Skip to content
nginx module to use linux netfilter ipsets as blacklists
C
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Initial commit Oct 22, 2010
README.rdoc Initial commit Oct 22, 2010
config Initial commit Oct 22, 2010
ip_set.h Initial commit Oct 22, 2010
ipset_read.c Initial commit Oct 22, 2010
ipset_read.h
ngx_http_ipset_blacklist.c disable keepalive and use a 444 status when banning, remove debug print Oct 22, 2010

README.rdoc

nginx_ipset_blacklist

An nginx module for using netfilter ipsets as a black/white list. In comparison to standard nginx access module this allows for dynamic list updating, without nginx reload/restart.

Installation

  • Get youself a linux server with root access

  • Install ipset 4.4 (see ipset.netfilter.org/install.html)

  • Get nginx source code, unpack etc.

  • Install libssl-dev, pcre and other nginx requirements

  • Configure nginx with this module:

    ./configure --with-module=/path/to/nginx_ipset_blacklist
  • Compile, install

  • Configure nginx to run workers as root (this is needed to allow access to ipsets)

  • Create yout ipset and add some 'offending' ips to it:

    sudo ipset -N myblacklist iphash
    sudo ipset -A myblacklist 127.0.0.1
  • Start nginx

  • Profit!

Usage

Sample nginx config:

user root;
worker_processes  1;

events {
  worker_connections  1024;
}

http {
  blacklist "myblacklist";
  include       mime.types;
  default_type  application/octet-stream;

  server {
    # your server configuration goes here
  }

  server {
    whitelist "my_whitelist"; # this server will not use global blacklist, but instad use local whitelist
    ...
  }
}

For blocked ips server will respond with 403 error to any request.

Author

nginx_ipset_blacklist was written by Vasily Fedoseyev aka Vasfed

You can’t perform that action at this time.