Which directive I can run before ssl_certificate_by_lua_block to get user-agent information in openresty


hussain nagri

Jun 14, 2022, 12:15:28 AM
to openresty-en

Hello fellow OpenResty users,

I am using OpenResty to generate SSL certificates dynamically.
I am trying to find out the user-agent of a request before running ssl_certificate_by_lua_block and decide if I want to continue with the request or not.

I found out that the ssl_client_hello_by_lua_block directive runs before ssl_certificate_by_lua_block, but if I try to execute ngx.req.get_headers()["user-agent"] inside ssl_client_hello_by_lua_block I get the following error:

2022/06/13 09:20:58 [error] 31918#31918: *18 lua entry thread aborted: runtime error: ssl_client_hello_by_lua:6: API disabled in the current context stack traceback: coroutine 0: [C]: in function 'error' /usr/local/openresty/lualib/resty/core/request.lua:140: in function 'get_headers' ssl_client_hello_by_lua:6: in main chunk, context: ssl_client_hello_by_lua*, client: 1.2.3.4, server: 0.0.0.0:443
I tried rewrite_by_lua_block, but it runs after ssl_certificate_by_lua_block.

Is there any directive that lets me access ngx.req.get_headers()["user-agent"] and also runs before ssl_certificate_by_lua_block?

Is this even possible to do?

I have asked this question on stack-overflow as well - https://stackoverflow.com/questions/72600559/which-directive-i-can-run-before-ssl-certificate-by-lua-block-to-get-user-agent

reflection_probe

Jun 14, 2022, 12:16:53 AM
to openre...@googlegroups.com
ssl_certificate_by_lua runs before a connection is established. The
user-agent hasn't even been sent yet. The only thing you can do is get the
IP address.

hussain nagri

Jun 14, 2022, 2:44:15 AM
to openresty-en
Yes, stupid of me. Forgot about that. Thank you.
Now, since I cannot stop the SSL handshake and hence the certificate generation in the process, is rewrite_by_lua_block the best place to filter by ngx.req.get_headers()["user-agent"] or would you recommend some other directive?

reflection_probe

Jun 14, 2022, 2:46:43 AM
to openre...@googlegroups.com
Put your bot defenses or rate limits in access_by_lua_*.
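As an added example (not code from the thread or from OpenResty itself), here is what the suggested access-phase placement looks like: by the time access_by_lua_block runs, the TLS handshake is complete and the request headers have been parsed, so the User-Agent check that failed in ssl_client_hello_by_lua_block works here. The shared dict name `ua_ratelimit`, the upstream `backend`, the blocklist entries and the limits are all constructed for this example.

```nginx
# Added example: bot filtering and a simple per-IP rate limit in the
# access phase, where request headers such as User-Agent are available.
lua_shared_dict ua_ratelimit 10m;   # assumed dict name

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key or ssl_certificate_by_lua_block as usual

    location / {
        access_by_lua_block {
            -- Constructed blocklist of User-Agent substrings (lower-case);
            -- a real deployment would load this from config or a datastore.
            local blocked_ua = { "badbot", "scrapy" }

            local ua = ngx.req.get_headers()["user-agent"]
            if type(ua) == "table" then
                -- Repeated User-Agent headers come back as a table; treat
                -- that as malformed rather than picking one arbitrarily.
                ngx.log(ngx.WARN, "multiple User-Agent headers from ", ngx.var.remote_addr)
                return ngx.exit(ngx.HTTP_BAD_REQUEST)
            end
            if not ua or ua == "" then
                -- Many abusive clients send no User-Agent at all.
                ngx.log(ngx.WARN, "missing User-Agent from ", ngx.var.remote_addr)
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            local ua_lower = ua:lower()
            for _, needle in ipairs(blocked_ua) do
                -- plain find: no Lua pattern metacharacters in the needle
                if ua_lower:find(needle, 1, true) then
                    ngx.log(ngx.WARN, "blocked UA ", ua, " from ", ngx.var.remote_addr)
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            end

            -- Per-IP rate limit: at most `limit` requests per `window` seconds.
            -- incr() with an init value and init_ttl creates the counter on
            -- first use and lets it expire with the window.
            local limit, window = 60, 60
            local dict = ngx.shared.ua_ratelimit
            local key = "rl:" .. ngx.var.remote_addr
            local count, err = dict:incr(key, 1, 0, window)
            if not count then
                ngx.log(ngx.ERR, "rate limit dict error: ", err)
                return  -- fails open on dict errors; use ngx.exit() to fail closed
            end
            if count > limit then
                ngx.log(ngx.WARN, "rate limited ", ngx.var.remote_addr)
                return ngx.exit(ngx.HTTP_TOO_MANY_REQUESTS)
            end
        }
        proxy_pass http://backend;  # assumed upstream
    }
}
```

Anything that rejects a request here still costs the TCP accept, the TLS handshake and header parsing, which is reflection_probe's point: this phase protects the application, not the connection budget.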

hussain nagri

Jun 14, 2022, 3:14:49 AM
to openresty-en
Thank you.
Just a doubt I have: since rewrite_by_lua executes before access_by_lua, wouldn't it be good to drop the bots before more processing happens? Or is there some nuance that I don't know about access_by_lua?

reflection_probe

Jun 14, 2022, 3:19:50 AM
to openre...@googlegroups.com
All the processing has already happened by the time even rewrite_by_lua
executes. You've already accepted the connection, already performed your
SSL handshake, etc.

nginx is extremely fast. It's one of the fastest HTTP servers around.
You can run it on a Raspberry Pi and still serve thousands of requests
per second. You should not be concerned about performance issues
accepting connections, because there is absolutely nothing you can do
about that except for getting a more powerful server or using a MITM
proxy like Cloudflare.

What you should be concerned about is semantic API abuse by bots and bad
actors. Think about stuff like automated signups or comments. You don't
want people abusing these, so that's where you want your protections,
aka in the application layer (which is where Lua executes).

hussain nagri

Jun 14, 2022, 3:36:49 AM
to openresty-en
Got it. Thank you.

Rainer Canavan

Jun 14, 2022, 9:34:52 AM
to openre...@googlegroups.com
On Tue, Jun 14, 2022 at 9:14 AM hussain nagri <nagri....@gmail.com> wrote:
>
> Thank you.
> Just a doubt I have: since rewrite_by_lua executes before access_by_lua, wouldn't it be good to drop the bots before more processing happens? Or is there some nuance that I don't know about access_by_lua?

If you have determined that certain IP addresses only produce bad
traffic that you want to reject, and you don't even care about
returning an HTML error page, you can abort the SSL handshake in
ssl_certificate_by_lua with return ngx.exit(ngx.HTTP_FORBIDDEN). I'm
not sure how much CPU time or network bandwidth you would save by
doing this - if any.

Rainer

hussain nagri

Jun 14, 2022, 10:04:04 AM
to openresty-en
Hey,
Can you please tell me how I get the IP address in or before ssl_certificate_by_lua?

On Tuesday, June 14, 2022 at 9:46:53 AM UTC+5:30 reflection_probe wrote:

Rainer Canavan

Jun 14, 2022, 10:08:48 AM
to openre...@googlegroups.com
On Tue, Jun 14, 2022 at 4:04 PM hussain nagri <nagri....@gmail.com> wrote:
>
> Hey,
> Can you please tell me how I get the IP address in or before ssl_certificate_by_lua?

ssl.raw_client_addr()

https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#raw_client_addr

Note that this will return an incorrect address if you use a haproxy
or similar system with proxy protocol in front of your nginx.

Rainer
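Putting Rainer's two replies together, here is an added example (not code from the thread, from OpenResty or from lua-resty-core) of aborting the handshake for a known-bad client address inside ssl_certificate_by_lua_block, using `ssl.raw_client_addr()` from the `ngx.ssl` module linked above. The thread suggests `ngx.exit(ngx.HTTP_FORBIDDEN)`; the lua-nginx-module documentation uses `ngx.exit(ngx.ERROR)` to terminate the handshake, which is what this example uses. The certificate paths and the blocklist entries are placeholders, and the dynamic certificate generation the original poster does is left out.

```nginx
# Added example: reject known-bad client IPs during the TLS handshake,
# before any certificate is generated or served.
server {
    listen 443 ssl;
    server_name _;

    # nginx still requires a static fallback certificate here; the real one
    # would be set from Lua. Paths are placeholders.
    ssl_certificate     /path/to/fallback.crt;
    ssl_certificate_key /path/to/fallback.key;

    ssl_certificate_by_lua_block {
        local ssl = require "ngx.ssl"

        -- Constructed blocklist (RFC 5737 documentation addresses). A real
        -- deployment would keep this in a shared dict or external store so
        -- it can be updated without a reload.
        local blocked = {
            ["203.0.113.7"]   = true,
            ["198.51.100.23"] = true,
        }

        -- Returns the TCP peer address as a string plus its family
        -- ("inet", "inet6" or "unix"); no request headers exist yet.
        local addr, addr_type, err = ssl.raw_client_addr()
        if not addr then
            ngx.log(ngx.ERR, "failed to get client address: ", err)
            return ngx.exit(ngx.ERROR)
        end

        -- This is the address of whatever opened the TCP connection. Behind
        -- haproxy or another proxy-protocol front end it is the proxy's
        -- address, not the end client's, as Rainer notes above.
        if (addr_type == "inet" or addr_type == "inet6") and blocked[addr] then
            ngx.log(ngx.WARN, "aborting TLS handshake for blocked client ", addr)
            -- The client sees a TLS failure; no HTTP response is possible here.
            return ngx.exit(ngx.ERROR)
        end

        -- Dynamic certificate selection (not shown) would follow here, e.g.
        -- ssl.clear_certs(), ssl.set_der_cert(...), ssl.set_der_priv_key(...).
    }

    location / {
        return 200 "ok\n";  # placeholder for the real application
    }
}
```

Because the rejection happens before the HTTP layer exists, the only evidence a blocked client gets is a failed handshake, and the only evidence you get is the error-log line, so log the address there if you need to audit the decision later.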