need some guidance

34 views
Skip to first unread message

abc def

unread,
Jun 30, 2021, 6:04:33 AMJun 30
to openresty-en
Hello, 

I would like to use openresty as a authentication/authorization gateway based on (client) SSL certificate and proxy the request to a backend node ( using SSL,  including websocket connections) 

To give some context, I would like to do the following when the client connect to openresty:

1) Terminate the TLS connection and verify that the client certificate is valid
2) retrieve some headers (if any ) and the CN of the user
3) connect to lru cache or redis to do some verification
4) check in the (encrypted) cookie if the client have a valid token ( if any )
5) set the client certificate in the header
6) proxy pass to the appropriate backend based on the SNI ( using https, not http )

On this frontend, I will have 3 locations /login /logout and then proxypass everything else.

I will use "lua-resty-redis" for point "3" 

I will try this lua module example  for the cookie https://gist.github.com/mbyczkowski/9b64652e3472ec8a463069db8b84ae7f  for point "4".

Based on the configuration below, should I use  "access_by_lua_file" or is there a better way to approach the scenario described at the beginning ? 

Example of configuration 

<pre><code>

server {
        listen       443 ssl default_server;
        ssl_certificate  server.test.cert.pem;
        ssl_certificate_key server.test.key;
        ssl_client_certificate server.test.ca.pem;
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_protocols TLSv1.3;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        location /login {
            proxy_pass 127.0.0.1:8000
         } 

         location /logout {
             proxy_pass 127.0.0.1:8000
         } 

         try_files @proxy;

         location @proxy {
              access_by_lua_file  path/to/redis/module.lua
              access_by_lua_file path/to/cookie/module.lua

              add_header  X-Client-Cert   $ssl_client_cert;

              map $ssl_preread_server_name $targetBackend {
                    ~^(?<app>.+)-(?<namespace>.+).mydomain.com$    $app-public.$namespace.internal.com:8443;
             }

              proxy_pass  https://$targetBackend ;
              proxy_ssl_session_reuse on;
              proxy_ssl_certificate /etc/nginx/client.pem;
              proxy_ssl_verify on;
              proxy_ssl_verify_depth 2;
              proxy_ssl_session_reuse on;
        }

</code></pre>


Thanks







jona...@findmeon.com

unread,
Aug 11, 2021, 3:56:18 PMAug 11
to openresty-en
Just above the openresty docs for `lua_load_resty_core` is a graphic about the request lifecycle:

     https://github.com/openresty/lua-nginx-module/#lua_load_resty_core

You may be able to do everything in an access_ hook, or you may also want to ALSO use an earlier ssl_ hook or later content_ hook.

Sometimes you need to use multiple hooks to accomplish your task.
Reply all
Reply to author
Forward
0 new messages