nginx authmemcookie approach

martin.gee · 2014-12-05T09:45:21+00:00

Hello! On Thu, Dec 4, 2014 at 4:15 AM, rvsw wrote: > I added the following in header_filter_by_lua > ngx.log(ngx.ERR, "ngx.var.proxy_host ",...

nginx authmemcookie approach

martin.gee

I'm using authmemcookie as a standard to put data in memcached.

In my nginx conf (lua code) I retrieve / tokenize the memcookie session. Using "Groups", I would like to restrict access to certain location blocks based on a Groups entry. E.g. Employee.

server {

server_name app1.spg-dev.icsynergy.info;

listen 443;

set $Groups '';

# get session from memcached. Use ngx.var.Groups = 'Employee:Everyone' ...

access_by_lua_file conf/authSession.lua;

# set headers retrieved from memcached session

proxy_set_header groups $Groups;

location /fidata {

# THIS NEVER WORKS

if ($Groups !~* 'Employee') {

return 401;

}

proxy_pass http://127.0.0.1:8080;

}

Q) In apache there is a Auth_memCookie module that uses the "require" directive. Is there something like that in NGINX / Lua?

Q) I'm pretty the failing if ($Groups) is a phase problem. Which phase should the lua code be run?

Q) I'll likely have many location blocks. Is there cleaner approach?

agentzh

Hello!

On Thu, Dec 4, 2014 at 8:17 AM, Martin Gee wrote:
> server {
[...]
>     access_by_lua_file conf/authSession.lua;
>

Be careful with access_by_lua_file directly on the server {} (or even
http {}) block level. Because it will get inherited by *all* the
containing locations including those for error_page redirection.

>
> Q) In apache there is a Auth_memCookie module that uses the "require"
> directive.  Is there something like that in NGINX / Lua?

Well, you can use Lua for such things, for example,

    location /myprotectedurl {
        access_by_lua 'require("authsession").require("valid-user")';
    }

    location /myprotectedurlgroup1 {
        access_by_lua 'require("authsession").require("group", "group1")';
    }

> Q) I'm pretty the failing if ($Groups) is a phase problem. Which phase
> should the lua code be run?

Avoid the evil if's. Do all the logic in Lua (in your authsession Lua module).

> Q) I'll likely have many location blocks.  Is there cleaner approach?
>

See above. We can make things even simpler by defining a global Lua
function named auth_require() in init_by_lua though use of custom Lua
global variables is generally discouraged for (big) Lua apps. For
example,

    init_by_lua '
        local authsession = require("authsession")
        auth_require = authsession.require  -- define a Lua global!
    ';

And then

    location /myprotectedurl {
        access_by_lua 'auth_require("valid-user")';
    }

    location /myprotectedurlgroup1 {
        access_by_lua 'auth_require("group", "group1")';
    }

We can simplify this further if nginx's configuration language
supports macros :)

Regards,
-agentzh