Enterprise whitelist management with nginx, Lua and Redis

燕宏胜
2023-12-01

I. Installation environment:

  • CentOS x64 release 7.0 (Final)
  • Nginx-1.4.1, install directory (/usr/local/nginx/conf)
  • Redis 3.2.7, /home/appuser/nginx-lua-memcache/redis-3.2.7

II. Installation steps:

1. Install dependencies

yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers make pcre-devel

yum -y install gd gd2 gd-devel gd2-devel lua lua-devel

2. Install Redis 3.2.7

wget http://download.redis.io/releases/redis-3.2.7.tar.gz

tar -xzvf redis-3.2.7.tar.gz

cd redis-3.2.7

make && make install

For a detailed tutorial on installing and using Redis, see: http://www.cnblogs.com/codersay/p/4301677.html

Steps to add a whitelist entry in Redis

(1) cd /home/appuser/nginx-lua-memcache/redis-3.2.7/src

(2) ./redis-cli

(3) At the redis-cli prompt: set ip 1 (for example: set 192.168.1.2 1)

3. Install Nginx-1.4.1

./configure --prefix=/usr/local/nginx/ --with-http_gzip_static_module --add-module=/home/appuser/solftware/nginx-lua-memcache/ngx_devel_kit-0.2.18 --add-module=/home/appuser/solftware/nginx-lua-memcache/lua-nginx-module-0.8.5 --add-module=/home/appuser/solftware/nginx-lua-memcache/redis2-nginx-module-0.10

make

make install

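4. Download redis.lua, the dependency that Lua code in nginx needs in order to use Redis, into the nginx install directory (the full configuration in step 7 expects it at /usr/local/nginx/resty/redis.lua)

https://codeload.github.com/agentzh/lua-resty-redis/tar.gz/v0.15

5. Put the access-control Lua script access.lua in the conf directory under the nginx install directory

6. In the http block of nginx.conf, make the redis.lua package loadable by adding:

lua_package_path "/usr/local/nginx/?.lua;;";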

7. Configure nginx

#user nobody;
worker_processes 2;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 2048;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # "?" is replaced by the module name, so require "resty.redis"
    # loads /usr/local/nginx/resty/redis.lua
    lua_package_path "/usr/local/nginx/?.lua;;";

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    proxy_next_upstream error timeout;
    proxy_redirect off;
    proxy_set_header Host $host;
    # X-Real-IP is copied from the incoming X-Forwarded-For header, which is
    # client-supplied unless a trusted proxy in front of nginx sets it.
    proxy_set_header X-Real-IP $http_x_forwarded_for;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 100m;
    client_body_buffer_size 256k;
    proxy_connect_timeout 180;
    proxy_send_timeout 180;
    proxy_read_timeout 180;
    proxy_buffer_size 8k;
    proxy_buffers 8 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;

    upstream client {
        server 10.1.241.80:8080;
    }

    upstream client_test {
        server 192.168.200.29:81;
    }

    #gzip on;

    server {
        listen 80;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/host.access.log main;

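        location / {
            content_by_lua '
                -- Client address used as the Redis key. X-Real-IP and
                -- X-Forwarded-For are request headers: trust them only when a
                -- proxy in front of nginx overwrites them.
                local clientIP = ngx.req.get_headers()["X-Real-IP"]
                if clientIP == nil then
                    clientIP = ngx.req.get_headers()["x_forwarded_for"]
                end
                if clientIP == nil then
                    clientIP = ngx.var.remote_addr
                end

                local redis = require "resty.redis"
                local cache, err = redis:new()
                if not cache then
                    ngx.say("failed to instantiate redis: ", err)
                    return
                end

                -- set the timeout before connecting so it also covers connect()
                cache:set_timeout(60000)
                local ok, err = cache:connect("127.0.0.1", 6379)
                if not ok then
                    ngx.say("failed to connect: ", err)
                    return
                end

                -- resty.redis get() returns (value, err); a missing key is ngx.null
                local res, err = cache:get(clientIP)
                if not res then
                    ngx.say("failed to get clientIP ", err)
                    return
                end

                -- whitelisted addresses (value "1") go to the test upstream
                if res == "1" then
                    ngx.exec("@client_test")
                    return
                end
                ngx.exec("@client")
            ';
        }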

        location @client {
            proxy_pass http://client;
        }

        location @client_test {
            #proxy_pass http://client_test;
            proxy_pass http://www.baidu.com;
        }

        location /hello {
            default_type 'text/plain';
            content_by_lua 'ngx.say("hello, lua")';
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen 443;
    #    server_name localhost;

    #    ssl on;
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;

    #    ssl_session_timeout 5m;

    #    ssl_protocols SSLv2 SSLv3 TLSv1;
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
}

Note: the script can also be loaded into nginx from a file: access_by_lua_file /usr/local/nginx/conf/access.lua;
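The page does not show access.lua itself. The following is an added example of such a script, not the author's own: it assumes the @client and @client_test locations from the configuration above and a hypothetical TRUSTED_PROXIES table, and it takes the whitelist key from the TCP peer address, honouring X-Forwarded-For only when the peer is a known proxy, because request headers can be set by any client.

```lua
-- access.lua (added example; load with access_by_lua_file inside "location /")
local redis = require "resty.redis"

-- Assumption: reverse proxies allowed to sit in front of this nginx (hypothetical value).
local TRUSTED_PROXIES = { ["10.1.241.1"] = true }

-- Pick the address used as the whitelist key. Headers are honoured only when
-- the TCP peer is a trusted proxy; otherwise the peer address itself is used.
local function client_ip()
    local peer = ngx.var.remote_addr
    if not TRUSTED_PROXIES[peer] then
        return peer
    end
    local hops = {}
    for hop in (ngx.var.http_x_forwarded_for or ""):gmatch("[^,%s]+") do
        hops[#hops + 1] = hop
    end
    -- Walk right to left: take the rightmost entry not written by our own proxies.
    for i = #hops, 1, -1 do
        if not TRUSTED_PROXIES[hops[i]] then
            return hops[i]
        end
    end
    return peer
end

-- Returns true only when Redis holds the value "1" for this address.
-- Any Redis failure is logged and treated as "not whitelisted".
local function is_whitelisted(ip)
    local red = redis:new()
    if not red then return false end
    red:set_timeout(1000)                       -- milliseconds, set before connect
    local ok, err = red:connect("127.0.0.1", 6379)
    if not ok then
        ngx.log(ngx.ERR, "whitelist: redis connect failed: ", err)
        return false
    end
    local res, gerr = red:get(ip)               -- ngx.null when the key is absent
    if not res then
        ngx.log(ngx.ERR, "whitelist: redis get failed: ", gerr)
        return false
    end
    red:set_keepalive(10000, 50)                -- hand the connection back to the pool
    return res == "1"
end

if is_whitelisted(client_ip()) then
    return ngx.exec("@client_test")
end
return ngx.exec("@client")
```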

Note: by default Redis does not persist data; the configuration file has to be changed by hand.

8. You can now start Redis and nginx and test.

URL to check that Lua was installed correctly: http://nginxIP:port/hello

Reposted from: https://my.oschina.net/u/2925336/blog/844036