Published 29 June 2023 (author: )
Nginx basics: implementing grey release with Nginx + Lua, and loading the Lua environment

Loading the Lua environment

By default Nginx has no Lua support. You need to install the LuaJIT interpreter and recompile Nginx with the Lua modules; using OpenResty is recommended.

1) Environment preparation

```shell
[root@localhost ~]# yum -y install gcc gcc-c++ make pcre-devel zlib-devel openssl-devel
```

2) Download LuaJIT, ngx_devel_kit and lua-nginx-module

```shell
[root@localhost ~]# cd /usr/local/src
[root@localhost src]# wget /download/
[root@localhost src]# wget /simpl/ngx_devel_kit/archive/
[root@localhost src]# wget /openresty/lua-nginx-module/archive/
```

3) Unpack ngx_devel_kit and lua-nginx-module

```shell
[root@localhost src]# tar xf 
[root@localhost src]# tar xf 
```

4) Install LuaJIT (LuaJIT is a just-in-time compiler for Lua)

```shell
[root@localhost src]# tar zxvf 
[root@localhost src]# cd LuaJIT-2.0.3
[root@localhost LuaJIT-2.0.3]# make && make install
```

5) Install Nginx and load the modules

```shell
[root@localhost ~]# cd /usr/local/src
[root@localhost src]# wget /download/
[root@localhost src]# tar xf 
[root@localhost src]# cd nginx-1.12.2
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-http_dav_module --add-module=../ngx_devel_kit-0.2.19/ --add-module=../lua-nginx-module-0.10.13
[root@localhost nginx-1.12.2]# make -j2 && make install
# Create the symlink; without it Nginx fails with a shared object error
[root@localhost ~]# ln -s /usr/local/lib/.2 /lib64/.2
# Make the LuaJIT library findable: append its directory to the loader configuration file
[root@localhost ~]# echo "/usr/local/LuaJIT/lib" >> /etc/
[root@localhost ~]# 
```

Calling Lua directives

Nginx invokes Lua through module directives. Nginx's pluggable modules are loaded and executed across 11 request-processing phases.

Syntax:

set_by_lua, set_by_lua_file: set an Nginx variable; allows complex assignment logic
access_by_lua, access_by_lua_file: access-phase handler, used for access control
content_by_lua, content_by_lua_file: content handler, takes the request and writes the response

Nginx Lua API variables:

ngx.var: Nginx variables
ngx.req.get_headers: get the request headers
ngx.req.get_uri_args: get the URL query arguments
ngx.redirect: redirect
ngx.print: write the response body
ngx.say: write the response body followed by a newline
ngx.header: set response headers

Nginx + Lua grey release

Grey (canary) release with Nginx and Lua: new code is rolled out in batches according to some distinguishing criterion, so that the release transitions smoothly.
1. Distinguish by user information such as cookies
2. Distinguish by the user's IP address, which is coarser

Execution flow:
1. The user's request reaches the front-end Nginx proxy; the embedded Lua module runs the Lua script referenced in the Nginx configuration
2. The script obtains the client IP address and checks whether that key exists in the Memcached cache
3. If it exists, execute @java_test, otherwise execute @java_prod
4. In @java_test the location forwards the request to the cluster running the new code
5. In @java_prod the location forwards the request to the cluster running the original code
6. The process then ends

Practice environment:

System   Service                  Address
CentOS7  Nginx+Lua+Memcached      10.0.0.11
CentOS7  Tomcat cluster 8080_Prod 10.0.0.12
CentOS7  Tomcat cluster 9090_Test 10.0.0.13

1) Install Tomcat on the two servers, listening on ports 8080 and 9090 respectively

```shell
[root@tomcat-node1 ~]# yum install java -y
[root@tomcat-node1 ~]# cd /usr/local/src
[root@tomcat-node1 src]# wget /apache/tomcat/tomcat-9/v9.0.36/bin/
[root@tomcat-node1 src]# tar xf 
[root@tomcat-node1 src]# cp -r apache-tomcat-9.0.36 /usr/local/tomcat-8080
[root@tomcat-node1 src]# /usr/local/tomcat-8080/bin/
# Tomcat listens on 8080 by default; to listen on 9090, edit its configuration file
```

2) Configure Memcached and make it callable from Lua

```shell
# Install the memcached service
[root@localhost ~]# yum install memcached -y
# Install the Lua memcached client library
[root@localhost ~]# cd /usr/local/src
[root@localhost src]# wget /openresty/lua-resty-memcached/archive/
[root@localhost src]# tar xf 
[root@localhost src]# cp -r lua-resty-memcached-0.11/lib/resty/ /usr/local/nginx/lua/
# Start memcached
[root@localhost ~]# systemctl start memcached
[root@localhost ~]# systemctl enable memcached
```

3) Configure the load-balancing and routing

```nginx
# Must be placed in the http block
lua_package_path "/usr/local/nginx/lua/?.lua;;";

upstream java_prod {
    server 10.0.0.12:8080;
}
upstream java_test {
    server 10.0.0.13:9090;
}

server {
    listen 80;
    server_name 10.0.0.11;

    location /hello {
        default_type 'text/plain';
        content_by_lua 'ngx.say("hello, lua scripts")';
    }

    location /myip {
        default_type 'text/plain';
        content_by_lua '
            clientIP = ngx.req.get_headers()["x_forwarded_for"]
            ngx.say("Forwarded_IP:", clientIP)
            if clientIP == nil then
                clientIP = ngx.var.remote_addr
                ngx.say("Remote_IP:", clientIP)
            end
        ';
    }

    location / {
        default_type 'text/plain';
        content_by_lua_file /usr/local/nginx/lua/;
    }

    location @java_prod {
        proxy_pass http://java_prod;
        include proxy_params;
    }
    location @java_test {
        proxy_pass http://java_test;
        include proxy_params;
    }
}
```

Contents of the included proxy_params file:

```nginx
# When Nginx reverse-proxies Tomcat these headers must be set, otherwise Tomcat returns 400
proxy_redirect default;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 32k;
proxy_buffering on;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 256k;
```

4) Write the grey-release Lua script that Nginx calls

```shell
[root@localhost ~]# vim /usr/local/nginx/lua/
```
```lua
-- Get X-Real-IP
clientIP = ngx.req.get_headers()["X-Real-IP"]
-- If empty, fall back to X-Forwarded-For
if clientIP == nil then
    clientIP = ngx.req.get_headers()["x_forwarded_for"]
end
-- If still empty, use remote_addr
if clientIP == nil then
    clientIP = ngx.var.remote_addr
end
-- Load the memcached client library
local memcached = require "resty.memcached"
-- Instantiate the client object
local memc, err = memcached:new()
-- Stop if instantiation failed
if not memc then
    ngx.say("failed to instantiate memc: ", err)
    return
end
-- Connect to memcached
local ok, err = memc:connect("127.0.0.1", 11211)
-- If the connection fails, report the error to the client
if not ok then
    ngx.say("failed to connect: ", err)
    return
end
-- Look up the IP; if the key exists its value is assigned to res
local res, flags, err = memc:get(clientIP)
--ngx.say("value key: ", res, clientIP)
if err then
    ngx.say("failed to get clientIP ", err)
    return
end
-- If the value is 1, hand the request to the internal location @java_test
if res == "1" then
    ngx.exec("@java_test")
    return
end
-- Otherwise hand it to @java_prod
ngx.exec("@java_prod")
return
```

5) Set the IP in Memcached and test the grey release

```shell
# Store the value over telnet
[root@localhost ~]# telnet 127.0.0.1 11211
# set the key for the corresponding IP
set 10.0.0.10 0 0 1
# enter the value 1
1
```

4. Basic security overview

1) Common malicious behaviour

Crawling and malicious scraping, theft of resources.

Protection:
- Basic hotlink protection, so that malicious users cannot easily crawl the data the site exposes
- access_module: IP-based protection for the back office and for data served only to some users

Solution:

```nginx
server {
    listen 80;
    server_name localhost;
    set $ip 0;
    if ($http_x_forwarded_for ~ 10.0.0.10) {
        set $ip 1;
    }
    if ($remote_addr ~ 10.0.0.10) {
        set $ip 1;
    }
    # If $ip is 0 return 403, otherwise allow access
    location /admin {
        if ($ip = "0") {
            return 403;
        }
        default_type application/json;
        return 200 '{"status":"success"}';
    }
}
```

2) Common attack methods (code injection)

Credential stuffing against the back office: repeatedly attempting to log in with guesses from a password dictionary in order to obtain the back-office password.

Protection:
1. Enforce back-office password complexity
2. Use access_module to restrict the back office by IP
3. Set up an alerting mechanism

File upload vulnerability: an upload endpoint is used to plant malicious code on the server, which is then executed by requesting its URL.

Solution:

```nginx
location ^~ /upload {
    root /usr/local/openresty/nginx/html/upload;
    if ($request_filename ~* (.*)\.php) {
        return 403;
    }
}
```

3) Common attack methods (SQL injection)

SQL injection exploits unfiltered, unvalidated user input to make the application run SQL it was never meant to run.

Protection:
1. Enable the security-related restrictions in the configuration
2. Developers review submitted SQL and block the common injection techniques
3. Build a WAF (application-layer firewall) with Nginx + Lua to block SQL injection

Nginx + Lua WAF application firewall

1) Quick LNMP installation (omitted)

2) Configure MySQL

```shell
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]# mysql
MariaDB [(none)]> create database info;
MariaDB [(none)]> use info;
MariaDB [info]> create table user(id int(11),username varchar(64), password varchar(64), email varchar(64));
MariaDB [info]> desc user;
+----------+-------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| id       | int(11)     | YES  |     | NULL    |       |
| username | varchar(64) | YES  |     | NULL    |       |
| password | varchar(64) | YES  |     | NULL    |       |
| email    | varchar(64) | YES  |     | NULL    |       |
+----------+-------------+------+-----+---------+-------+
# Insert data
MariaDB [info]> insert into user (id,username,password,email) values(1,'admin',('123'),'admin@');
MariaDB [info]> select * from user;
+------+----------+----------------------------------+-----------------+
| id   | username | password                         | email           |
+------+----------+----------------------------------+-----------------+
|    1 | admin    | 123                              | admin@          |
+------+----------+----------------------------------+-----------------+
1 row in set (0.00 sec)
```

3) Configure the PHP code

```shell
[root@localhost ~]# vim /usr/local/nginx/html/
```
```php
    ";
    echo $arr[1];
    echo $arr[3]."
    ";
} else {
    echo "login failed!";
}
?>
```

4. Deploy the WAF protection code

```shell
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# git clone /loveshell/ngx_lua_
[root@localhost src]# cp -r ngx_lua_waf/ /usr/local/nginx/conf/waf
```

Add the following to the http block of the Nginx configuration:

```nginx
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/;
access_by_lua_file /usr/local/nginx/conf/waf/;
```

Configure the WAF rule directory in the WAF configuration file:

```shell
[root@localhost ~]# vim /usr/local/nginx/conf/waf/
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
```

Block SQL injection (rule file for POST bodies):

```shell
[root@localhost ~]# vim /usr/local/nginx/conf/waf/wafconf/post
sors+
```

Block CC (HTTP flood) attacks:

```shell
[root@localhost ~]# vim /usr/local/nginx/conf/waf/
CCDeny="on"
CCrate="100/60"
```
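The grey-release script and the /admin check earlier on this page both take the client address from X-Real-IP or X-Forwarded-For, headers any client can set unless Nginx only accepts them from a proxy it trusts, and the /admin check matches with an unanchored regex whose dots are unescaped. The Python model below is an added example, not code from the page or from Nginx: it reproduces both decisions with a dict standing in for Memcached, then shows a trusted-proxy, exact-match variant; the function names, the trusted proxy 10.0.0.11 and the sample requests are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed stand-in for the Memcached keys written with "set <ip> 0 0 1" on the page.
CANARY_IPS = {"10.0.0.10": "1"}
# Assumption: only this front proxy may supply X-Real-IP / X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.11"}
ADMIN_ALLOWLIST = {"10.0.0.10"}

def _norm(headers):
    """Key normalisation like ngx.req.get_headers(): lower-case, '_' read as '-'."""
    return {k.lower().replace("_", "-"): v for k, v in headers.items()}

def client_ip_as_on_page(headers, remote_addr):
    """Fallback order of the page's Lua script: X-Real-IP, X-Forwarded-For, remote_addr."""
    h = _norm(headers)
    return h.get("x-real-ip") or h.get("x-forwarded-for") or remote_addr

def client_ip_trusted(headers, remote_addr):
    """Honour forwarding headers only from a trusted proxy, take the hop that proxy
    appended (last X-Forwarded-For entry), and require a syntactically valid address."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    h = _norm(headers)
    xff = h.get("x-forwarded-for", "")
    candidate = h.get("x-real-ip") or (xff.split(",")[-1].strip() if xff else remote_addr)
    try:
        ip_address(candidate)  # rejects junk such as "10.0.0.10 OR 1=1"
    except ValueError:
        return remote_addr
    return candidate

def choose_backend(ip):
    """Same rule as the page's script: key present with value "1" -> @java_test."""
    return "@java_test" if CANARY_IPS.get(ip) == "1" else "@java_prod"

def admin_allowed_as_on_page(xff, remote_addr):
    """The page's nginx 'if' blocks: unanchored regex, dots unescaped."""
    return bool(re.search("10.0.0.10", xff or "") or re.search("10.0.0.10", remote_addr))

def admin_allowed_exact(headers, remote_addr):
    """Exact allowlist membership on the trusted-resolution address."""
    return client_ip_trusted(headers, remote_addr) in ADMIN_ALLOWLIST
```

With the page's logic a direct client that sends X-Real-IP: 10.0.0.10 is routed to the test cluster, and 10.0.0.100 passes the /admin check; the trusted variant routes the same requests to @java_prod and 403.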
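To make the WAF deployment above concrete, this added Python model (not ngx_lua_waf's own code) shows what its access phase amounts to: regex rules read from per-source files such as wafconf/post are tested against the query string and POST body, and the CCrate value "100/60" is enforced as a per-client, per-URI counter over a 60-second window, the job the lua_shared_dict declared above does inside Nginx. The rule lines, the request dicts and the function names are constructed assumptions, not the project's shipped rule set.

```python
import re
import time
# Constructed sample rules in the style of ngx_lua_waf's wafconf/<name> files
# (one regex per line); illustrations, not the project's shipped rule set.
RULE_FILES = {
    "args": r"""
\s+or\s+\d+=\d+
union\s+select
""",
    "post": r"""
\s+or\s+\d+=\d+
""",
}
CCRATE = "100/60"  # same "requests/seconds" format as CCrate in the page's config

def load_rules(text):
    """Compile one case-insensitive regex per non-empty line of a rule file."""
    return [re.compile(line, re.I) for line in text.splitlines() if line.strip()]

RULES = {name: load_rules(body) for name, body in RULE_FILES.items()}

def match_rules(source, payload):
    """Pattern of the first matching rule for source 'args' or 'post', else None."""
    for rule in RULES[source]:
        if rule.search(payload):
            return rule.pattern
    return None

class CcLimiter:
    """Fixed-window counter per (client_ip, uri): the role the lua_shared_dict plays."""
    def __init__(self, rate=CCRATE, clock=time.monotonic):
        count, seconds = rate.split("/")
        self.limit, self.window, self.clock = int(count), int(seconds), clock
        self.buckets = {}  # (client_ip, uri) -> (window_start, hits)

    def allow(self, client_ip, uri):
        now = self.clock()
        start, hits = self.buckets.get((client_ip, uri), (now, 0))
        if now - start >= self.window:  # window expired: start counting afresh
            start, hits = now, 0
        self.buckets[(client_ip, uri)] = (start, hits + 1)
        return hits + 1 <= self.limit

def inspect(request, limiter):
    # Access-phase decision for one request: ('deny', reason) or ('allow', None)
    if not limiter.allow(request["client_ip"], request["uri"]):
        return "deny", "cc"
    for source in ("args", "post"):
        hit = match_rules(source, request.get(source, ""))
        if hit:
            return "deny", source + ":" + hit
    return "allow", None
```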
Publisher: admin. Please credit the source when reposting: http://www.yc00.com/xiaochengxu/1687986732a64075.html