Part 1: Solutions for limiting the rate at which users access a Web server (Nginx)
Nginx can enforce access control in several ways and to several ends: restricting by IP range, restricting content, limiting request rate, and so on. Nginx + Lua + Redis is used here mainly because fast access control is needed under high concurrency. Nginx processes a request in 11 phases:
post-read, server-rewrite, find-config, rewrite, post-rewrite, preaccess, access, post-access, try-files, content, log. In OpenResty the corresponding hooks include
set_by_lua, access_by_lua, content_by_lua, rewrite_by_lua and others, so access control belongs in the access phase.
1. Approach

Following the obvious logic, the access-control scheme looks like this:

1. Check whether the client is forbidden.
   - Yes: has the forbidden period expired? If so, clear the record and return 200 (normal access); otherwise return 403.
   - No: return 200, normal access.
2. On every request, add 1 to the client's request counter.
3. Check whether the request rate exceeds the limit; if it does, add a forbidden record and return 403.

This is the simple scheme. Refinements can be added, for example deriving the ban duration from an algorithm so that it grows along a curve with every repeat offence.
2. Config

First add a vhost configuration file for nginx; part of vhost.conf is shown below:

```nginx
lua_package_path "/usr/local/openresty/lualib/?.lua;;";   # tell OpenResty where its Lua libraries live
lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
error_log /usr/local/openresty/nginx/logs/openresty.debug.log debug;

server {
    listen 8080 default;
    server_name localhost;
    root /www
    # (the remainder of the server block is cut off in this copy of the article)
```

For Redis storage, plain string values are enough. The keys are:

- user request record: user:127.0.0.1:time (unix timestamp)
- block record: block:127.0.0.1

First, connect to Redis:

```lua
local redis = require "resty.redis"   -- lua-resty-redis, bundled with OpenResty
local M = {}
local red = redis:new()

function M:redis()
    red:set_timeout(1000)             -- 1 s timeout for connect, send and receive
    local ok, err = red:connect("127.0.0.1", 6379)
    if not ok then
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
end
```

Following our scheme, the second step is to check whether the client is forbidden. Below we look up block:127.0.0.1; if a record is found, we check whether its time has expired: not expired means 403, otherwise the request simply gets 200:

```lua
function M:check1()
    local time = os.time()                                   -- current unix time
    local res, err = red:get("block:" .. ngx.var.remote_addr)
    if not res then                                          -- nil means a Redis error (a missing key returns ngx.null, not nil)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    if type(res) == "string" then                            -- a string value means a block record exists
        if tonumber(res) >= tonumber(time) then              -- the record holds the unblock timestamp; still in the future means still blocked
            ngx.exit(ngx.HTTP_FORBIDDEN)
            -- ngx.say("forbidden")
        end
    end
end
```

Next, check whether the request rate is too high; if it is, the client goes on the blacklist. This is done by checking whether the value of user:127.0.0.1:time exceeds the limit:

```lua
function M:check2()
    local time = os.time()                                   -- current unix time
    local res, err = red:get("user:" .. ngx.var.remote_addr .. ":" .. time)
    if not res then                                          -- Redis error
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    if type(res) == "string" then
        if tonumber(res) >= 10 then                          -- attack: 10 or more requests within one second
            -- the original used self.ip here, which is never assigned; use the client address as the other functions do
            red:del("block:" .. ngx.var.remote_addr)
            red:set("block:" .. ngx.var.remote_addr, tonumber(time) + 5 * 60)   -- block until now + 5 minutes
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    end
end
```

Finally, remember to increment the per-request counter, user:127.0.0.1:time, on every visit:

```lua
function M:add()
    local time = os.time()                                   -- current unix time
    local key = "user:" .. ngx.var.remote_addr .. ":" .. time
    local ok, err = red:incr(key)                            -- declared local; the original leaked ok/err as globals
    if not ok then                                           -- Redis error
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    red:expire(key, 2)   -- added here: the key for a past second is never read again, so expire it rather than let it accumulate
end

return M
```

Then test: refresh the browser rapidly a number of times, and after a moment it returns 403. OK, done.
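As an added example (a Python model written for this page, not the article's Lua), the whole flow above with the article's keys, its 10-per-second threshold and its 5-minute block, run against an in-memory stand-in for the Redis string commands; FakeRedis, access and simulate are names assumed here. Unlike the article's code it also gives the per-second counter keys a TTL so they do not pile up in Redis.

```python
BLOCK_SECONDS = 5 * 60      # the article blocks a client for 5 minutes
LIMIT_PER_SEC = 10          # the article's threshold: 10 requests within one second

class FakeRedis:
    """In-memory stand-in for the Redis string commands the article uses, with a fake clock
    (assumption of this example) so the scenario is deterministic."""
    def __init__(self, now):
        self.now, self.store = now, {}          # store: key -> (value, expire_at or None)
    def get(self, key):
        val = self.store.get(key)
        if val and val[1] is not None and val[1] <= self.now:
            del self.store[key]                 # expired: behave as if the key is gone
            return None
        return val[0] if val else None
    def set(self, key, value, ex=None):
        self.store[key] = (str(value), None if ex is None else self.now + ex)
    def incr(self, key, ex=None):
        new = int(self.get(key) or 0) + 1
        self.set(key, new, ex)
        return new

def access(red, ip):
    """Return the HTTP status the access phase would answer with for one request from ip."""
    now = red.now
    # check1: is the client inside a block window? block:<ip> stores the unblock timestamp
    blocked_until = red.get("block:" + ip)
    if blocked_until is not None and int(blocked_until) >= now:
        return 403
    # check2: has this client already reached the per-second limit? then block it
    key = "user:%s:%d" % (ip, now)
    count = red.get(key)
    if count is not None and int(count) >= LIMIT_PER_SEC:
        red.set("block:" + ip, now + BLOCK_SECONDS)
        return 403
    # add: count this request; a 2 s TTL keeps stale per-second keys from piling up
    red.incr(key, ex=2)
    return 200

def simulate(ip="127.0.0.1"):
    """12 requests in one second, one more a second later, one after the block expires."""
    red = FakeRedis(now=1700000000)         # constructed start time
    burst = [access(red, ip) for _ in range(12)]
    red.now += 1
    next_second = access(red, ip)           # still blocked: about 299 s of the window remain
    red.now += BLOCK_SECONDS
    after_block = access(red, ip)           # unblock time is now in the past; counter is fresh
    return burst, next_second, after_block
```

A client is still refused at the exact second stored in block:<ip>, because the comparison is >=, as in the Lua.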
Part 2: 45 - SSID-Based Web Interface Access Control: Typical Configuration Example
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced or transmitted in any form without the prior written permission of the company. The information in this document is subject to change without notice.
Contents
1 Introduction
2 Prerequisites
3 Configuration example
  3.1 Network requirements
  3.2 Configuration approach
  3.3 Configuration notes
  3.4 Configuration procedure
    3.4.1 Configuring the AC
    3.4.2 Configuring the Switch
  3.5 Verifying the configuration
  3.6 Configuration files
4 Related documentation

1 Introduction
This document describes a typical configuration example for SSID-based Web interface access control.

2 Prerequisites
This document is not strictly tied to specific software or hardware versions. If the product behaves differently from what is described here, refer to the relevant product manuals or rely on the actual behaviour of the device.
The configurations in this document were performed and verified in a lab environment, with every device parameter at its factory default before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in this example.
This document assumes you are familiar with WLAN access, WLAN ACL and the HTTP feature.

3 Configuration example
3.1 Network requirements
As shown in Figure 1, the AC connects to the AP through the Switch, and the DHCP server assigns IP addresses to the AP and the Client. Web access to the AC must be controlled according to the SSID a wireless client associates with:
• A Client that joins the wireless network through the SSID named "service2" can access the AC through the Web interface, while a Client that joins through the SSID named "service1" cannot.
Figure 1 Network diagram for SSID-based Web interface access control (labels recovered from the figure: AC with Vlan-int100 192.168.1.1/24 and Vlan-int300 192.168.3.1/24; AC GE1/0/1 to Switch GE1/0/1; AP on Switch GE1/0/2; DHCP server on Switch GE1/0/3; Client associated with the AP)
3.2 Configuration approach
To let Clients associated with SSID service2 access the AC through the Web interface, configure a WLAN ACL on the AC that permits only packets from Clients associated with SSID service2, and associate the HTTP service with that WLAN ACL.
3.3 Configuration notes
• A WLAN ACL contains the default rule rule 0 deny; run undo rule 0 to delete it.
• When configuring the AP's serial ID, make sure it uniquely identifies that AP; the serial ID is printed on the label on the back of the AP.
3.4 Configuration procedure
3.4.1 Configuring the AC
(1) Configure the AC interfaces

```text
# Create VLAN 100 and its VLAN interface, and assign the interface an IP address. The AC uses this address to set up the LWAPP tunnel with the AP.
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.168.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200, which the WLAN-ESS interfaces below use as their PVID.
[AC] vlan 200
[AC-vlan200] quit
# Create VLAN 300 as the service VLAN for Client access, and assign an IP address to the VLAN 300 interface.
[AC] vlan 300
[AC-vlan300] quit
[AC] interface vlan-interface 300
[AC-Vlan-interface300] ip address 192.168.3.1 24
[AC-Vlan-interface300] quit
# Configure GigabitEthernet1/0/1 as a trunk port: forbid VLAN 1, permit VLAN 100 and VLAN 300, and set the PVID to 100.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 300
[AC-GigabitEthernet1/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet1/0/1] quit
# Create interface WLAN-ESS1 and set its link type to hybrid.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port link-type hybrid
# Set the PVID of the hybrid port to VLAN 200, forbid VLAN 1, and permit VLAN 200 untagged.
[AC-WLAN-ESS1] undo port hybrid vlan 1
[AC-WLAN-ESS1] port hybrid vlan 200 untagged
[AC-WLAN-ESS1] port hybrid pvid vlan 200
# Enable MAC VLAN.
[AC-WLAN-ESS1] mac-vlan enable
[AC-WLAN-ESS1] quit
# Create interface WLAN-ESS2 and set its link type to hybrid.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port link-type hybrid
# Set the PVID of the hybrid port to VLAN 200, forbid VLAN 1, and permit VLAN 200 untagged.
[AC-WLAN-ESS2] undo port hybrid vlan 1
[AC-WLAN-ESS2] port hybrid vlan 200 untagged
[AC-WLAN-ESS2] port hybrid pvid vlan 200
# Enable MAC VLAN.
[AC-WLAN-ESS2] mac-vlan enable
[AC-WLAN-ESS2] quit
```

(2) Configure the wireless services
```text
# Create service template 1 of type clear.
[AC] wlan service-template 1 clear
# Set the SSID of the service template to service1.
[AC-wlan-st-1] ssid service1
# Bind interface WLAN-ESS1 to service template 1.
[AC-wlan-st-1] bind wlan-ess 1
# Enable the wireless service.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create service template 2 of type clear.
[AC] wlan service-template 2 clear
# Set the SSID of the service template to service2.
[AC-wlan-st-2] ssid service2
# Bind interface WLAN-ESS2 to service template 2.
[AC-wlan-st-2] bind wlan-ess 2
# Enable the wireless service.
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
```

(3) Configure the radio and bind the service templates
```text
# Create an AP template named officeap with model WA2620E-AGN.
[AC] wlan ap officeap model WA2620E-AGN
# Set the AP's serial ID to 210235A29G007C000020.
[AC-wlan-ap-officeap] serial-id 210235A29G007C000020
# Enter radio 2 view.
[AC-wlan-ap-officeap] radio 2
# Bind the clear-type service templates 1 and 2 configured on the AC to radio 2, with VLAN 300 as the VLAN bound to the radio.
[AC-wlan-ap-officeap-radio-2] service-template 1 vlan-id 300
[AC-wlan-ap-officeap-radio-2] service-template 2 vlan-id 300
# Enable radio 2 of the AP.
[AC-wlan-ap-officeap-radio-2] radio enable
[AC-wlan-ap-officeap-radio-2] quit
```

(4) Configure the WLAN ACL

```text
# Create WLAN ACL 199 and delete its default rule 0.
[AC] acl number 199
[AC-acl-wlan-199] undo rule 0
# Configure rule 1: permit packets from WLAN users whose SSID is service2.
[AC-acl-wlan-199] rule 1 permit ssid service2
[AC-acl-wlan-199] quit
# Associate the HTTP service with ACL 199.
[AC] ip http acl 199
```

3.4.2 Configuring the Switch
```text
# Create VLAN 100 and VLAN 300: VLAN 100 carries the LWAPP tunnel traffic between the AC and the AP, and VLAN 300 is the VLAN for wireless client access.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] vlan 300
[Switch-vlan300] quit
# Configure GigabitEthernet1/0/1, which connects to the AC, as a trunk port: forbid VLAN 1, permit VLAN 100 and VLAN 300, and set the PVID to 100.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 300
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects to the AP, as an access port in VLAN 100.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE on GigabitEthernet1/0/2, which connects to the AP.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/3, which connects to the DHCP server, as an access port in VLAN 100.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
[Switch-GigabitEthernet1/0/3] quit
```

3.5 Verifying the configuration
# After a wireless client associates with SSID service2, it can access the AC through the Web interface normally.
# After a wireless client associates with SSID service1, it cannot access the AC through the Web interface.

3.6 Configuration files
• AC:

```text
#
 ip http acl 199
#
acl number 199
 rule 1 permit ssid service2
#
vlan 100
#
vlan 200
#
vlan 300
#
wlan service-template 1 clear
 ssid service1
 bind WLAN-ESS 1
 service-template enable
#
wlan service-template 2 clear
 ssid service2
 bind WLAN-ESS 2
 service-template enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 300
 undo port trunk permit vlan 1
 port trunk pvid vlan 100
#
interface Vlan-interface100
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface300
 ip address 192.168.3.1 255.255.255.0
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
#
interface WLAN-ESS2
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
#
wlan ap officeap model WA2620E-AGN id 1
 serial-id 210235A29G007C000020
 radio 1
 radio 2
  service-template 1 vlan-id 300
  service-template 2 vlan-id 300
  radio enable
#
```

• Switch:

```text
vlan 100
#
vlan 300
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 300
 undo port trunk permit vlan 1
 port trunk pvid vlan 100
#
interface GigabitEthernet1/0/2
 port link-type access
 port access vlan 100
 poe enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port access vlan 100
#
```

4 Related documentation
• H3C WX Series Wireless Controllers Configuration Guide, "Fundamentals Configuration Guide".
• H3C WX Series Wireless Controllers Command Reference, "Fundamentals Command Reference".
• H3C WX Series Wireless Controllers Configuration Guide, "ACL and QoS Configuration Guide".
• H3C WX Series Wireless Controllers Command Reference, "ACL and QoS Command Reference".
• H3C WX Series Wireless Controllers Configuration Guide, "WLAN Configuration Guide".
• H3C WX Series Wireless Controllers Command Reference, "WLAN Command Reference".