Part 1: A solution for controlling user request rates on a web server (Nginx)
Nginx offers several ways to do access control, with different effects: by IP range, by requested content, by request rate, and so on. Using Nginx + Lua + Redis for rate limiting is mainly motivated by the need for fast access decisions under high concurrency. Nginx processes a request in 11 phases: post-read, server-rewrite, find-config, rewrite, post-rewrite, preaccess, access, post-access, try-files, content and log. In OpenResty these phases are exposed through directives such as set_by_lua, rewrite_by_lua, access_by_lua and content_by_lua. Access control therefore belongs in the access phase (access_by_lua).
1. Approach

Following ordinary logic, the access-control scheme looks like this:

1. Check whether the client is currently forbidden.
   If yes: has the block expired? If so, clear the record and serve the request normally (200); if not, return 403.
   If no: serve the request normally (200).
2. On every request, increment the client's request counter for the current second.
3. Check whether the request rate exceeds the limit; if it does, add a forbidden record and return 403.

That is the simple version. It can be refined, for example by computing the block duration with an algorithm so that it grows with each repeated offence.
2. Config

First add a vhost configuration file for nginx. Part of vhost.conf is shown below (the rest of the server block is not preserved on this page):

```
lua_package_path "/usr/local/openresty/lualib/?.lua;;";    # tell OpenResty where its Lua libraries live
lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
error_log /usr/local/openresty/nginx/logs/openresty.debug.log debug;

server {
    listen 8080 default;
    server_name localhost;
```

For Redis storage, plain string values are enough. The keys are:

- request counter: user:127.0.0.1:time (time is a unix timestamp, so there is one key per client per second)
- block record: block:127.0.0.1

Connect to Redis first:

```lua
local redis = require "resty.redis"      -- lua-resty-redis, shipped with OpenResty
local M = {}
local red = redis:new()

function M:redis()
    red:set_timeout(1000)                 -- 1 s connect/send/read timeout
    local ok, err = red:connect("127.0.0.1", 6379)
    if not ok then
        ngx.log(ngx.ERR, "redis connect failed: ", err)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
end
```

Following the plan, the first step is to check whether the client is forbidden: look up block:127.0.0.1; if a record is found, test whether the block has expired, returning 403 if it has not and otherwise letting the request through:

```lua
function M:check1()
    local time = os.time()                                    -- system time
    local ip = ngx.var.remote_addr
    local res, err = red:get("block:" .. ip)
    if not res then                                           -- redis error
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    -- a missing key comes back as ngx.null (userdata), so a string means a record exists
    if type(res) == "string" then
        if tonumber(res) >= tonumber(time) then               -- block has not expired yet
            ngx.exit(ngx.HTTP_FORBIDDEN)
        else
            red:del("block:" .. ip)                           -- expired: clear the record
        end
    end
end
```

Next, check whether the request rate is too high and, if so, put the client on the blacklist. This is done by testing whether user:127.0.0.1:time has gone over the limit:

```lua
function M:check2()
    local time = os.time()                                    -- system time
    local ip = ngx.var.remote_addr
    local res, err = red:get("user:" .. ip .. ":" .. time)
    if not res then                                           -- redis error
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    if type(res) == "string" then
        if tonumber(res) >= 10 then                           -- attack: 10 requests in one second
            red:set("block:" .. ip, tonumber(time) + 5 * 60)  -- block until now + 5 minutes
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    end
end
```

Finally, remember to increment the counter for the current second, user:127.0.0.1:time, on every request:

```lua
function M:add()
    local time = os.time()                                    -- system time
    local key = "user:" .. ngx.var.remote_addr .. ":" .. time
    local ok, err = red:incr(key)
    if not ok then
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    red:expire(key, 2)   -- per-second keys must expire, or Redis fills up with dead counters
end

return M
```

Then test: hammer refresh in the browser a few times, and after a moment you get a 403. Done.
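The scheme above costs three Redis round trips per request and has a race: two nginx workers can both read a count of 9, both let their request through, and only the counter notices the tenth. The access handler below is an added example, not code from the original article. It keeps the article's key names (user:<ip>:<second>, block:<ip>) and its 10 requests/s threshold, but performs the count, the check and the block inside one Redis EVAL script so the decision is atomic, gives every counter a TTL, pools the Redis connection, and grows the block duration with each repeat offence as the article's closing remark suggests. The strikes:<ip> key, the 5-minute base, the 24-hour cap and the doubling rule are this example's own assumptions.

```lua
-- Added example (not from the original article): atomic rate limit with
-- escalating blocks, for access_by_lua_file in the location to protect.
-- Assumptions: OpenResty with lua-resty-redis, Redis on 127.0.0.1:6379,
-- and the limits/key names below, which are this example's own choices.
local redis = require "resty.redis"

local LIMIT_PER_SEC  = 10          -- requests within one second before blocking
local BASE_BLOCK_SEC = 5 * 60      -- first block lasts 5 minutes
local MAX_BLOCK_SEC  = 24 * 3600   -- cap on the escalation; also how long strikes are remembered

-- Runs inside Redis (EVAL), so two workers cannot interleave between the INCR
-- and the block decision.
--   KEYS[1] = per-second counter   KEYS[2] = block key   KEYS[3] = strike counter
--   ARGV[1] = limit  ARGV[2] = base block seconds  ARGV[3] = max block seconds
-- Returns how many seconds the client stays blocked, or 0 if it may proceed.
local LIMIT_SCRIPT = [[
  local remaining = redis.call('TTL', KEYS[2])
  if remaining > 0 then return remaining end
  local n = redis.call('INCR', KEYS[1])
  if n == 1 then redis.call('EXPIRE', KEYS[1], 2) end
  if n <= tonumber(ARGV[1]) then return 0 end
  local strikes = redis.call('INCR', KEYS[3])
  redis.call('EXPIRE', KEYS[3], tonumber(ARGV[3]))
  local block = tonumber(ARGV[2]) * 2 ^ (strikes - 1)
  block = math.floor(math.min(block, tonumber(ARGV[3])))
  redis.call('SET', KEYS[2], tostring(strikes), 'EX', block)
  return block
]]

local function fail(msg)
    ngx.log(ngx.ERR, msg)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- remote_addr is the TCP peer. Behind a reverse proxy it is the proxy's
-- address: configure the real_ip module there instead of trusting an
-- X-Forwarded-For header, which the client can set to dodge the limit.
local ip  = ngx.var.remote_addr
local now = ngx.time()           -- cached per request, no syscall like os.time()

local red = redis:new()
red:set_timeout(1000)
local ok, err = red:connect("127.0.0.1", 6379)
if not ok then
    return fail("redis connect failed: " .. tostring(err))
end

local blocked
blocked, err = red:eval(LIMIT_SCRIPT, 3,
    "user:" .. ip .. ":" .. now,
    "block:" .. ip,
    "strikes:" .. ip,
    LIMIT_PER_SEC, BASE_BLOCK_SEC, MAX_BLOCK_SEC)
if not blocked then
    return fail("redis eval failed: " .. tostring(err))
end

-- Hand the connection back to the pool (idle timeout 10 s, up to 100 per worker).
red:set_keepalive(10000, 100)

if tonumber(blocked) > 0 then
    ngx.header["Retry-After"] = tostring(blocked)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- Otherwise fall through and let the request continue to the content phase.
```

Because the block key is created with an EX time, there is no expiry timestamp to compare and nothing to clean up by hand: the first offence blocks for 5 minutes, the second for 10, and so on up to the cap, after which the strike counter itself ages out. Retry-After on the 403 tells a well-behaved client how long to back off.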
Part 2: 45 - Typical configuration example: SSID-based Web interface access control
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced or transmitted in any form without written permission from the company. The information in this document is subject to change without notice.
Contents

1 Introduction
2 Prerequisites
3 Configuration example
  3.1 Network requirements
  3.2 Configuration approach
  3.3 Configuration notes
  3.4 Configuration procedure
    3.4.1 Configuring the AC
    3.4.2 Configuring the Switch
  3.5 Verifying the configuration
  3.6 Configuration files
4 Related documentation

1 Introduction

This document describes a typical configuration example for SSID-based Web interface access control.

2 Prerequisites

This document is not tied to specific software or hardware versions. If the behaviour you observe differs from this document, consult the relevant product manuals or go by the device's actual behaviour.

The configurations in this document were made and verified in a lab environment on devices with factory default settings. If you have already configured the device, make sure the existing configuration does not conflict with the settings in this example.

This document assumes you are familiar with WLAN access, WLAN ACLs and the HTTP feature.

3 Configuration example
3.1 Network requirements

As shown in Figure 1, the AC connects to the AP through the Switch, and a DHCP server assigns IP addresses to the AP and the Client. Web access to the AC must be controlled according to the SSID a wireless client associates with:

A Client that joins the wireless network through the SSID named "service2" may access the AC through the Web interface; a Client that joins through the SSID named "service1" may not.
Figure 1 Network diagram for SSID-based Web interface access control (AC: Vlan-int100 192.168.1.1/24 and Vlan-int300 192.168.3.1/24, GE1/0/1 to the Switch; Switch: GE1/0/2 to the AP, GE1/0/3 to the DHCP server; the Client associates with the AP)
3.2 Configuration approach

So that Clients associated with SSID service2 can reach the AC through the Web interface, configure a WLAN ACL on the AC that permits only packets from Clients associated with SSID service2, and bind the HTTP service to that WLAN ACL. Clients on any other SSID match no permit rule, so the HTTP service rejects them.
3.3 Configuration notes

A WLAN ACL contains the default rule rule 0 deny; remove it with the undo rule 0 command. When configuring the AP's serial ID, make sure it is the serial ID that uniquely identifies that AP; it is printed on the label on the back of the AP.

Both service templates in this example are of the clear type, so neither SSID authenticates or encrypts anything: the control distinguishes which SSID a client chose, not who the client is, and anyone within radio range can associate with service2 and reach the Web interface. The ACL bound with ip http acl governs only the HTTP service; if HTTPS is also enabled on the AC, bind the ACL to it separately with ip https acl, otherwise the Web interface stays reachable over HTTPS from service1.
3.4 Configuration procedure

3.4.1 Configuring the AC

(1) Configure the AC interfaces

```
# Create VLAN 100 and its VLAN interface, and assign the interface an IP address.
# The AC uses this address to set up the LWAPP tunnel to the AP.
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.168.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200, used as the PVID of the WLAN-ESS interfaces.
[AC] vlan 200
[AC-vlan200] quit
# Create VLAN 300 as the service VLAN for Client access and assign VLAN-interface 300 an IP address.
[AC] vlan 300
[AC-vlan300] quit
[AC] interface vlan-interface 300
[AC-Vlan-interface300] ip address 192.168.3.1 24
[AC-Vlan-interface300] quit
# Configure GigabitEthernet1/0/1 as a trunk port, deny VLAN 1, permit VLAN 100 and VLAN 300, and set the PVID to 100.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 300
[AC-GigabitEthernet1/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet1/0/1] quit
# Create interface WLAN-ESS1 and set its link type to hybrid.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port link-type hybrid
# Set the hybrid port's PVID to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.
[AC-WLAN-ESS1] undo port hybrid vlan 1
[AC-WLAN-ESS1] port hybrid vlan 200 untagged
[AC-WLAN-ESS1] port hybrid pvid vlan 200
# Enable MAC VLAN.
[AC-WLAN-ESS1] mac-vlan enable
[AC-WLAN-ESS1] quit
# Create interface WLAN-ESS2 and set its link type to hybrid.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port link-type hybrid
# Set the hybrid port's PVID to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.
[AC-WLAN-ESS2] undo port hybrid vlan 1
[AC-WLAN-ESS2] port hybrid vlan 200 untagged
[AC-WLAN-ESS2] port hybrid pvid vlan 200
# Enable MAC VLAN.
[AC-WLAN-ESS2] mac-vlan enable
[AC-WLAN-ESS2] quit
```

(2) Configure the wireless services
```
# Create service template 1 of type clear.
[AC] wlan service-template 1 clear
# Set the SSID of the service template to service1.
[AC-wlan-st-1] ssid service1
# Bind interface WLAN-ESS1 to service template 1.
[AC-wlan-st-1] bind wlan-ess 1
# Enable the wireless service.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create service template 2 of type clear.
[AC] wlan service-template 2 clear
# Set the SSID of the service template to service2.
[AC-wlan-st-2] ssid service2
# Bind interface WLAN-ESS2 to service template 2.
[AC-wlan-st-2] bind wlan-ess 2
# Enable the wireless service.
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
```

(3) Configure the radio interface and bind the service templates
```
# Create an AP template named officeap, with model WA2620E-AGN.
[AC] wlan ap officeap model WA2620E-AGN
# Set the AP's serial ID to 210235A29G007C000020.
[AC-wlan-ap-officeap] serial-id 210235A29G007C000020
# Enter radio 2 view.
[AC-wlan-ap-officeap] radio 2
# Bind the clear-type service templates 1 and 2 configured on the AC to radio 2, with VLAN 300 as the VLAN bound to the radio interface.
[AC-wlan-ap-officeap-radio-2] service-template 1 vlan-id 300
[AC-wlan-ap-officeap-radio-2] service-template 2 vlan-id 300
# Enable radio 2 of the AP.
[AC-wlan-ap-officeap-radio-2] radio enable
[AC-wlan-ap-officeap-radio-2] quit
```

(4) Configure the WLAN ACL

```
# Create WLAN ACL 199 and remove its default rule 0.
[AC] acl number 199
[AC-acl-wlan-199] undo rule 0
# Configure rule 1: permit packets from WLAN users whose SSID is service2.
[AC-acl-wlan-199] rule 1 permit ssid service2
[AC-acl-wlan-199] quit
# Bind the HTTP service to ACL 199.
[AC] ip http acl 199
```

3.4.2 Configuring the Switch
```
# Create VLAN 100 and VLAN 300. VLAN 100 carries the LWAPP tunnel traffic between the AC and the AP; VLAN 300 is the VLAN wireless clients access.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] vlan 300
[Switch-vlan300] quit
# Configure GigabitEthernet1/0/1, which connects to the AC, as a trunk port, deny VLAN 1, permit VLAN 100 and VLAN 300, and set the PVID to 100.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 300
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects to the AP, as an access port in VLAN 100.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE on GigabitEthernet1/0/2, which connects to the AP.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/3, which connects to the DHCP server, as an access port in VLAN 100.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
[Switch-GigabitEthernet1/0/3] quit
```

3.5 Verifying the configuration
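The two checks in this section (a client on service2 reaches the AC's Web interface, a client on service1 does not) can be run the same way from each SSID with the script below. It is an added example and not part of the H3C document; it assumes the AC's Web interface answers at 192.168.1.1 (Vlan-interface100 in the example) and that curl is available on the client.

```sh
#!/bin/sh
# Added example, not part of the H3C document: probe the AC's Web interface
# from a wireless client so the checks in 3.5 are repeatable on each SSID.
# Assumption: the AC's Web interface is at 192.168.1.1 (Vlan-interface100 in
# the example); override with AC_HOST. A client that the ACL rejects typically
# sees the connection time out or get refused; both count as denied here.
AC_HOST="${AC_HOST:-192.168.1.1}"

# check_web_access HOST[:PORT]
# Prints "allowed (HTTP <code>)" and returns 0 when any HTTP response arrives;
# prints "denied (curl exit <rc>)" and returns 1 on timeout, refusal or error.
check_web_access() {
    rc=0
    code=$(curl -s -o /dev/null --connect-timeout 5 --max-time 10 \
                -w '%{http_code}' "http://$1/" 2>/dev/null) || rc=$?
    if [ "$rc" -eq 0 ] && [ -n "$code" ] && [ "$code" != "000" ]; then
        printf 'allowed (HTTP %s)\n' "$code"
        return 0
    fi
    printf 'denied (curl exit %s)\n' "$rc"
    return 1
}

# Expected result: "allowed" while associated with service2, "denied" while
# associated with service1. Set RUN_CHECK=1 to probe when the script is run.
if [ -n "$RUN_CHECK" ]; then
    check_web_access "$AC_HOST"
fi
```

Run it once while associated with each SSID; any HTTP status at all (200 or a redirect to the login page) means the ACL let the client through, while a timeout or refusal means it did not.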
# After a wireless client associates with SSID service2, it can access the AC through the Web interface normally.
# After a wireless client associates with SSID service1, it cannot access the AC through the Web interface.

3.6 Configuration files
AC:

```
#
 ip http acl 199
#
acl number 199
 rule 1 permit ssid service2
#
vlan 100
#
vlan 200
#
vlan 300
#
wlan service-template 1 clear
 ssid service1
 bind WLAN-ESS 1
 service-template enable
#
wlan service-template 2 clear
 ssid service2
 bind WLAN-ESS 2
 service-template enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 300
 undo port trunk permit vlan 1
 port trunk pvid vlan 100
#
interface Vlan-interface100
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface300
 ip address 192.168.3.1 255.255.255.0
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
#
interface WLAN-ESS2
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
#
wlan ap officeap model WA2620E-AGN id 1
 serial-id 210235A29G007C000020
 radio 1
 radio 2
  service-template 1 vlan-id 300
  service-template 2 vlan-id 300
  radio enable
#
```

Switch:

```
#
vlan 100
#
vlan 300
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 300
 undo port trunk permit vlan 1
 port trunk pvid vlan 100
#
interface GigabitEthernet1/0/2
 port link-type access
 port access vlan 100
 poe enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port access vlan 100
#
```

4 Related documentation
H3C WX Series Wireless Controllers Configuration Guide, "Fundamentals Configuration Guide". H3C WX Series Wireless Controllers Command Reference, "Fundamentals Command Reference". H3C WX Series Wireless Controllers Configuration Guide, "ACL and QoS Configuration Guide". H3C WX Series Wireless Controllers Command Reference, "ACL and QoS Command Reference". H3C WX Series Wireless Controllers Configuration Guide, "WLAN Configuration Guide". H3C WX Series Wireless Controllers Command Reference, "WLAN Command Reference".