阿里云SLB限制ip和CDN限制ip(指定ip的限制),及自动脚本的实现
一、shell总执行脚本
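#!/bin/bash
# Per-minute rate-limit driver: counts requests per watched IP in the last minute of
# SLB access logs, blocks offenders on the SLB ACL for 10 minutes, lifts expired
# blocks, and then pushes the current block list to the CDN IP blacklist.
# The CDN blacklist currently covers a single domain; the SLB ACL applies to all domains.
#
# NOTE: the log and state files use fixed names under world-writable /tmp. The ban
# file decides which ACL entries are added and removed, so on a shared host it should
# live in a directory only this job's user can write. slb_access_control.py hard-codes
# the same ban-file path, so both must be changed together.

# IPs to watch. Each entry must be a single IPv4 address: the log match below is a
# literal match and slb_access_control.py appends /32 to its argument, so a CIDR
# entry such as the 172.16.1.0/24 sample never matches a log line.
ban_ip_list=(192.168.1.1
172.16.1.0/24
)

# Requests per minute at or above which an IP is blocked for 10 minutes.
max_request_num=30
slb_access_log_file=/tmp/slb_access_log.log
slb_api_log_file=/tmp/slb_api.log
ban_ip_file=/tmp/ban_ip_time.txt

python /usr/local/scripts/slb_log.py >"${slb_access_log_file}"
# URL whose requests are counted.
grep -F -- "/index.html" "${slb_access_log_file}" >"${slb_api_log_file}"

for ip in "${ban_ip_list[@]}"; do
    # -F: the dots are literal, not regex wildcards. -w: whole-token match, so
    # 192.168.1.1 does not also count requests from 192.168.1.10.
    ip_access_num=$(grep -cwF -- "${ip}" "${slb_api_log_file}")
    if [ "${ip_access_num:-0}" -ge "${max_request_num}" ]; then
        # An IP that is still over the limit on the next run already has an entry;
        # adding it again would leave several entries with different expiry times.
        if ! awk -F"-" -v ip="${ip}" '$1 == ip { found = 1 } END { exit !found }' \
                "${ban_ip_file}" 2>/dev/null; then
            # Block the IP on the SLB ACL.
            python /usr/local/scripts/slb_access_control.py "${ip}"
        fi
    fi
done

# Lift blocks whose expiry time has passed. This runs once per invocation; it does
# not depend on the IP being examined above.
if [ -s "${ban_ip_file}" ]; then
    date_time=$(date +%s)
    keep_file=$(mktemp "${ban_ip_file}.XXXXXX") || exit 1
    while IFS= read -r entry; do
        # Entry format written by slb_access_control.py: <ip>-<expiry epoch seconds>
        remove_ip=${entry%%-*}
        expires_at=${entry##*-}
        case "${expires_at}" in
            ''|*[!0-9]*)
                echo "skipping malformed ban entry: ${entry}" >&2
                continue
                ;;
        esac
        if [ "${expires_at}" -lt "${date_time}" ]; then
            # Remove the IP from the SLB ACL. stdin is detached so the child cannot
            # consume the rest of the ban file that this loop is reading.
            python /usr/local/scripts/slb_remove_ip.py "${remove_ip}" </dev/null \
                || echo "SLB removal failed for ${remove_ip}" >&2
        else
            printf '%s\n' "${entry}" >>"${keep_file}"
        fi
    done <"${ban_ip_file}"
    # Rewrite the file instead of 'sed -i "/<entry>/d"': an entry used as a sed
    # pattern has its dots treated as wildcards and breaks on a '/' in the value.
    mv "${keep_file}" "${ban_ip_file}"
fi

if [ -s "${ban_ip_file}" ]; then
    # Comma-separated, de-duplicated, with no trailing comma (no empty last element).
    CDN_BAN_IP=$(cut -d"-" -f1 "${ban_ip_file}" | sort -u | paste -sd, -)
else
    CDN_BAN_IP=''
fi

# Apply (or, with an empty list, clear) the CDN IP restriction.
python /usr/local/scripts/cdn_ban_ip.py "${CDN_BAN_IP}"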
二、读取slb访问日志脚本(需要日志服务管理权限) slb_log.py
pip install -U aliyun-log-python-sdk
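# -*- coding: utf-8 -*-
"""Print the last minute of SLB access log entries from Alibaba Cloud Log Service.

The pulled log groups are written to stdout via ``log_print()``; the driver
shell script redirects that output to a file and counts requests per IP.
"""
import os
import re
import sys
import time

from aliyun.log.logitem import LogItem
from aliyun.log.logclient import LogClient
from aliyun.log.getlogsrequest import GetLogsRequest
from aliyun.log.putlogsrequest import PutLogsRequest
from aliyun.log.listlogstoresrequest import ListLogstoresRequest
from aliyun.log.gethistogramsrequest import GetHistogramsRequest

# Number of log groups requested per pull_logs call.
LOGGROUP_COUNT = 1
# Length of the window to read, in seconds, ending now.
WINDOW_SECONDS = 60


def main():
    """Pull and print every log group written to each shard in the last minute."""
    endpoint = 'cn-qingdao.log.aliyuncs.com'  # region endpoint
    project = 'project'  # Log Service project name
    logstore = '日志名称'  # logstore name

    # Keys are read from the environment so they never sit in the script or in
    # version control; the job's environment (e.g. cron) must export both.
    # NOTE(review): pulling logs should only need read access to this logstore;
    # prefer a RAM user scoped to that over an account-wide key - confirm
    # against your RAM policy.
    try:
        access_key_id = os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID']
        access_key = os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET']
    except KeyError as missing:
        sys.exit("missing environment variable: %s" % missing)

    log_client = LogClient(endpoint, access_key_id, access_key)

    # Compute the window once so every shard is read over the same interval.
    start_time = int(time.time() - WINDOW_SECONDS)
    end_time = start_time + WINDOW_SECONDS

    shards = log_client.list_shards(project, logstore).get_shards_info()
    for shard in shards:
        shard_id = shard["shardID"]
        cursor = log_client.get_cursor(
            project, logstore, shard_id, start_time).get_cursor()
        end_cursor = log_client.get_cursor(
            project, logstore, shard_id, end_time).get_cursor()

        while True:
            res = log_client.pull_logs(
                project, logstore, shard_id, cursor, LOGGROUP_COUNT, end_cursor)
            res.log_print()
            next_cursor = res.get_next_cursor()
            # The cursor stops advancing once the end of the window is reached.
            if next_cursor == cursor:
                break
            cursor = next_cursor


if __name__ == "__main__":
    main()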
三、slb限制ip的脚本(slb_access_control.py )
pip install aliyun-python-sdk-slb
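#!/usr/bin/python
"""Add one IPv4 address to the SLB access control list and record its expiry.

Usage: slb_access_control.py <ipv4-address>

On success a line ``<ip>-<expiry epoch seconds>`` is appended to BAN_FILE; the
driver script reads that file to lift the block once the expiry has passed.
"""
import os
import socket
import sys
import time

from aliyunsdkcore import client
from aliyunsdkslb.request.v20140515 import AddAccessControlListEntryRequest

# NOTE: fixed name under world-writable /tmp; the driver script uses the same
# path, so move both together if the state file is relocated.
BAN_FILE = r'/tmp/ban_ip_time.txt'
BAN_SECONDS = 600
Endpoint = 'cn-qingdao'  # region
ACL_ID = 'acl-m5evxzrxlhiv86azkrret'


def main():
    """Validate the argument, add the ACL entry, then record the ban."""
    if len(sys.argv) < 2:
        sys.exit("usage: slb_access_control.py <ipv4-address>")
    ban_ip = sys.argv[1]

    # The entry is built as "<arg>/32", so the argument must be a bare dotted-quad
    # address; a CIDR or any other string would produce an invalid ACL entry.
    try:
        socket.inet_pton(socket.AF_INET, ban_ip)
    except (socket.error, ValueError):
        sys.exit("not a valid IPv4 address: %r" % ban_ip)

    # Keys come from the environment rather than from literals in the script.
    # NOTE(review): a RAM user limited to editing this one ACL would be the
    # least-privilege choice - confirm against your RAM policy.
    try:
        access_key_id = os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID']
        access_key_secret = os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET']
    except KeyError as missing:
        sys.exit("missing environment variable: %s" % missing)

    # Named acs_client so the imported `client` module is not shadowed.
    acs_client = client.AcsClient(access_key_id, access_key_secret, Endpoint)

    request = AddAccessControlListEntryRequest.AddAccessControlListEntryRequest()
    request.set_accept_format('json')
    comment_str = "%s-" % ban_ip + str(int(time.time()) + BAN_SECONDS)
    AclEntrys = [{"entry": "%s/32" % ban_ip, "comment": comment_str}]
    request.set_AclEntrys(AclEntrys)
    request.set_AclId(ACL_ID)
    response = acs_client.do_action_with_exception(request)

    # Record the ban only after the API call succeeded; otherwise a failed call
    # would leave an entry that later triggers removal of a rule never added.
    with open(BAN_FILE, 'a') as f:
        f.write(comment_str)
        f.write('\n')

    print(response)


if __name__ == "__main__":
    main()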
四、删除slb中的限制的ip的脚本 (slb_remove_ip.py)
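#!/usr/bin/python
"""Remove one IPv4 address from the SLB access control list.

Usage: slb_remove_ip.py <ipv4-address>
"""
import os
import socket
import sys
import time

from aliyunsdkcore import client
from aliyunsdkslb.request.v20140515 import RemoveAccessControlListEntryRequest

Endpoint = 'cn-qingdao'  # region
ACL_ID = 'acl-m5evxzrxlhiv86azkrret'


def main():
    """Validate the argument and remove the matching /32 entry from the ACL."""
    if len(sys.argv) < 2:
        sys.exit("usage: slb_remove_ip.py <ipv4-address>")
    remove_ip = sys.argv[1]

    # The argument comes from a state file under /tmp, so it is checked before it
    # is turned into an ACL entry; only a bare dotted-quad address is accepted.
    try:
        socket.inet_pton(socket.AF_INET, remove_ip)
    except (socket.error, ValueError):
        sys.exit("not a valid IPv4 address: %r" % remove_ip)

    # Keys come from the environment rather than from literals in the script.
    try:
        access_key_id = os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID']
        access_key_secret = os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET']
    except KeyError as missing:
        sys.exit("missing environment variable: %s" % missing)

    # Named acs_client so the imported `client` module is not shadowed.
    acs_client = client.AcsClient(access_key_id, access_key_secret, Endpoint)

    request = RemoveAccessControlListEntryRequest.RemoveAccessControlListEntryRequest()
    request.set_accept_format('json')
    # NOTE(review): the comment here differs from the one written when the entry
    # was added; presumably removal matches on "entry" alone - confirm.
    AclEntrys = [{"entry": "%s/32" % remove_ip, "comment": "privaterule1"}]
    request.set_AclEntrys(AclEntrys)
    request.set_AclId(ACL_ID)
    response = acs_client.do_action_with_exception(request)
    print(response)


if __name__ == "__main__":
    main()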
五、cdn限制脚本(cdn_ban_ip.py)
pip install aliyun-python-sdk-cdn
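#!/usr/bin/python
"""Set the CDN IP blacklist of one domain to the given comma-separated list.

Usage: cdn_ban_ip.py [ip1,ip2,...]

With no argument (or an empty one) an empty list is sent, which the driver
script relies on to lift the restriction.
"""
import os
import sys

from aliyunsdkcore import client
from aliyunsdkcdn.request.v20141111 import SetIpBlackListConfigRequest

Endpoint = 'cn-qingdao'  # region
DomainName = 'www.baidu.com'  # CDN domain the restriction applies to


def main():
    """Send the blacklist for DomainName to the CDN API."""
    raw_list = sys.argv[1] if len(sys.argv) > 1 else ''
    # Drop empty elements so a trailing or doubled comma does not reach the API
    # as an empty address.
    ban_ip = ",".join(part.strip() for part in raw_list.split(",") if part.strip())

    # Keys come from the environment rather than from literals in the script.
    try:
        access_key_id = os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID']
        access_key_secret = os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET']
    except KeyError as missing:
        sys.exit("missing environment variable: %s" % missing)

    # Named acs_client so the imported `client` module is not shadowed.
    acs_client = client.AcsClient(access_key_id, access_key_secret, Endpoint)

    request = SetIpBlackListConfigRequest.SetIpBlackListConfigRequest()
    # NOTE(review): this appears to replace the domain's whole blacklist, so
    # entries maintained by hand or by another tool would be overwritten on
    # every run - confirm before pointing it at a domain with existing rules.
    request.set_BlockIps(ban_ip)
    request.set_DomainName(DomainName)
    acs_client.do_action_with_exception(request)


if __name__ == "__main__":
    main()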