An nginx module for using netfilter ipsets as a black/white list. In comparison to standard nginx access module this allows for dynamic list updating, without nginx reload/restart.
-
Get youself a linux server with root access
-
Install ipset 7.17 (see ipset.netfilter.org/install.html)
-
Get nginx source code, unpack etc.
-
Install libssl-dev, pcre and other nginx requirements
-
Configure nginx with this module:
./configure --add-dynamic-module=/path/to/nginx_ipset_blacklist
-
Compile, install
-
Create yout ipset and add some ‘offending’ ips to it:
sudo ipset -N myblacklist iphash sudo ipset -A myblacklist 127.0.0.1
-
Start nginx
-
Profit!
Sample nginx config:
worker_processes 1;
events {
worker_connections 1024;
}
http {
blacklist "myblacklist" "myblacklist6";
include mime.types;
default_type application/octet-stream;
server {
# your server configuration goes here
}
server {
whitelist "my_whitelist" "my_whitelist6"; # this server will not use global blacklist, but instad use local whitelist
...
}
}
For blocked ips server will respond with 403 error to any request.
nginx_ipset_blacklist was written by Vasily Fedoseyev aka Vasfed