BSD license.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
About
support to deny specific variable with HTTP POST interface
Resources
Stars
Watchers
Forks
Packages 0
No packages published
Languages
- Perl 81.6%
- C 18.3%
- Shell 0.1%