need some guidance
87 views
Skip to first unread message
abc def
Jun 30, 2021, 6:04:33 AM6/30/21
to openresty-en
Hello,
I would like to use openresty as a authentication/authorization gateway based on (client) SSL certificate and proxy the request to a backend node ( using SSL, including websocket connections)
To give some context, I would like to do the following when the client connect to openresty:
I will use "lua-resty-redis" for point "3"
I will try this lua module example for the cookie https://gist.github.com/mbyczkowski/9b64652e3472ec8a463069db8b84ae7f for point "4".
Based on the configuration below, should I use "access_by_lua_file" or is there a better way to approach the scenario described at the beginning ?
Example of configuration
}
location @proxy {
access_by_lua_file path/to/redis/module.lua
access_by_lua_file path/to/cookie/module.lua
Thanks
I would like to use openresty as a authentication/authorization gateway based on (client) SSL certificate and proxy the request to a backend node ( using SSL, including websocket connections)
To give some context, I would like to do the following when the client connect to openresty:
1) Terminate the TLS connection and verify that the client certificate is valid
2) retrieve some headers (if any ) and the CN of the user
3) connect to lru cache or redis to do some verification
4) check in the (encrypted) cookie if the client have a valid token ( if any )
5) set the client certificate in the header
6) proxy pass to the appropriate backend based on the SNI ( using https, not http )
On this frontend, I will have 3 locations /login /logout and then proxypass everything else.
6) proxy pass to the appropriate backend based on the SNI ( using https, not http )
On this frontend, I will have 3 locations /login /logout and then proxypass everything else.
I will use "lua-resty-redis" for point "3"
I will try this lua module example for the cookie https://gist.github.com/mbyczkowski/9b64652e3472ec8a463069db8b84ae7f for point "4".
Based on the configuration below, should I use "access_by_lua_file" or is there a better way to approach the scenario described at the beginning ?
Example of configuration
<pre><code>
proxy_pass 127.0.0.1:8000server {
listen 443 ssl default_server;
ssl_certificate server.test.cert.pem;
ssl_certificate_key server.test.key;
ssl_client_certificate server.test.ca.pem;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_protocols TLSv1.3;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
}
try_files @proxy;
location @proxy {
access_by_lua_file path/to/redis/module.lua
access_by_lua_file path/to/cookie/module.lua
add_header
X-Client-Cert $ssl_client_cert;
map $ssl_preread_server_name $targetBackend {
~^(?<app>.+)-(?<namespace>.+).mydomain.com$ $app-public.$namespace.internal.com:8443;
}
map $ssl_preread_server_name $targetBackend {
~^(?<app>.+)-(?<namespace>.+).mydomain.com$ $app-public.$namespace.internal.com:8443;
}
proxy_pass https://$targetBackend ;
proxy_ssl_session_reuse on;
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
</code></pre>
Thanks
jona...@findmeon.com
Aug 11, 2021, 3:56:18 PM8/11/21
to openresty-en
Just above the openresty docs for `lua_load_resty_core` is a graphic about the request lifecycle:
https://github.com/openresty/lua-nginx-module/#lua_load_resty_core
https://github.com/openresty/lua-nginx-module/#lua_load_resty_core
You may be able to do everything in an access_ hook, or you may also want to ALSO use an earlier ssl_ hook or later content_ hook.
Sometimes you need to use multiple hooks to accomplish your task.
Sometimes you need to use multiple hooks to accomplish your task.
Reply all
Reply to author
Forward
0 new messages