improved blacklist/whitelist/dnsbl with lua

confs/dnsbl.conf

@@ -1,84 +0,0 @@
-access_by_lua_block {
-
-	-- get client IP
-	local ip = ngx.var.remote_addr
-	
-	-- check if IP is in cache
-	local cached = ngx.shared.dnsblcache:get(ip)
-	if cached ~= nil then
-		if cached == "ok" then
-			ngx.exit(ngx.OK)
-		else
-			ngx.exit(ngx.HTTP_FORBIDDEN)
-		end
-	end
-	
-	-- get the reverse DNS
-	local rdns = ""
-	local both = false
-	local resolver = require "resty.dns.resolver"
-	local resolvers = {%DNSBL_RESOLVERS%}
-	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
-	if not r then
-		ngx.exit(ngx.OK)
-	end
-	local answers, err = r:reverse_query(ip)
-	if not answers.errcode then
-		for ak, av in ipairs(answers) do
-			if av.ptrdname then
-				rdns = av.ptrdname
-				break
-			end
-		end
-	end
-	if rdns ~= "" then
-		local answers, err, tries = r:query(rdns, nil, {})
-		for ak, av in ipairs(answers) do
-			if av.address and av.address == ip then
-				both = true
-				break
-			end
-		end
-	end
-	
-	-- check if it's a legitimate SE crawler 
-	local ips = {"23.21.227.69", "40.88.21.235", "50.16.241.113", "50.16.241.114", "50.16.241.117", "50.16.247.234", "52.204.97.54", "52.5.190.19", "54.197.234.188", "54.208.100.253", "54.208.102.37", "107.21.1.8"}
-	local domains = {".googlebot.com", ".google.com", ".search.msn.com", ".crawl.yahoot.net", ".crawl.baidu.jp", ".crawl.baidu.com", ".yandex.com", ".yandex.ru", ".yandex.net"}
-	for k, v in pairs(ips) do
-		if v == ip then
-			ngx.shared.dnsblcache:set(ip, "ok", 86400)
-			ngx.exit(ngx.OK)
-		end
-	end
-	if both and rdns ~= "" then
-		for k, v in pairs(domains) do
-			if rdns:sub(-#v) == v then
-				ngx.shared.dnsblcache:set(ip, "ok", 86400)
-				ngx.exit(ngx.OK)
-			end
-		end
-	end
-	
-	-- dnsbl check
-	local dnsbls = {%DNSBL_LIST%}
-	for k, v in pairs(dnsbls) do
-		local name = resolver.arpa_str(ip)
-		name = name:gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "") .. "." .. v
-		local answers, err, tries = r:query(name, nil, {})
-		if not answers.errcode then 
-			for ak, av in ipairs(answers) do
-				if av.address then
-					a,b,c,d = av.address:match("([%d]+).([%d]+).([%d]+).([%d]+)")
-					if a == "127" then
-						ngx.shared.dnsblcache:set(ip, "dnsbl", 86400)
-						ngx.exit(ngx.HTTP_FORBIDDEN)
-					end
-				end
-			end
-		end
-	end
-	
-	-- legitimate user
-	ngx.shared.dnsblcache:set(ip, "ok", 86400)
-	ngx.exit(ngx.OK)
-}

confs/main-lua.conf

@@ -0,0 +1,72 @@
+access_by_lua_block {
+
+local use_whitelist_ip			= %USE_WHITELIST_IP%
+local use_whitelist_reverse		= %USE_WHITELIST_REVERSE%
+local use_blacklist_ip			= %USE_BLACKLIST_IP%
+local use_blacklist_reverse		= %USE_BLACKLIST_REVERSE%
+local use_dnsbl				= %USE_DNS%
+
+-- include LUA code
+local whitelist = require "whitelist"
+local blacklist = require "blacklist"
+local dnsbl	= require "dnsbl"
+
+-- check if already in whitelist cache
+if use_whitelist_ip and whitelist.ip_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+if use_whitelist_reverse and whitelist.reverse_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+
+-- check if already in blacklist cache
+if use_blacklist_ip and blacklist.ip_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+if use_blacklist_reverse and blacklist.reverse_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if already in dnsbl cache
+if use_dnsbl and dnsbl.cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is whitelisted (only if not in cache)
+if use_whitelist_ip and not whitelist.ip_cached() then
+	if whitelist.check_ip() then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if reverse is whitelisted (only if not in cache)
+if use_whitelist_reverse and not whitelist.reverse_cached() then
+	if whitelist.check_reverse() then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if IP is blacklisted (only if not in cache)
+if use_blacklist_ip and not blacklist.ip_cached() then
+	if blacklist.check_ip() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if reverse is blacklisted (only if not in cache)
+if use_blacklist_reverse and not blacklist.reverse_cached() then
+	if blacklist.check_reverse() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in DNSBLs (only if not in cache)
+if use_dnsbl and not dnsbl.cached() then
+	if dnsbl.check() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+ngx.exit(ngx.OK)
+
+}

confs/nginx.conf

@@ -65,10 +65,14 @@ http {
 	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
 	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
 
-	# lua path
+	# lua path and dicts
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
+	%WHITELIST_IP_CACHE%
+	%WHITELIST_REVERSE_CACHE%
+	%BLACKLIST_IP_CACHE%
+	%BLACKLIST_REVERSE_CACHE%
 	%DNSBL_CACHE%
-
+	
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 

confs/server.conf

@@ -1,5 +1,6 @@
 server {
 	include /server-confs/*.conf;
+	include /etc/nginx/main-lua.conf;
 	%LISTEN_HTTP%
 	%USE_HTTPS%
 	%REDIRECT_HTTP_TO_HTTPS%
@@ -11,7 +12,6 @@ server {
 		return 405;
 	}
 	%LIMIT_REQ%
-	%DNSBL%
 	%AUTH_BASIC%
 	%USE_PHP%
 	%HEADER_SERVER%