improved blacklist/whitelist/dnsbl with lua

lua/blacklist.lua

@@ -0,0 +1,45 @@
+local dns		= require "dns"
+local ip_list 		= {%BLACKLIST_IP_LIST%}
+local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
+local ip		= ngx.var.remote_addr
+
+function ip_cached_ko ()
+	return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
+end
+
+function reverse_cached_ko ()
+	return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
+end
+
+function ip_cached ()
+	return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
+end
+
+function reverse_cached ()
+	return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
+end
+
+function check_ip ()
+	for k, v in ipairs(ip_list) do
+		if v == ip then
+			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
+			return true
+		end
+	end
+	ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400)
+	return false
+end
+
+function check_reverse ()
+	local rdns = dns.get_reverse()
+	if rdns ~= "" then
+		for k, v in ipairs(reverse_list) do
+			if rdns:sub(-#v) == v then
+				ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
+				return true
+			end
+		end
+	end
+	ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
+	return false
+end

lua/dns.lua

@@ -0,0 +1,40 @@
+local resolver	= require "resty.dns.resolver"
+local resolvers	= {%DNS_RESOLVERS%}
+local ip	= ngx.var.remote_addr
+
+function get_reverse()
+	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
+	if not r then
+		return ""
+	end
+	local rdns = ""
+	local answers, err = r:reverse_query(ip)
+	if not answers.errcode then
+		for ak, av in ipairs(answers) do
+			if av.ptrdname then
+				rdns = av.ptrdname
+				break
+			end
+		end
+	end
+	return rdns
+end
+
+function get_ips(fqdn)
+	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
+	if not r then
+		return ""
+	end
+	local ips = {}
+	local answers, err, tries = r:query(fqdn, nil, {})
+	for ak, av in ipairs(answers) do
+		if av.address then
+			table.insert(ips, av.address)
+		end
+	end
+	return ips
+end
+
+function ip_to_arpa()
+	return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
+end

lua/dnsbl.lua

@@ -0,0 +1,28 @@
+local dns	= require "dns"
+local dnsbls	= {%DNSBL_LIST%}
+local ip	= ngx.var.remote_addr
+
+function cached_ko ()
+	return ngx.shared.dnsbl_cache:get(ip) == "ko"
+end
+
+function cached ()
+	return ngx.shared.dnsbl_cache:get(ip) ~= nil
+end
+
+function check ()
+	local rip = dns.ip_to_arpa()
+	for k, v in ipairs(dnsbls) do
+		local req = rip .. "." .. v
+		local ips = dns.get_ips(req)
+		for k2, v2 in ipairs(ips) do
+			a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
+			if a == "127" then
+				ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
+				return true
+			end
+		end
+	end
+	ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
+	return false
+end

lua/whitelist.lua

@@ -0,0 +1,55 @@
+local dns		= require "dns"
+local ip_list 		= {%WHITELIST_IP_LIST%}
+local reverse_list	= {%WHITELIST_REVERSE_LIST%}
+local ip		= ngx.var.remote_addr
+
+function ip_cached_ok ()
+	return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
+end
+
+function reverse_cached_ok ()
+	return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
+end
+
+function ip_cached ()
+	return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
+end
+
+function reverse_cached ()
+	return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
+end
+
+function check_ip ()
+	for k, v in ipairs(ip_list) do
+		if v == ip then
+			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
+			return true
+		end
+	end
+	ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400)
+	return false
+end
+
+function check_reverse ()
+	local rdns = dns.get_reverse()
+	if rdns ~= "" then
+		local whitelisted = false
+		for k, v in ipairs(reverse_list) do
+			if rdns:sub(-#v) == v then
+				whitelisted = true
+				break
+			end
+		end
+		if whitelisted then
+			local ips = dns.get_ips(rdns)
+			for k, v in ipairs(ips) do
+				if v == ip then
+					ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
+					return true
+				end
+			end
+		end
+	end
+	ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
+	return false
+end