/nginx_ipset_blacklist

nginx module to use linux netfilter ipsets as blacklists

Primary LanguageC

nginx_ipset_blacklist

An nginx module for using netfilter ipsets as a black/white list. In comparison to standard nginx access module this allows for dynamic list updating, without nginx reload/restart.

Installation

  • Get youself a linux server with root access

  • Install ipset 4.4 (see ipset.netfilter.org/install.html)

  • Get nginx source code, unpack etc.

  • Install libssl-dev, pcre and other nginx requirements

  • Configure nginx with this module:

    ./configure --with-module=/path/to/nginx_ipset_blacklist
  • Compile, install

  • Configure nginx to run workers as root (this is needed to allow access to ipsets)

  • Create yout ipset and add some ‘offending’ ips to it:

    sudo ipset -N myblacklist iphash
    sudo ipset -A myblacklist 127.0.0.1
  • Start nginx

  • Profit!

Usage

Sample nginx config:

user root;
worker_processes  1;

events {
  worker_connections  1024;
}

http {
  blacklist "myblacklist";
  include       mime.types;
  default_type  application/octet-stream;

  server {
    # your server configuration goes here
  }

  server {
    whitelist "my_whitelist"; # this server will not use global blacklist, but instad use local whitelist
    ...
  }
}

For blocked ips server will respond with 403 error to any request.

Author

nginx_ipset_blacklist was written by Vasily Fedoseyev aka Vasfed