nginx+lua(openresty)实现黑/白名单权限控制的示例
openresty在nginx基础上集成了很多功能,比如可以直接调用redis,mysql,http接口等服务,比较流行的网关kong就是通过openresty实现的。日常开发和运维离不开nginx,实现稍微复杂的功能:简单权限控制,灰度发布等就可以通过openresty实现。
本文通过openresty定时器定期请求http接口获取更新的黑名单数据,过滤用户并做进一步的判断(结合实际的业务需求)进行权限管控。话不多说,直接上nginx.conf代码如下。
user root; worker_processes auto; worker_cpu_affinity auto; error_log logs/error.log error; worker_rlimit_nofile 30000; pid logs/nginx.pid; events { use epoll; worker_connections 65535; } http { #include mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; server_tokens off; underscores_in_headers on; keepalive_timeout 10; send_timeout 60; include /usr/local/nginx/conf/online/*.conf; #下面四行和lua相关,重点看一下 lua_shared_dict portalCache 10m;#多进程共享内存变量 lua_shared_dict commonCache 1m; init_by_lua_file /home/www/example/lua/api_init.lua;#初始化全局变量 init_worker_by_lua_file /home/www/example/lua/api_timer.lua; #启动定时器定期调用接口 upstream portalBackend { server xxx weight=3; server xxx weight=1; } upstream labelBackend { server xxx; server xxx; } upstream portalBackendOnQlikTicket { server xxx; server xxx; } upstream portalClient { server xxx; server xxx; } upstream portalAdmin { server xxx; server xxx; } upstream labelFrontend { server xxx; server xxx; } upstream bigScreen { server xxx; server xxx; } upstream mobile { server xxx; server xxx; } upstream portalMobile { server xxx; server xxx; } server { listen 80; server_name localhost hportal-uat.hikvision.com.cn; #charset koi8-r; #access_log logs/host.access.log main; location / { proxy_pass http://portalClient; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-real-ip $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPT IONS'; add_header Access-Control-Allow-Credentials 'true'; add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Aliv e,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Autho rization,Origin,Accept'; } location /ptclient { proxy_pass http://portalClient/ptclient; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-real-ip $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPT IONS'; add_header Access-Control-Allow-Credentials 'true'; add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Aliv e,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Autho rization,Origin,Accept'; } location /ptadmin { proxy_pass http://portalAdmin/ptadmin; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-real-ip $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /api/ { #...............error.log......notice rewrite_log on; #............... rewrite ^/api/(.*)$ /$1 break; proxy_pass http://portalBackend; proxy_http_version 1.1; proxy_redirect off; proxy_set_header Host $host; proxy_set_header Origin ''; proxy_set_header X-real-ip $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS'; add_header Access-Control-Allow-Credentials 'true'; add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,A uthorization,Origin,Accept'; } location /api/checkVmPermission { default_type text/html; access_by_lua_file /home/www/example/lua/api_access.lua; } location /api/test { content_by_lua_block { local portalCache = ngx.shared.portalCache; ngx.say(portalCache:get("userAccountList")) } } location @router{ rewrite ^.*$ /index.html last; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } } #上述代码段中的接口只需要关注 /api/checkVmPermission和/api/test 即可。
api_init.lua代码如下所示:
json = require "cjson.safe" http = require("resty.http") interval = 60 portalCache = ngx.shared.portalCache ipList = {"xxx.xxx.xxx.xxx","xxx.xxx.xxx.xxx"......} portalCache:set("flag", true) portalCache:set("ipList", json.encode(ipList))
api_timer.lua代码如下所示:
local function newClient() local httpC = http.new() return httpC end local handler = function (premature) local httpc = newClient() local resp,err = httpc:request_uri("http://10.10.10.10:8080", { method = "GET", path = "/xxx/xxx", --请求的校验字段 headers = { ["VM_HEADER"] = "xxxxx" } }) --array为类型table,需要序列化之后才能存入portalCache local array = json.decode(resp.body).data portalCache:set("userAccountList", json.encode(array)) end --只有一个进程负责定时任务 if 0 == ngx.worker.id() then local ok, err = ngx.timer.every(interval, handler) if not ok then log(ERR, "failed to get userAccountList: ", err) return end end
api_access.lua代码如下所示:
function account_is_include(value, tab) --string 转table local table = json.decode(tab) for k,v in ipairs(table) do if string.lower(v) == string.lower(value) then return true end end return false end function ip_is_include(value, tab) for k,v in ipairs(tab) do if string.find(value, v) ~= nil then return true end end return false end local function newClient() local httpC = http.new() return httpC end local handler = function (premature) local httpc = newClient() local resp,err = httpc:request_uri("http://xx.xx.xx.xx:xxxx", { method = "GET", path = "/xxx/xxx", headers = { ["VM_HEADER"] = "xxx" } }) local array = json.encode(json.decode(resp.body).data) portalCache:set("userAccountList", array) end --nginx启动时先调用一次 if portalCache:get("flag") then portalCache:set("flag", false) handler() end check_userAccount = portalCache:get("userAccountList") check_ip = json.decode(portalCache:get("ipList")) if nil == check_userAccount or nil == check_ip then return ngx.exit(500) end local headers = ngx.req.get_headers() local userAccount = headers["userAccount"] if userAccount == nil then return ngx.exit(401) end if account_is_include(userAccount, check_userAccount) then local clientIP = headers["x-forwarded-for"] if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then clientIP = headers["Proxy-Client-IP"] end if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then clientIP = headers["WL-Proxy-Client-IP"] end if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then clientIP = ngx.var.remote_addr end -- ...............IP......IP,..IP..','.. if clientIP ~= nil and string.len(clientIP) >15 then local pos = string.find(clientIP, ",", 1) clientIP = string.sub(clientIP,1,pos-1) end if clientIP == nil then return ngx.exit(500) end if ip_is_include(clientIP, check_ip) then return ngx.say(userAccount .. " " .. "Welcome to Hportal! (VM-IP:" .. clientIP ..")") else ngx.status = 403 ngx.say("Error! Restricted permissions! Your IP is " .. clientIP .. ". Make sure your IP is within this range: " .. json.encode(check_ip)) end else ngx.say(userAccount .. " " .. "Welcome to Hportal!") end
最后实现效果如下所示:
常见问题汇总:
1.init_worker_by_lua_file error: /usr/local/openresty/lualib/resty/http.lua:133: API disabled in the context of init_worker_by_lua*
stack traceback:
[C]: in function 'ngx_socket_tcp'
/usr/local/openresty/lualib/resty/http.lua:133: in function 'new'
/home/www/example/lua/api_timer.lua:6: in function 'newClient'
/home/www/example/lua/api_timer.lua:21: in function 'getUserAccountTask'
/home/www/example/lua/api_timer.lua:35: in main chunk
答:在init_worker_by_lua...中不能直接调报表http的函数,必须在定时器里面调用。
2.json.decode(resp.body).data (table类型)无法直接放入公共缓存变量的value中
答:set时需要将table转为string,get时再转为table。
3. 如何访问http接口
答:推荐使用httpc,openresty本身不支持,需要在/usr/local/openresty/lualib/resty目录下引入以下三个文件:https://github.com/ledgetech/lua-resty-http/tree/master/lib/resty
4.如何获取请求真实ip地址?
local headers=ngx.req.get_headers() local clientIP = headers["x-forwarded-for"] if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then clientIP = headers["Proxy-Client-IP"] end if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then clientIP = headers["WL-Proxy-Client-IP"] end if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then clientIP = ngx.var.remote_addr end -- 对于通过多个代理的情况,第一个IP为客户端真实IP,多个IP按照','分割 if clientIP ~= nil and string.len(clientIP) >15 then local pos = string.find(clientIP, ",", 1) clientIP = string.sub(clientIP,1,pos-1) end
到此这篇关于nginx+lua(openresty)实现黑/白名单权限控制的示例的文章就介绍到这了,更多相关nginx 黑/白名单权限控制内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!
最新评论