How to Build a Dynamic IP Blacklist with Nginx, Lua, and Redis
This guide explains how to create a dynamic IP blacklist using Nginx, Lua, and Redis, covering the background, architecture options, step‑by‑step implementation, and the advantages of a lightweight, shared, and easily updatable solution.
Background
To block certain crawlers or malicious users, a dynamic IP blacklist is needed that denies service to any IP listed.
Architecture
An IP blacklist can be implemented at the OS level with iptables, at the Nginx level using deny directives or Lua plugins, or at the application layer by checking client IPs. This article adopts an Nginx + Lua + Redis architecture, illustrated below.
Implementation
1. Install Nginx with Lua modules; OpenResty is recommended as it bundles many Lua extensions.
2. Install and start a Redis server.
3. Configure Nginx (example shown).
4. Define a shared memory zone for the blacklist: lua_shared_dict ip_blacklist 1m;
5. Load the Lua script that periodically fetches the latest blacklist from Redis: access_by_lua_file lua/ip_blacklist.lua;
6. In Redis, create a Set named ip_blacklist and populate it with the blocked IPs.
After completing these steps, reload Nginx. Requests from IPs present in the blacklist will be denied, as shown below.
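A sketch of what lua/ip_blacklist.lua from step 5 could contain, added here as an example and not the article's original script. It uses the lua-resty-redis client bundled with OpenResty; the Redis address, the refresh interval, and the timeouts are assumed values.

```lua
-- lua/ip_blacklist.lua (added example, not the article's original script)
-- Assumed values: Redis on 127.0.0.1:6379, 60 s refresh, 200 ms timeout.
local redis = require "resty.redis"

local REDIS_HOST, REDIS_PORT = "127.0.0.1", 6379
local REDIS_KEY    = "ip_blacklist"    -- the Redis Set from step 6
local REFRESH_SECS = 60                -- how often the Set is re-read
local ENTRY_TTL    = REFRESH_SECS * 3  -- cached entries expire unless refreshed

local cache = ngx.shared.ip_blacklist  -- shared memory zone from step 4

-- Copy the Redis Set into the shared dict. Entries are re-set with a TTL
-- instead of flushing the dict first, so there is no window in which the
-- cache is empty and a listed IP is let through.
local function refresh()
  local red = redis:new()
  red:set_timeout(200)  -- milliseconds
  local ok, err = red:connect(REDIS_HOST, REDIS_PORT)
  if not ok then
    ngx.log(ngx.ERR, "ip_blacklist: redis connect failed: ", err)
    return  -- keep serving from the cached list until entries expire
  end
  local ips, serr = red:smembers(REDIS_KEY)
  if not ips then
    ngx.log(ngx.ERR, "ip_blacklist: SMEMBERS failed: ", serr)
    red:close()
    return
  end
  for _, ip in ipairs(ips) do
    local set_ok, set_err, forcible = cache:set("ip:" .. ip, true, ENTRY_TTL)
    if not set_ok or forcible then
      -- forcible means older entries were evicted: the 1m zone is too small
      ngx.log(ngx.ERR, "ip_blacklist: shared dict full: ", set_err or "evicting")
    end
  end
  red:set_keepalive(10000, 10)  -- return the connection to the pool
end

-- add() is atomic across workers: one request per interval does the refresh.
if cache:add("refresh_lock", true, REFRESH_SECS) then
  refresh()
end

-- remote_addr is the TCP peer; behind a proxy or CDN, set up the realip module.
if cache:get("ip:" .. ngx.var.remote_addr) then
  ngx.log(ngx.WARN, "ip_blacklist: denied ", ngx.var.remote_addr)
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

With these values, an IP removed from the Redis Set stays blocked for up to ENTRY_TTL seconds, and if Redis is unreachable for longer than that the cached list expires and requests are allowed through.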
Summary
The Nginx + Lua + Redis IP blacklist is simple to configure, lightweight with negligible performance impact, shareable across multiple servers via Redis, and supports dynamic updates either manually or through automation.
21CTO
