How to Build a Dynamic IP Blacklist with Nginx, Lua, and Redis
Learn to protect your server from malicious crawlers by creating a dynamic IP blacklist using Nginx, Lua, and Redis, covering architecture choices, installation steps, configuration snippets, and how to share and update the blacklist across multiple machines.
Background
To block certain crawlers or malicious users from accessing the server, we need to build a dynamic IP blacklist. Requests from IPs on the blacklist are denied.
Architecture
There are several ways to implement an IP blacklist:
Configure iptables at the operating system level to reject traffic from specific IPs.
Use Nginx's deny directive or a Lua plugin at the web server level.
Check the client IP in the application layer before processing the request.
For easy management and sharing, we choose an Nginx + Lua + Redis architecture.
Implementation
Install Nginx with Lua support. Using OpenResty is recommended because it bundles many useful Lua modules.
Install and start a Redis server.
Configure Nginx with the following snippets:
    lua_shared_dict ip_blacklist 1m;
This allocates a 1 MB shared memory zone for caching the IP blacklist.
    access_by_lua_file lua/ip_blacklist.lua;
This tells Nginx to run the specified Lua script for each request.
Write a Lua script that periodically fetches the latest blacklist from Redis.
Create a Redis Set named ip_blacklist and populate it with the IPs to block.
After completing these steps, reload Nginx. Requests from IPs present in the Redis set will be denied.
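The lua/ip_blacklist.lua script that the steps above call for, as an added example (not the original article's script) built on OpenResty's lua-resty-redis and ngx.shared.DICT APIs. The Redis address, timeout, 60-second refresh interval, 5-second retry back-off, and the "fresh" and "ip:" cache key names are assumptions.

```lua
-- lua/ip_blacklist.lua: added example, not the original article's script.
-- Assumed values: Redis address, timeout, refresh interval, cache key names.
local redis_host, redis_port = "127.0.0.1", 6379
local redis_timeout_ms = 100            -- connect/send/read timeout
local redis_key        = "ip_blacklist" -- the Redis Set from the article
local cache_ttl        = 60             -- seconds between refreshes

local cache = ngx.shared.ip_blacklist   -- lua_shared_dict ip_blacklist 1m;
local ip    = ngx.var.remote_addr

local function refresh()
  local red = require("resty.redis"):new()
  red:set_timeout(redis_timeout_ms)
  local ok, err = red:connect(redis_host, redis_port)
  if not ok then return nil, "connect: " .. tostring(err) end
  local members, rerr = red:smembers(redis_key)
  if not members then
    red:close()
    return nil, "smembers: " .. tostring(rerr)
  end
  red:set_keepalive(10000, 10)          -- return the connection to the pool
  cache:flush_all()                     -- drops the "fresh" marker as well
  cache:set("fresh", true, cache_ttl)   -- so restore it before refilling
  for _, banned in ipairs(members) do
    -- safe_set never evicts live entries; it fails once the zone is full
    local set_ok, set_err = cache:safe_set("ip:" .. banned, true)
    if not set_ok then
      ngx.log(ngx.ERR, "ip_blacklist zone full at ", banned, ": ", set_err)
      break
    end
  end
  return true
end

-- add() is atomic across workers: only the worker that creates the "fresh"
-- marker refreshes; the others keep serving from the cached list.
if cache:add("fresh", true, cache_ttl) then
  local ok, err = refresh()
  if not ok then
    -- Redis unreachable: keep the previous list, back off 5 s before retrying
    cache:set("fresh", true, 5)
    ngx.log(ngx.ERR, "ip_blacklist refresh failed: ", err)
  end
end

if cache:get("ip:" .. ip) then
  ngx.log(ngx.WARN, "blocked blacklisted IP: ", ip)
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

When Nginx sits behind a load balancer or CDN, ngx.var.remote_addr is the proxy's address unless the realip module is configured, so the check would match the wrong IP. A blacklist larger than the 1 MB zone is loaded only partially, which the error log line above makes visible.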
Conclusion
The Nginx + Lua + Redis solution for an IP blacklist offers several advantages:
Simple, lightweight configuration with negligible performance impact.
Multiple servers can share the same blacklist via a central Redis instance.
Dynamic updates are possible manually or through automation.
