Installing OpenResty on CentOS 7


    Installing via yum

    Create OpenResty.repo under /etc/yum.repos.d/ with the following content

    [openresty]
    name=Official OpenResty Repository
    baseurl=https://copr-be.cloud.fedoraproject.org/results/openresty/openresty/epel-$releasever-$basearch/
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/openresty/openresty/pubkey.gpg
    enabled=1
    enabled_metadata=1

    List the packages available from the openresty repo

    yum --disablerepo="*" --enablerepo="openresty" list available

    The version installed here is openresty.x86_64 1.11.2.2-8.el7.centos; the bundled openssl is 1.0.2j

    Install

    yum install openresty

    By default it is installed under /usr/local/openresty/, which contains the luajit, lualib, nginx, openssl, pcre and zlib components

    If installation fails with a "Require GeoIP" dependency error, install geoip first and then install openresty

    yum install epel-release
    yum --enablerepo=epel install geoip

    Starting directly from the command line

    /usr/local/openresty/nginx/sbin/nginx -c /usr/local/openresty/nginx/conf/nginx.conf

    The OpenResty package already adds the binary to /usr/bin and installs a service script /etc/init.d/openresty, so it can also be managed as a service

    systemctl start/stop/status openresty

    The -p parameter sets the working directory (the nginx prefix); nginx's conf, html and log directories can then all live under it

    openresty -p /opt/my-fancy-app/

    Checking and configuring the firewall

    # check status
    systemctl status firewalld
    # list what the public zone currently allows (ports and services)
    firewall-cmd --zone=public --list-all
    # open port 80
    firewall-cmd --permanent --zone=public --add-port=80/tcp
    firewall-cmd --reload

    Update 2018-07-17: If -p points the working directory somewhere else, the `user  nobody` line in nginx.conf must be changed to another user, for example a newly created nginx, openresty or tomcat user that can read the prefix and write to its log and temp directories. If nobody is kept, startup blocks indefinitely and /var/log/secure shows entries like the one below. Note that this polkit line only records that systemctl was invoked from a terminal; the concrete "Permission denied" message is written to the error.log under the prefix, so check there (and `ls -l` on the prefix) to confirm the cause.

    Unregistered Authentication Agent for unix-process:17339:1142872114 (system bus name :1.389659, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)

    Configuring OpenResty with Redis for IP blocking

    Edit nginx.conf. Because the OpenResty bundle is used, there is no need to set lua_package_path for the bundled resty.* libraries; resty.redis can be required directly

    # add under http
    lua_shared_dict ip_blacklist 1m;
    
    # add under server (a relative path is resolved against the nginx prefix,
    # here /usr/local/openresty/nginx/)
            location /ipblacklist {
                access_by_lua_file lua/ip_blacklist.lua;
                default_type text/html;
                content_by_lua '
                    ngx.say("<p>Hello, this is lua.</p>")
                ';
            }

    Create ip_blacklist.lua under /usr/local/openresty/nginx/lua

    -- a quick LUA access script for nginx to check IP addresses against an
    -- `ip_blacklist` set in Redis, and if a match is found send a HTTP 403.
    --
    -- allows for a common blacklist to be shared between a bunch of nginx
    -- web servers using a remote redis instance. lookups are cached for a
    -- configurable period of time.
    --
    -- block an ip:
    --   redis-cli SADD ip_blacklist 10.1.1.1
    -- remove an ip:
    --   redis-cli SREM ip_blacklist 10.1.1.1
    --
    -- also requires lua-resty-redis from:
    --   https://github.com/agentzh/lua-resty-redis
    --
    -- your nginx http context should contain something similar to the
    -- below: (assumes resty/redis.lua exists in /etc/nginx/lua/)
    --
    --   lua_package_path "/etc/nginx/lua/?.lua;;";
    --   lua_shared_dict ip_blacklist 1m;
    --
    -- you can then use the below (adjust path where necessary) to check
    -- against the blacklist in a http, server, location, if context:
    --
    -- access_by_lua_file /etc/nginx/lua/ip_blacklist.lua;
    --
    -- from https://gist.github.com/chrisboulton/6043871
    -- modify by Ceelog
    
    local redis_host    = "192.168.1.18"
    local redis_port    = 6379
    local redis_auth    = "foobar"
    local redis_db       = 3
    
    -- connection timeout for redis in ms. don't set this too high!
    local redis_connection_timeout = 100
    
    -- check a set with this key for blacklist entries
    local redis_key     = "ip_blacklist"
    
    -- cache lookups for this many seconds
    local cache_ttl     = 60
    
    -- end configuration
    
    ngx.log(ngx.DEBUG, "Redis host: " .. redis_host);
    
    local ip                = ngx.var.remote_addr
    local ip_blacklist     = ngx.shared.ip_blacklist
    local last_update_time     = ip_blacklist:get("last_update_time");
    
    -- only update ip_blacklist from Redis once every cache_ttl seconds:
    if last_update_time == nil or last_update_time < ( ngx.now() - cache_ttl ) then
    
      local redis = require "resty.redis";
      local red = redis:new();
    
      -- note: must match the variable defined above; a misspelled (nil) value
      -- silently falls back to nginx's default 60s socket timeout
      red:set_timeout(redis_connection_timeout);
    
      local ok, err = red:connect(redis_host, redis_port);
      if not ok then
        ngx.log(ngx.DEBUG, "Redis connection error while retrieving ip_blacklist: " .. err);
      else
        local ok, err = red:auth(redis_auth);
        if not ok then
          ngx.log(ngx.DEBUG, "Redis auth error while retrieving ip_blacklist:" .. err);
        end
        red:select(redis_db);
        local new_ip_blacklist, err = red:smembers(redis_key);
        if err then
          ngx.log(ngx.DEBUG, "Redis read error while retrieving ip_blacklist: " .. err);
        else
          -- replace the locally stored ip_blacklist with the updated values:
          ip_blacklist:flush_all();
          for index, banned_ip in ipairs(new_ip_blacklist) do
            ip_blacklist:set(banned_ip, true);
          end
    
          -- update time
          ip_blacklist:set("last_update_time", ngx.now());
        end
      end
    end
    
    if ip_blacklist:get(ip) then
      ngx.log(ngx.DEBUG, "Banned IP detected and refused access: " .. ip);
      return ngx.exit(ngx.HTTP_FORBIDDEN);
    end

    Because the list is cached here and refreshed once every 60s, a Redis connection pool is not needed. If you do want to use a pool, see

    https://github.com/openresty/lua-resty-redis#synopsis

    # you do not need the following line if you are using
    # the OpenResty bundle:
    lua_package_path "/path/to/lua-resty-redis/lib/?.lua;;";
    
    server {
        location /test {
            content_by_lua_block {
                local redis = require "resty.redis"
                local red = redis:new()
    
                red:set_timeout(1000) -- 1 sec
    
                -- or connect to a unix domain socket file listened
                -- by a redis server:
                --     local ok, err = red:connect("unix:/path/to/redis.sock")
    
                local ok, err = red:connect("127.0.0.1", 6379)
                if not ok then
                    ngx.say("failed to connect: ", err)
                    return
                end
                
                ...
                
                -- put it into the connection pool of size 100,
                -- with 10 seconds max idle time
                local ok, err = red:set_keepalive(10000, 100)
                if not ok then
                    ngx.say("failed to set keepalive: ", err)
                    return
                end
    
                -- or just close the connection right away:
                -- local ok, err = red:close()
                -- if not ok then
                --     ngx.say("failed to close: ", err)
                --     return
                -- end
    ... }

    and, from the same documentation, on connection pools:

    If you want two different Redis backends A and B to each keep at most 32 idle connections, call set_keepalive(0, 32) on the resty.redis objects used for A and for B, because by default different Redis backends get different connection pools.
    
    If you want A and B to share one pool, pass the pool option to connect(), for example:
        redA:connect("A", 6379, { pool = "my_redis_cluster" })
        redB:connect("B", 6379, { pool = "my_redis_cluster" })
    
    and then use 64 as the connection limit of the shared A/B pool when calling set_keepalive:
        redA:set_keepalive(0, 64)
        redB:set_keepalive(0, 64)
    
    One thing to note: pools are per nginx worker, so the real upper bound on connections to each Redis backend is 32 multiplied by the number of workers.
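    The following is an added example, not the post's script and not lua-resty-redis's own code. It reworks the access script from the ip_blacklist.lua section above to use the pooling described here: connections come from a named shared pool via the `pool` option and go back with set_keepalive, and AUTH/SELECT are only sent on a fresh socket (a reused pooled socket is already authenticated and on the right db). It also fixes two operational weaknesses of the simple version: only one request per refresh window talks to Redis (so an unreachable Redis costs one connect timeout per backoff period, not one per request), and each refresh is loaded as a new "generation" of dict keys, so concurrent workers never see an empty list while it is being rebuilt. It assumes the same `lua_shared_dict ip_blacklist 1m;` from the post's nginx.conf; the host, password, db, pool name and the `fail_closed` switch are placeholders.

```lua
-- ip_blacklist_pooled.lua: access_by_lua_file handler for OpenResty.
-- Added example (not the post's script, not lua-resty-redis code). Assumes the
-- post's "lua_shared_dict ip_blacklist 1m;" and a Redis set "ip_blacklist";
-- host, password, db and pool name below are placeholders.
local redis = require "resty.redis"

local redis_host, redis_port = "192.168.1.18", 6379   -- placeholder
local redis_auth, redis_db   = "foobar", 3            -- placeholder
local redis_key   = "ip_blacklist"
local pool_name   = "ip_blacklist_redis"  -- assumed name; any string works
local pool_size, pool_max_idle_ms = 32, 10000   -- per nginx worker (see above)
local connect_timeout_ms = 100   -- keep short: a refresh runs inside a request
local cache_ttl       = 60       -- seconds between refreshes
local refresh_backoff = 5        -- seconds before retrying a failed refresh
local fail_closed     = false    -- true: answer 503 until the list has loaded once

local dict = ngx.shared.ip_blacklist
-- Behind a proxy remote_addr is the proxy; use set_real_ip_from/real_ip_header
-- rather than reading X-Forwarded-For here, which a client can forge.
local ip = ngx.var.remote_addr

-- Take a connection from the named pool. AUTH/SELECT are only sent on a fresh
-- socket; a reused pooled socket is already authenticated and on redis_db.
local function redis_connect()
  local red = redis:new()
  red:set_timeout(connect_timeout_ms)
  local ok, err = red:connect(redis_host, redis_port, { pool = pool_name })
  if not ok then
    return nil, "connect: " .. tostring(err)
  end
  local reused = red:get_reused_times()
  if (reused or 0) == 0 then
    ok, err = red:auth(redis_auth)
    if not ok then
      red:close()
      return nil, "auth: " .. tostring(err)
    end
    ok, err = red:select(redis_db)
    if not ok then
      red:close()
      return nil, "select: " .. tostring(err)
    end
  end
  return red
end

-- Load the set into a new "generation" of dict keys, then switch the active
-- generation. Lookups never see a half-built list, IPs removed with SREM are
-- gone after the next refresh, and old-generation keys expire on their own.
local function refresh_blacklist()
  local red, err = redis_connect()
  if not red then
    return nil, err
  end
  local members, serr = red:smembers(redis_key)
  if not members then
    red:close()
    return nil, "smembers: " .. tostring(serr)
  end
  local ok, kerr = red:set_keepalive(pool_max_idle_ms, pool_size)
  if not ok then
    ngx.log(ngx.WARN, "set_keepalive failed: ", kerr)
  end

  local gen = (dict:get("gen") or 0) + 1
  local dropped = 0
  for _, banned in ipairs(members) do
    -- safe_set never evicts other entries; a failure means the dict is too small
    if not dict:safe_set(gen .. ":" .. banned, true, 2 * cache_ttl) then
      dropped = dropped + 1
    end
  end
  if dropped > 0 then
    ngx.log(ngx.ERR, "ip_blacklist dict full, entries NOT enforced: ", dropped)
  end
  dict:set("gen", gen)
  dict:set("last_update_time", ngx.now())
  return #members
end

local last = dict:get("last_update_time")
if not last or last < ngx.now() - cache_ttl then
  -- dict:add is atomic across workers: one request performs the refresh, the
  -- rest keep serving the current generation. The lock's expiry doubles as a
  -- backoff, so a dead Redis is retried once per refresh_backoff seconds.
  if dict:add("refresh_lock", true, refresh_backoff) then
    local n, err = refresh_blacklist()
    if not n then
      ngx.log(ngx.ERR, "ip_blacklist refresh failed: ", err)
    else
      ngx.log(ngx.INFO, "ip_blacklist refreshed, entries: ", n)
    end
  end
end

local gen = dict:get("gen")
if not gen then   -- never loaded: Redis unreachable since nginx started
  if fail_closed then
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
  end
  return
end
if dict:get(gen .. ":" .. ip) then
  ngx.log(ngx.WARN, "banned IP refused access: ", ip)
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

    Drop it in place of the original file and keep the same `access_by_lua_file` directive. Since the pool is per worker, the Redis side sees at most pool_size times worker_processes idle connections, exactly as the note above describes. Leaving `fail_closed` at false means a Redis outage at startup lets all traffic through; flipping it to true turns the same outage into a 503 for everyone, so choose deliberately and alert on the "refresh failed" log line either way.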
    Original source: https://www.cnblogs.com/milton/p/6545448.html