An nginx module for using netfilter ipsets as a black/white list. In comparison to standard nginx access module this allows for dynamic list updating, without nginx reload/restart.
-
Get youself a linux server with root access
-
Install ipset 4.4 (see ipset.netfilter.org/install.html)
-
Get nginx source code, unpack etc.
-
Install libssl-dev, pcre and other nginx requirements
-
Configure nginx with this module:
./configure --with-module=/path/to/nginx_ipset_blacklist
-
Compile, install
-
Configure nginx to run workers as root (this is needed to allow access to ipsets)
-
Create yout ipset and add some ‘offending’ ips to it:
sudo ipset -N myblacklist iphash sudo ipset -A myblacklist 127.0.0.1
-
Start nginx
-
Profit!
Sample nginx config:
user root;
worker_processes 1;
events {
worker_connections 1024;
}
http {
blacklist "myblacklist";
include mime.types;
default_type application/octet-stream;
server {
# your server configuration goes here
}
server {
whitelist "my_whitelist"; # this server will not use global blacklist, but instad use local whitelist
...
}
}
For blocked ips server will respond with 403 error to any request.
nginx_ipset_blacklist was written by Vasily Fedoseyev aka Vasfed