nginx lua模块是淘宝开发的nginx第三方模块,它能将Lua语言嵌入到nginx配置中,从而借助Lua极大地增强nginx的能力。

准备

nginx 1.8.0:http://www.nginx.org
LuaJIT-2.0.4:http://luajit.org/download.html

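# Work in /tmp; the nginx configure step later expects the module checkout
# at /tmp/lua-nginx-module.
cd /tmp

# Fetch the release tarballs over HTTPS rather than plain HTTP so the download
# is protected in transit. Before unpacking, compare each tarball against the
# checksum or signature published by its upstream project.
wget https://nginx.org/download/nginx-1.8.0.tar.gz
wget https://luajit.org/download/LuaJIT-2.0.4.tar.gz

# Both clones take whatever the default branch holds at clone time. This code
# is compiled into nginx or executed on every request, so check out a tag or
# commit you have reviewed and that is compatible with the nginx version above.
git clone https://github.com/openresty/lua-nginx-module.git lua-nginx-module
git clone https://github.com/loveshell/ngx_lua_waf.git waf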

开始编译

编译LuaJIT

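# Unpack and build the LuaJIT tarball downloaded into /tmp. The paths used
# below show that the install lands under /usr/local, so `make install` needs
# root.
tar xf LuaJIT-2.0.4.tar.gz
cd LuaJIT-2.0.4
make && make install

# Expose the shared library in /lib64 so the runtime loader finds it when
# nginx starts.
ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

# Tell the lua-nginx-module build where the LuaJIT library and headers live.
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0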

nginx

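# Unpack the nginx source next to the module checkout in /tmp.
cd /tmp
tar xf nginx-1.8.0.tar.gz
cd nginx-1.8.0

# Build nginx with the Lua module compiled in (--add-module).
# Run this in the same shell that exported LUAJIT_LIB and LUAJIT_INC.
# --user/--group: workers drop to the unprivileged "nginx" account. The
#   install step does not create it, so add the user and group beforehand.
# --http-*-temp-path: request and response bodies are spooled under
#   /var/tmp/nginx. Create that directory before the first start and keep it
#   writable only by the nginx user.
./configure \
    --prefix=/usr \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --pid-path=/var/run/nginx/nginx.pid \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_flv_module \
    --with-http_gzip_static_module \
    --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/tmp/nginx/client \
    --http-proxy-temp-path=/var/tmp/nginx/proxy \
    --http-fastcgi-temp-path=/var/tmp/nginx/fcgi \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_spdy_module \
    --add-module=/tmp/lua-nginx-module

make && make install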

ngx_lua_waf

下面可以使用ngx_lua_waf来做一些安全设置了,具体方法可以参考

https://github.com/loveshell/ngx_lua_waf.git

http块配置文件

# Directives for the http{} block that switch on ngx_lua_waf.

# Per-site server blocks and the IP block list.
include vhost/*.conf;
include blocksip.conf;
# Read the request body before the Lua handlers run, so waf.lua can inspect
# POST data. Only a body held in memory can be read this way; see
# client_body_buffer_size.
lua_need_request_body on;
# Lua module search path; the WAF checkout is expected at /etc/nginx/vhost/waf.
lua_package_path "/etc/nginx/vhost/waf/?.lua";
# 10 MB shared-memory dictionary named "limit", shared by all workers.
lua_shared_dict limit 10m;
# init.lua is executed once when the configuration is loaded.
init_by_lua_file  /etc/nginx/vhost/waf/init.lua;
# waf.lua runs in the access phase of each request. Set at http level it is
# inherited by every server/location that does not declare its own
# access_by_lua* handler; one that does replaces the WAF check for that scope.
access_by_lua_file /etc/nginx/vhost/waf/waf.lua;

补充

老高在操作的时候突然遇到502。查看错误日志后发现,原因是POST请求体过大,超出内存缓冲区(client_body_buffer_size)的部分被nginx写入了临时文件,而Lua不支持从文件中获取请求数据,所以报错。

requesty body in temp file not supported

解决办法很简单:

在http块加入以下代码即可

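# Largest request body nginx accepts; larger requests are rejected.
client_max_body_size 1m;
# In-memory buffer for the request body. It is kept equal to
# client_max_body_size so that no accepted body is spooled to a temp file.
# With a smaller buffer (the original 128k), bodies between the two sizes
# still go to disk, which brings back the "temp file not supported" error
# and leaves those bodies uninspected by the WAF.
client_body_buffer_size 1m;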

下面是老高的nginx配置备份

# Worker processes run as the unprivileged "nginx" account; only the master
# process keeps root.
user  nginx;
# One worker per CPU core, detected automatically.
worker_processes  auto;

# No error_log is set here, so the path compiled in with --error-log-path
# applies.
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    # Linux epoll event notification.
    use epoll;
    # Upper bound on simultaneous connections per worker.
    worker_connections  1024;
}

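http {
    include       mime.types;
    default_type  application/octet-stream;

    # "main" log format; it is only used if an access_log directive names it.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    # Do not advertise the nginx version in responses and error pages.
    server_tokens   off;
    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;
    # Reset timed-out connections so their memory is released promptly.
    reset_timedout_connection on;

    # Connection-limit zones keyed by client IP and by virtual host. They only
    # take effect where a limit_conn directive references them (none is visible
    # in this file; presumably set in vhost/*.conf).
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    gzip  on;
    #gzip_min_length 1k;
    gzip_min_length 0;
    gzip_buffers 4 16k;
    gzip_comp_level 3;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject application/x-font-ttf image/svg+xml;
    gzip_vary off;
    gzip_disable "MSIE [1-6]\.";

    # Debug header: exposes cache status and upstream response time to every
    # client. Consider removing it once cache behaviour has been verified.
    add_header X-Cache-CFC "$upstream_cache_status - $upstream_response_time";
    fastcgi_temp_path /data/nginx/tmp_cache;
    fastcgi_cache_path /data/nginx/cache levels=1:2 keys_zone=phpgao:50m inactive=10m max_size=2m;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    # Largest request body nginx accepts; larger requests are rejected.
    client_max_body_size 1m;
    # In-memory buffer for the request body. It is kept equal to
    # client_max_body_size so that no accepted body is spooled to a temp file,
    # where the WAF's Lua code cannot read it. With a smaller buffer (the
    # original 128k), bodies between the two sizes still go to disk.
    client_body_buffer_size 1m;

    # Catch-all server: requests on port 80 that match no configured virtual
    # host get a 500 instead of being served by an arbitrary site.
    server{
        listen 80 default;
        return 500;
    }

    include vhost/*.conf;
    include blocksip.conf;

    # Enable Lua (ngx_lua_waf).
    # The body is read before the Lua handlers run so waf.lua can inspect POST
    # data.
    lua_need_request_body on;
    lua_package_path "/etc/nginx/vhost/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /etc/nginx/vhost/waf/init.lua;
    # Inherited by every server/location that does not declare its own
    # access_by_lua* handler; one that does replaces the WAF check there.
    access_by_lua_file /etc/nginx/vhost/waf/waf.lua;
}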