CIDR support with whitelist/blacklist IP
This commit is contained in:
parent
31e72dce1c
commit
e190167bfc
10
README.md
10
README.md
|
@ -1,4 +1,4 @@
|
|||
<p align="center">
|
||||
bla<p align="center">
|
||||
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
|
||||
</p>
|
||||
|
||||
|
@ -1173,10 +1173,10 @@ Context : *global*, *multisite*
|
|||
If set to *yes*, lets you define custom IP addresses to be whitelisted through the `WHITELIST_IP_LIST` environment variable.
|
||||
|
||||
`WHITELIST_IP_LIST`
|
||||
Values : *\<list of IP addresses separated with spaces\>*
|
||||
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
|
||||
Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*
|
||||
Context : *global*
|
||||
The list of IP addresses to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
|
||||
The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
|
||||
|
||||
`USE_WHITELIST_REVERSE`
|
||||
Values : *yes* | *no*
|
||||
|
@ -1211,10 +1211,10 @@ Context : *global*, *multisite*
|
|||
If set to *yes*, lets you define custom IP addresses to be blacklisted through the `BLACKLIST_IP_LIST` environment variable.
|
||||
|
||||
`BLACKLIST_IP_LIST`
|
||||
Values : *\<list of IP addresses separated with spaces\>*
|
||||
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
|
||||
Default value :
|
||||
Context : *global*
|
||||
The list of IP addresses to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
|
||||
The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
|
||||
|
||||
`USE_BLACKLIST_REVERSE`
|
||||
Values : *yes* | *no*
|
||||
|
|
|
@ -137,6 +137,9 @@ sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowd
|
|||
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
|
||||
make LUA_LIB_DIR=/usr/local/lib/lua install
|
||||
export LUAJIT_LIB=/usr/local/lib
|
||||
export LUAJIT_INC=/usr/local/include/luajit-2.1
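Review bot: The new `make LUA_LIB_DIR=/usr/local/lib/lua install` line runs in whatever directory `git_secure_clone` leaves the shell in; if, as with the `lua-nginx-module` clone just above it, that helper only fetches into `/tmp` without changing into the checkout, `make` would not find the module's Makefile, so presumably a `cd lua-resty-iputils` (or whatever path the helper produces) belongs between the clone and the `make`. Pinning the clone to a commit hash is the right approach for a library that ends up on the request path. `git_secure_clone` is defined outside this hunk, so its behaviour cannot be confirmed from here.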
|
||||
|
||||
|
|
|
@ -353,9 +353,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
|
|||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
else
|
||||
FIRST_SERVER_NAME="$first_server"
|
||||
if [ "$EMAIL_LETS_ENCRYPT" == "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"
|
||||
fi
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"
|
||||
echo -n "$EMAIL_LETS_ENCRYPT" > ${NGINX_PREFIX}email-lets-encrypt.txt
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
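Review bot: The surviving `EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"` uses the `-` expansion, which substitutes the default only when the variable is unset, not when it is set to an empty string; the removed `if [ "$EMAIL_LETS_ENCRYPT" == "" ]` guard used the same expansion, so behaviour is unchanged, but an explicitly empty `EMAIL_LETS_ENCRYPT` (easy to produce through a container environment) still writes an empty address into `email-lets-encrypt.txt`. If the intent is "fall back whenever nothing usable was given", `EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT:-contact@$first_server}"` does that. The enclosing `if`/`else` starts outside the hunk.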
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%BLACKLIST_IP_LIST%}
|
||||
local reverse_list = {%BLACKLIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
@ -21,12 +22,11 @@ function M.reverse_cached ()
|
|||
end
|
||||
|
||||
function M.check_ip ()
|
||||
for k, v in ipairs(ip_list) do
|
||||
if v == ip then
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ip, blacklist) then
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400)
|
||||
return false
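Review bot: `local blacklist = iputils.parse_cidrs(ip_list)` at the top of the new `M.check_ip` body re-parses the whole list on every request, although `ip_list` is a load-time constant; parse it once at module scope next to `local ip_list`, e.g. `local blacklist = iputils.parse_cidrs(ip_list)`, and only call `ip_in_cidrs` per request. The same applies to the whitelist `M.check_ip` hunk further down. Separately, `ip_in_cidrs` returns `nil, err` rather than `false` when the client address cannot be parsed (lua-resty-iputils handles IPv4 addresses, so an IPv6 `remote_addr` would presumably hit this), and the bare `if` treats that as "not blacklisted" and caches `"ok"` for 86400 s — a parse failure should be logged and not cached as a verdict. This also assumes `parse_cidrs` accepts bare addresses as /32 networks, since the removed exact-match loop was the only thing that handled them; the closing `end` of `M.check_ip` is outside the hunk.
```lua
-- blacklist = iputils.parse_cidrs(ip_list) now lives next to ip_list at module scope
function M.check_ip ()
  local matched, err = iputils.ip_in_cidrs(ip, blacklist)
  if matched == nil then
    -- unparseable client address: log it and do not cache a verdict for it
    ngx.log(ngx.ERR, "cannot check ip " .. ip .. " against blacklist: " .. tostring(err))
    return false
  end
  if matched then
    -- … unchanged: cache "ko", log warning, return true …
  end
  -- … unchanged: cache "ok", return false …
```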
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%WHITELIST_IP_LIST%}
|
||||
local reverse_list = {%WHITELIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
@ -21,13 +22,12 @@ function M.reverse_cached ()
|
|||
end
|
||||
|
||||
function M.check_ip ()
|
||||
for k, v in ipairs(ip_list) do
|
||||
if v == ip then
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ip, whitelist) then
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400)
|
||||
return false
|
||||
end
|
||||
|
|