Hello,
I would like to use openresty as an authentication/authorization gateway based on the (client) SSL certificate and proxy the request to a backend node (using SSL, including websocket connections).
To give some context, I would like to do the following when the client connects to openresty:
1) Terminate the TLS connection and verify that the client certificate is valid
2) retrieve some headers (if any) and the CN of the user
3) connect to the lru cache or redis to do some verification
4) check in the (encrypted) cookie whether the client has a valid token (if any)
5) set the client certificate in a header
6) proxy pass to the appropriate backend based on the SNI (using https, not http)
On this frontend, I will have 3 locations, /login and /logout, and then proxy_pass everything else.
I will use "lua-resty-redis" for point "3".
I will try this Lua module example for the cookie (point "4"):
https://gist.github.com/mbyczkowski/9b64652e3472ec8a463069db8b84ae7f
Based on the configuration below, should I use "access_by_lua_file", or is there a better way to approach the scenario described at the beginning?
Example of configuration
<pre><code>
server {
    listen 443 ssl default_server;
    ssl_certificate server.test.cert.pem;
    ssl_certificate_key server.test.key;
    ssl_client_certificate server.test.ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_protocols TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # proxy_pass is not valid at server level, and try_files needs a file
    # argument before the named-location fallback. Everything that is not
    # /login or /logout is handled directly by this location instead.
    location / {
        # declared here so the Lua access handler can assign ngx.var.targetBackend
        set $targetBackend "";

        # only one access_by_lua_file is allowed per location; the cookie
        # module has to be require()d from this single entry script
        access_by_lua_file path/to/redis/module.lua;

        proxy_pass https://$targetBackend;
        proxy_ssl_certificate /etc/nginx/client.pem;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # proxy_ssl_verify on needs a CA bundle to verify the backend against
        proxy_ssl_trusted_certificate /etc/nginx/PLACEHOLDER-backend-ca.pem;
        proxy_ssl_session_reuse on;
    }
}
</code></pre>
Thanks
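As an added illustration of the six steps listed in the question (this is example code, not from the original post, the gist, or the OpenResty project), here is what a single `access_by_lua_file` script for the proxy location can look like. It uses only standard `ngx.var` variables that nginx exposes after `ssl_verify_client on` (`ssl_client_verify`, `ssl_client_s_dn`, `ssl_client_escaped_cert`, `ssl_server_name`) plus lua-resty-redis. The Redis key layout (`revoked:<CN>`, `token:<value>`), the cookie name `session`, the forwarded header names and the SNI-to-backend table are all assumptions made for the example; the real cookie check would be done by the encrypted-cookie module the post plans to use.

```lua
-- access.lua: example access-phase handler (added illustration, not code from the post).
-- Assumptions (hypothetical): Redis on 127.0.0.1:6379 with "revoked:<CN>" and
-- "token:<value>" keys, a cookie named "session", and a static SNI -> backend map.
-- The nginx location must declare: set $targetBackend "";

local redis = require "resty.redis"

-- Constructed SNI -> upstream map; a real deployment would load this from config.
local backends = {
    ["app.example.test"] = "10.0.0.10:8443",
    ["api.example.test"] = "10.0.0.11:8443",
}

local function deny(status, reason)
    ngx.log(ngx.WARN, "access denied: ", reason)
    return ngx.exit(status)
end

-- 1) nginx has already done the handshake; re-check its verification result
--    here so a misconfigured "ssl_verify_client optional" can never slip through.
local verify = ngx.var.ssl_client_verify or "NONE"
if verify ~= "SUCCESS" then
    return deny(ngx.HTTP_FORBIDDEN, "client certificate not verified: " .. verify)
end

-- 2) pull the CN out of the subject DN ("CN=alice,O=Example,...")
local dn = ngx.var.ssl_client_s_dn or ""
local cn = dn:match("CN=([^,]+)")
if not cn then
    return deny(ngx.HTTP_FORBIDDEN, "subject DN has no CN: " .. dn)
end

-- 3) Redis lookups via lua-resty-redis; the connection goes back to the pool
local red = redis:new()
red:set_timeout(1000)
local ok, err = red:connect("127.0.0.1", 6379)
if not ok then
    ngx.log(ngx.ERR, "redis connect failed: ", err)
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end

-- a nil reply is a transport error; ngx.null means "key absent"
local revoked, rerr = red:get("revoked:" .. cn)
if revoked == nil then
    ngx.log(ngx.ERR, "redis get failed: ", rerr)
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
if revoked ~= ngx.null then
    red:set_keepalive(10000, 100)
    return deny(ngx.HTTP_FORBIDDEN, "certificate CN is revoked: " .. cn)
end

-- 4) session cookie: nginx exposes each cookie as $cookie_<name>. The value is
--    validated for shape before it is used as part of a key, then resolved to the
--    CN it was issued for so a token cannot be replayed with a different certificate.
local token = ngx.var.cookie_session
local token_cn = ngx.null
if token and #token <= 128 and token:match("^[%w%-_]+$") then
    token_cn, rerr = red:get("token:" .. token)
    if token_cn == nil then
        ngx.log(ngx.ERR, "redis get failed: ", rerr)
        return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
    end
end
red:set_keepalive(10000, 100)

if token_cn == ngx.null or token_cn ~= cn then
    -- no usable token yet: send the client to the /login location
    return ngx.redirect("/login")
end

-- 5) forward the certificate and CN. set_header overwrites any copy the client
--    sent, so the backend only ever sees values written by this gateway.
ngx.req.set_header("X-Client-Cert", ngx.var.ssl_client_escaped_cert) -- URL-encoded PEM, nginx >= 1.13.5
ngx.req.set_header("X-Client-CN", cn)

-- 6) choose the upstream from the SNI the client presented
local sni = ngx.var.ssl_server_name
local backend = sni and backends[sni:lower()]
if not backend then
    return deny(ngx.HTTP_NOT_FOUND, "no backend for SNI: " .. tostring(sni))
end
ngx.var.targetBackend = backend -- consumed by proxy_pass https://$targetBackend
```

The script returns early on every failure path, so a request only reaches `proxy_pass` after all six checks have passed; the `/login` and `/logout` locations are separate and would not include this handler. Because `proxy_pass` uses a variable, nginx will need a `resolver` directive if the map ever contains hostnames rather than IP addresses.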