
Implementing a Dynamic IP Blacklist with Nginx, Lua, and Redis

This guide explains how to build a dynamic IP blacklist using Nginx, Lua scripts, and Redis to block malicious or unwanted requests at the server level, covering architecture choices, installation steps, configuration details, and the benefits of a lightweight, shared, and easily updatable solution.

Architecture Digest

Background – To block crawlers or malicious users, a dynamic IP blacklist is needed so that requests from blacklisted IPs are denied.

Architecture – Several approaches exist (iptables, Nginx deny rules, application‑level checks). The chosen solution combines Nginx, Lua, and Redis, allowing centralized management and sharing of the blacklist across multiple servers.

Implementation steps

Install Nginx with Lua support, preferably using OpenResty.

Install and start a Redis server.

Configure Nginx with the necessary directives.

Write a Lua script that periodically fetches the latest blacklist from Redis.

Create a Redis Set named ip_blacklist and populate it with the IPs to block.

Nginx configuration

Define a shared memory zone for the blacklist:

lua_shared_dict ip_blacklist 1m;

Specify the Lua script to run on each request:

access_by_lua_file lua/ip_blacklist.lua;

The shared memory zone caches the blacklist locally on each Nginx server. The Lua script refreshes that cache from the Redis set and checks the client IP against it before allowing access.

After reloading Nginx, any request from an IP present in the blacklist will be rejected, as shown in the example screenshots.
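One way to write the lua/ip_blacklist.lua script referenced above, as an added example that is not the original article's script. It assumes lua-resty-redis (bundled with OpenResty), Redis at 127.0.0.1:6379, and a 60-second refresh interval; the `generation` and `refresh_lock` keys are names chosen for this example.

```lua
-- lua/ip_blacklist.lua: added example. Host, port and timings are assumptions.
local REDIS_HOST, REDIS_PORT = "127.0.0.1", 6379
local REDIS_TIMEOUT_MS = 200            -- bound the latency a slow Redis can add
local CACHE_TTL = 60                    -- seconds between refreshes from Redis
local REDIS_KEY = "ip_blacklist"        -- the Redis Set from the guide
local cache = ngx.shared.ip_blacklist   -- zone declared by lua_shared_dict

local function refresh()
  local redis = require "resty.redis"
  local red = redis:new()
  red:set_timeout(REDIS_TIMEOUT_MS)
  local ok, err = red:connect(REDIS_HOST, REDIS_PORT)
  if not ok then
    return nil, "connect: " .. (err or "unknown")
  end
  local members, serr = red:smembers(REDIS_KEY)
  if not members then
    return nil, "SMEMBERS: " .. (serr or "unknown")
  end
  red:set_keepalive(10000, 10)  -- return the connection to the pool
  -- Tag entries with a new generation and publish it last, so the list is
  -- never empty mid-refresh and IPs removed from Redis stop matching.
  -- Stale entries are left for the zone's LRU eviction; size the zone to fit.
  local gen = (cache:get("generation") or 0) + 1
  for _, addr in ipairs(members) do
    cache:set(addr, gen)
  end
  cache:set("generation", gen)
  return true
end

-- add() succeeds for only one worker per CACHE_TTL: that worker refreshes.
if cache:add("refresh_lock", true, CACHE_TTL) then
  local ok, err = refresh()
  if not ok then
    -- Fail open on Redis errors: keep enforcing the last good copy.
    ngx.log(ngx.ERR, "ip_blacklist refresh failed: ", err)
  end
end

-- remote_addr is the TCP peer; behind a proxy or CDN, configure the
-- realip module so this is the real client and not the proxy address.
local ip = ngx.var.remote_addr
local gen = cache:get(ip)
if gen and gen >= (cache:get("generation") or 0) then
  ngx.log(ngx.WARN, "ip_blacklist: denied ", ip)
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

Entries are managed with redis-cli, for example `SADD ip_blacklist 203.0.113.7` (a documentation address) to block and `SREM` to lift a block. Each server picks up the change within the refresh interval.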

Conclusion

Simple and lightweight configuration with minimal performance impact.

Multiple servers can share the same blacklist via Redis.

Dynamic updates are possible manually or through automation by modifying the Redis set.
