使用OpenResty(Nginx)和lua实现基本认证和授权
OpenResty是什么?
OpenResty是一个基于Nginx并搭载了LuaJIT的Web服务器,可以使用Lua的库等。
环境
-
- Ubuntu 20.04
-
- Docker version 20.10.14
-
- Docker Compose version v2.4.1
- nginx version: openresty/1.21.4.1
为什么不使用Nginx?
我想要做的事情是实现基本认证和授权。Nginx本身可以很容易地实现认证功能,但是授权机制却有些麻烦。
通过使用OpenResty,可以从Lua中访问Nginx的变量。如果能够获取已登录用户的用户名等信息,则可以在Lua脚本中的授权逻辑中判断是否允许该用户。
验证来源
目录结构
原文:ソースの配置は以下を想定しています。
中文翻译:源文件的布置按照以下进行设想。
.
├── docker-compose.yaml
└── nginx
├── conf.d
│ └── default.conf
├── lua
│ └── auth.lua
└── nginx.conf
Docker Compose(中文:Docker组合)
version: "3"
services:
openresty:
image: openresty/openresty:latest
hostname: openresty
container_name: openresty
volumes:
- ./nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
- ./nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf
- ./nginx/lua/auth.lua:/etc/nginx/lua/auth.lua
- ./nginx/.htpasswd:/etc/nginx/.htpasswd
ports:
- "80:80"
restart: always
打开 OpenResty 的配置
nginx.conf 沒有做任何更改,保持預設狀態。
# nginx.conf -- docker-openresty
#
# This file is installed to:
# `/usr/local/openresty/nginx/conf/nginx.conf`
# and is the file loaded by nginx at startup,
# unless the user specifies otherwise.
#
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
# section and adds this directive:
# `include /etc/nginx/conf.d/*.conf;`
#
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
# `/etc/nginx/conf.d/default.conf`. It contains the `server section
# of the upstream `nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
#user nobody;
#worker_processes 1;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
# Enables or disables the use of underscores in client request header fields.
# When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the ignore_invalid_headers directive.
# underscores_in_headers off;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
# Log in JSON Format
# log_format nginxlog_json escape=json '{ "timestamp": "$time_iso8601", '
# '"remote_addr": "$remote_addr", '
# '"body_bytes_sent": $body_bytes_sent, '
# '"request_time": $request_time, '
# '"response_status": $status, '
# '"request": "$request", '
# '"request_method": "$request_method", '
# '"host": "$host",'
# '"upstream_addr": "$upstream_addr",'
# '"http_x_forwarded_for": "$http_x_forwarded_for",'
# '"http_referrer": "$http_referer", '
# '"http_user_agent": "$http_user_agent", '
# '"http_version": "$server_protocol", '
# '"nginx_access": true }';
# access_log /dev/stdout nginxlog_json;
# See Move default writable paths to a dedicated directory (#119)
# https://github.com/openresty/docker-openresty/issues/119
client_body_temp_path /var/run/openresty/nginx-client-body;
proxy_temp_path /var/run/openresty/nginx-proxy;
fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
scgi_temp_path /var/run/openresty/nginx-scgi;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
# Don't reveal OpenResty version to clients.
# server_tokens off;
}
我正在添加基本认证的设置和lua脚本的设置。
# nginx.vh.default.conf -- docker-openresty
#
# This file is installed to:
# `/etc/nginx/conf.d/default.conf`
#
# It tracks the `server` section of the upstream OpenResty's `nginx.conf`.
#
# This config (and any other configs in `etc/nginx/conf.d/`) is loaded by
# default by the `include` directive in `/usr/local/openresty/nginx/conf/nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/local/openresty/nginx/html;
index index.html index.htm;
+ auth_basic "basic auth";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ access_by_lua_file /etc/nginx/lua/auth.lua;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/openresty/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root /usr/local/openresty/nginx/html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
以下是基本认证的设置。我们将用户和密码的信息存储在容器中的 /etc/nginx/.htpasswd 文件中。
auth_basic "basic auth";
auth_basic_user_file /etc/nginx/.htpasswd;
本次我们准备了两个用户,一个是管理员,另一个是测试用户。他们的密码分别是admin和test。
admin:$apr1$83K7MhNj$OTxCQTTH8eCkfLY94DdG41
test:$apr1$0jX4sM1.$wgnHDKX3u2dyALc7.uEYF/
顺便说一下,生成密码时请执行以下命令。我参考了这篇文章。
如果想保存第二个及之后的用户,应该在执行htpasswd命令时不使用-c选项,因为-c选项用于新建文件。
htpasswd -c ./nginx/.htpasswd admin
htpasswd ./nginx/.htpasswd test
如果没有安装htpasswd命令,可以按以下步骤进行安装。
apt-get -y install apache2-utils
Lua脚本(授权使用)
default.conf中的以下设置定义了用于授权的Lua脚本。
access_by_lua_file /etc/nginx/lua/auth.lua;
-- remote user名を取得
local remote_user = ngx.var.remote_user
if remote_user ~= "admin" then
-- adminユーザーでなければ403
ngx.header.content_type = "text/plain"
ngx.log(ngx.STDERR, remote_user.." にはアクセス権がありません")
ngx.status = ngx.HTTP_FORBIDDEN
return ngx.exit(403)
end
ngx.var.remote_user
ngx.var.XXXでNginxの変数にアクセスできます。remote_userにはユーザー名が入っています。
如果remote_user不是admin用户,则无法通过403访问。在这种情况下,admin用户可以访问OpenResty的默认页面,但test用户不能访问。
启动容器
docker-compose up -d
确认访问
- http://localhost/
如果要使用管理员用户登录的话。
将显示OpenResty的默认页面。
如果使用测试用户登录
显示403。
查看OpenResty的日志
docker logs openresty
可以确认测试用户遭遇了403错误。
2023/03/19 09:08:50 [] 7#7: *2 [lua] auth.lua:7: test にはアクセス権がありません, client: 172.24.0.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
172.24.0.1 - test [19/Mar/2023:09:08:50 +0000] "GET / HTTP/1.1" 403 561 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.44"
常用的OpenResty命令
检查配置文件是否有效(-t)。
docker exec -it openresty bash -c 'openresty -t'
以下是执行结果的示例。
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
通过使用“-s reload”命令,重新加载OpenResty。
docker exec -it openresty bash -c 'openresty -s reload'
执行结果的例子。
2023/03/19 09:16:43 [notice] 15#15: signal process started
总结
通过使用OpenResty,我们成功地实现了在基本认证系统中添加授权机制。如果我们再对Lua脚本进行一些改进,我们就可以实现更复杂的认证和授权机制。
我在以下文章中尝试了使用Ldap认证进行类似操作。
- OpenResty(Nginx)+Lua+OpenLDAP+ngx_auth_modでLdap認証と認可を実装する
请语言为中文的母语者来重述以下内容,仅需要提供一个选项:
请参考
-
- openresty/lua-nginx-module
- 逆引きlua-nginx-module
