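Installing Nginx + Lua + Redis on CentOS to build a custom web firewall
Nginx can enforce access control in several ways and with several effects: restricting by client IP range, restricting by requested content, rate limiting, and so on.
Nginx + Lua + Redis is used for access restriction mainly to meet the need for fast access-control decisions under high concurrency.
System: CentOS 6.x
IP: 192.168.1.3
Baidu Cloud download for the software packages:
http://pan.baidu.com/s/1hs1dY1e
or:
Link: http://pan.baidu.com/s/1qYdNdZu
Password: cxsg
1. Install Lua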
    cd /data/software/
    wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
    tar -zxvf LuaJIT-2.0.4.tar.gz
    cd LuaJIT-2.0.4
    [root@centos-03 LuaJIT-2.0.4]# make
    ... ...
    BUILDVM jit/vmdef.lua
    DYNLINK libluajit.so
    LINK luajit
    OK Successfully built LuaJIT
    make[1]: Leaving directory `/home/data/software/LuaJIT-2.0.4/src'
    ==== Successfully built LuaJIT 2.0.4 ====
    [root@centos-03 LuaJIT-2.0.4]# make install
    .....
    ==== Successfully installed LuaJIT 2.0.4 to /usr/local ====
    [root@centos-03 LuaJIT-2.0.4]# export LUAJIT_LIB=/usr/local/lib
    [root@centos-03 LuaJIT-2.0.4]# export LUAJIT_INC=/usr/local/include/luajit-2.0
2. Install Nginx
    mkdir -p /data/conf/nginx             # nginx install directory
    mkdir /data/software/nginx_module/    # nginx modules
    cd /data/software/nginx_module/
The following modules are needed:
    ngx_devel_kit (https://github.com/simpl/ngx_devel_kit/)
    lua-nginx-module (https://github.com/openresty/lua-nginx-module/)
    redis2-nginx-module (https://github.com/openresty/redis2-nginx-module/)
    set-misc-nginx-module (https://github.com/openresty/set-misc-nginx-module/)
    echo-nginx-module (https://github.com/openresty/echo-nginx-module/)
The packages are in the Baidu Cloud share, or you can clone them onto the server with git:
    git clone https://github.com/simpl/ngx_devel_kit.git
    git clone https://github.com/openresty/lua-nginx-module.git
    git clone https://github.com/openresty/redis2-nginx-module.git
    git clone https://github.com/openresty/set-misc-nginx-module.git
    git clone https://github.com/openresty/echo-nginx-module.git
Download and configure nginx:
    # cd /data/software/
    # wget http://nginx.org/download/nginx-1.10.3.tar.gz
    # tar -zxvf nginx-1.10.3.tar.gz
    # cd nginx-1.10.3
    # ./configure --prefix=/data/conf/nginx \
        --with-debug \
        --with-http_addition_module \
        --with-http_perl_module \
        --with-http_realip_module \
        --with-http_secure_link_module \
        --with-http_stub_status_module \
        --with-http_ssl_module \
        --with-http_sub_module \
        --with-sha1=/usr/include/openssl \
        --with-md5=/usr/include/openssl \
        --add-module=/data/software/nginx_module/ngx_devel_kit \
        --add-module=/data/software/nginx_module/echo-nginx-module \
        --add-module=/data/software/nginx_module/lua-nginx-module \
        --add-module=/data/software/nginx_module/redis2-nginx-module \
        --add-module=/data/software/nginx_module/set-misc-nginx-module
Error:
    configure: error: perl module ExtUtils::Embed is required
Fix:
    yum -y install perl-devel perl-ExtUtils-Embed
Error:
    checking for PCRE library ... not found
Fix:
    yum install pcre-devel
Reference: https://www.chenyudong.com/archives/nginx-install.html
Continue:
    # make
    # make install
Test the configuration:
    [root@centos-03 conf]# /data/conf/nginx/sbin/nginx -t
Error:
    /data/conf/nginx/sbin/nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
Fix:
    ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
nginx is now installed.
Because nginx had previously been installed with yum on this machine, stop that instance first:
    /etc/init.d/nginx stop
3. Configure nginx
Start the newly built nginx:
    /data/conf/nginx/sbin/nginx
Open http://192.168.1.3/ in a browser.
Create the init script (it is named nginx_lua so that it matches the chkconfig and service commands below):
    vi /etc/rc.d/init.d/nginx_lua
Write the following into the nginx_lua file:
    #!/bin/bash
    # Tengine Startup script
    # processname: nginx
    # chkconfig: - 85 15
    # description: nginx is a World Wide Web server. It is used to serve
    # pidfile: /data/conf/nginx/logs/nginx.pid
    # config: /data/conf/nginx/conf/nginx.conf
    nginxd=/data/conf/nginx/sbin/nginx
    nginx_config=/data/conf/nginx/conf/nginx.conf
    nginx_pid=/data/conf/nginx/logs/nginx.pid
    RETVAL=0
    prog="nginx"
    # Source function library.
    . /etc/rc.d/init.d/functions
    # Source networking configuration.
    . /etc/sysconfig/network
    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0
    [ -x $nginxd ] || exit 0
    # Start nginx daemons functions.
    start() {
        if [ -e $nginx_pid ];then
            echo "tengine already running...."
            exit 1
        fi
        echo -n $"Starting $prog: "
        daemon $nginxd -c ${nginx_config}
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/nginx
        return $RETVAL
    }
    # Stop nginx daemons functions.
    stop() {
        echo -n $"Stopping $prog: "
        killproc $nginxd
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/nginx /data/conf/nginx/logs/nginx.pid
    }
    reload() {
        echo -n $"Reloading $prog: "
        #kill -HUP `cat ${nginx_pid}`
        killproc $nginxd -HUP
        RETVAL=$?
        echo
    }
    # See how we were called.
    case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        stop
        start
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|reload|status|help}"
        exit 1
    esac
    exit $RETVAL
Enable it at boot:
    chmod 775 /etc/rc.d/init.d/nginx_lua
    chkconfig --level 012345 nginx_lua on
You can then use:
    service nginx_lua start
    service nginx_lua stop
    /etc/rc.d/init.d/nginx_lua help
A simple configuration:
    vi /data/conf/nginx/conf/nginx.conf
Add this location to the server block:
    location ~* ^/funet8 {
        default_type 'text/plain';
        content_by_lua 'ngx.say("hello, world")';
    }
Open http://192.168.1.3/funet8 in a browser.
The page shows "hello, world".
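Install the lua-resty-redis component
lua-resty-redis is a Lua Redis API and a component of OpenResty.
Download the code and move it into the nginx directory for easier management:
    git clone https://github.com/openresty/lua-resty-redis.git
    mv lua-resty-redis /data/conf/nginx/
Open the nginx configuration file and reference the Lua Redis API.
4. Connect to Redis
Install Redis: https://www.funet8.com/2941.html
Create a new Lua file and write the following test code: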
    mkdir -p /data/conf/lua/redis/
    vi /data/conf/lua/redis/connect_redis_test.lua
Write the following content:
    -- Load the redis module (locals avoid sharing state between requests)
    local redis = require('resty.redis')
    -- Connect to Redis
    local redis_init = redis:new()
    redis_init:set_timeout(1000)
    redis_init:connect("127.0.0.1", 6379)
    -- If auth is set
    -- redis_init:auth('123456')
    -- Add data
    local resp = redis_init:set('name', 'xiaofan')
    -- Look up data
    resp = redis_init:get('name')
    ngx.say(resp)
    vi /data/conf/nginx/conf/nginx.conf
Add the following:
    location /connect_redis_test {
        access_by_lua_file "/data/conf/lua/redis/connect_redis_test.lua";
    }
After restarting nginx, open the page:
http://192.168.1.3/connect_redis_test
If it displays "xiaofan", it worked; if not, check the logs to troubleshoot.
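Troubleshooting from the logs only works if the script reports why it failed. The variant of the connection test below is an added example, not code from the original article: it checks every Redis call, writes the failure reason to nginx's error.log, and returns the connection to the keepalive pool. The `lua_package_path` line in its header comment is an assumption derived from the directory lua-resty-redis was moved into above, and the auth password is a placeholder.

```lua
-- Added example (not from the original article).
-- Assumption: the http {} block of nginx.conf makes the cloned library loadable:
--   lua_package_path "/data/conf/nginx/lua-resty-redis/lib/?.lua;;";
local redis = require("resty.redis")

-- Log the failing step and its reason to error.log, then answer 500
-- so a broken Redis link is visible instead of producing an empty page.
local function fail(step, err)
    ngx.log(ngx.ERR, "redis ", step, " failed: ", err)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local red = redis:new()
red:set_timeout(1000)  -- 1 second for connect, send and read

local ok, err = red:connect("127.0.0.1", 6379)
if not ok then
    return fail("connect", err)
end

-- Only if requirepass is set in redis.conf (placeholder password):
-- ok, err = red:auth("CHANGE_ME")
-- if not ok then return fail("auth", err) end

ok, err = red:set("name", "xiaofan")
if not ok then
    return fail("set", err)
end

local value
value, err = red:get("name")
if not value then
    return fail("get", err)
end
if value == ngx.null then  -- a missing key comes back as ngx.null, not nil
    value = "(key not found)"
end

-- Hand the connection back to the per-worker pool instead of closing it:
-- 10 s maximum idle time, at most 100 idle connections.
ok, err = red:set_keepalive(10000, 100)
if not ok then
    ngx.log(ngx.WARN, "redis set_keepalive failed: ", err)
end

ngx.say(value)
```

With this version a stopped Redis produces a 500 response and a "redis connect failed: connection refused" line in /data/conf/nginx/logs/error.log.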
Test:
    [root@centos-03]# redis-cli -h 127.0.0.1 -p 6379
    127.0.0.1:6379> get name
    "xiaofan"
    127.0.0.1:6379>
The nginx + Lua + Redis installation is now complete.
Next time, configuring the custom firewall: https://www.funet8.com/3070.html