Multiple access_by_lua?
39 views
Skip to first unread message
Zaar Hai
May 9, 2019, 10:19:45 PM5/9/19
to openresty-en
Good day guys,
I designing new API where I would like to perform two-stage authorization:
server {
listen 8000;
access_by_lua_block {
-- First stage authz for everybody
}
location /foo {
# No additional access verification
proxy_pass ...
}
location /bar {
access_by_lua_block {
-- Second stage authz just for this location
}
proxy_pass ...
}
}
However I discovered that only one access_by_lua_block will run per request (or so it seems) - if I access /foo then "First stage" will run as expected, however if I access /bar then only "Second stage" runs.
Is this by design? Is there a way to chain them? Or call outer access_by_lua_block from the inner one?
Thank you,
Zaar
Thibault Charbonnier
May 9, 2019, 10:42:53 PM5/9/19
to openre...@googlegroups.com
Hi,
This is not possible. Only one *_by_lua_block of each type (rewrite,
access, etc...) will be executed for each request. This is by design.
You have to handle such cases in your own Lua business logic. There are
**numerous** threads both in this email list and on the ngx_lua
repository issues[1] discussing this topic.
Best,
Thibault
[1]: https://github.com/openresty/lua-nginx-module
On 5/9/19 7:19 PM, Zaar Hai wrote:
> Good day guys,
>
> I designing new API where I would like to perform two-stage authorization:
>
> server {
> listen 8000;
>
> access_by_lua_block {
> -- First stage authz for everybody
> }
>
> location /foo {
> # No additional access verification
> proxy_pass ...
> }
>
> location /bar {
> access_by_lua_block {
> -- Second stage authz just for this location
> }
> proxy_pass ...
> }
> }
>
> However I discovered that only one access_by_lua_block will run per
> request (or so it seems) - if I access /foo then "First stage" will run
> as expected, however if I access /bar then *only* "Second stage" runs.
> You received this message because you are subscribed to the Google
> Groups "openresty-en" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to openresty-en...@googlegroups.com
> <mailto:openresty-en...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/openresty-en/b62fb8b9-425e-4fce-bbaf-3f46d447dd25%40googlegroups.com
> <https://groups.google.com/d/msgid/openresty-en/b62fb8b9-425e-4fce-bbaf-3f46d447dd25%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.
This is not possible. Only one *_by_lua_block of each type (rewrite,
access, etc...) will be executed for each request. This is by design.
You have to handle such cases in your own Lua business logic. There are
**numerous** threads both in this email list and on the ngx_lua
repository issues[1] discussing this topic.
Best,
Thibault
[1]: https://github.com/openresty/lua-nginx-module
On 5/9/19 7:19 PM, Zaar Hai wrote:
> Good day guys,
>
> I designing new API where I would like to perform two-stage authorization:
>
> server {
> listen 8000;
>
> access_by_lua_block {
> -- First stage authz for everybody
> }
>
> location /foo {
> # No additional access verification
> proxy_pass ...
> }
>
> location /bar {
> access_by_lua_block {
> -- Second stage authz just for this location
> }
> proxy_pass ...
> }
> }
>
> However I discovered that only one access_by_lua_block will run per
> request (or so it seems) - if I access /foo then "First stage" will run
> Is this by design? Is there a way to chain them? Or call outer
> access_by_lua_block from the inner one?
>
> Thank you,
> Zaar
>
> --
> access_by_lua_block from the inner one?
>
> Thank you,
> Zaar
>
> You received this message because you are subscribed to the Google
> Groups "openresty-en" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to openresty-en...@googlegroups.com
> <mailto:openresty-en...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/openresty-en/b62fb8b9-425e-4fce-bbaf-3f46d447dd25%40googlegroups.com
> <https://groups.google.com/d/msgid/openresty-en/b62fb8b9-425e-4fce-bbaf-3f46d447dd25%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.
Zaar Hai
May 10, 2019, 12:16:12 AM5/10/19
to openresty-en
Hi Thibault,
Thanks for the info.
It makes sense it was discussed before, but googling for "access_by_lua chain" and "access_by_lua multiple" didn't yield any fruit - listing those keywords here on purpose in hopes it will help others.
> an email to openre...@googlegroups.com
> <mailto:openresty-en+unsub...@googlegroups.com>.
Reply all
Reply to author
Forward
0 new messages