On Sat, Jun 20, 2015 at 9:54 AM, Yichun Zhang (agentzh)
<age...@gmail.com> wrote:
> Hello!
>
> On Fri, Jun 19, 2015 at 10:20 PM, Vader Mader wrote:
>> However, my problem is that set_encrypt_session actually runs in the
>> rewrite phase before my authentication back end like this:
>>
>> location / {
>>     root /var/www;
>>     index index.html index.htm;
>>
>>     set_encrypt_session $enc_auth_tok $new_auth_tok;
>>     set_encode_base32 $b32 $enc_auth_tok;
>>
>>     auth_request /auth;
>>     auth_request_set $new_auth_tok $upstream_http_auth_tok;
>>
>>     add_header Set-Cookie $cond_cookie_k$cond_cookie_v;
>> }
>>
>> Is there any way to encrypt after the access phase?
>>
>
> Yes, but your configuration needs a rework with a little bit of Lua.
>
> Basically you can use the access_by_lua or access_by_lua_file
> directive to replace your auth_request* and set_decrypt_session
> directives in that location. The ndk.set_var.DIRECTIVE API [1]
> provided by Lua can be used to invoke the set_decrypt_session and
> set_decode_base32 directives directly from within Lua. And you can
> mimic auth_request with ngx.location.capture() [2] for example, or
> better, directly re-implement the logic in location /auth directly to
> save the overhead of a subrequest (initiated by auth_request or
> ngx.location.capture).
>
> With the help of Lua, you don't have to fight nginx directives'
> running orders and you have the full scripting capabilities at the
> same time with little extra overhead.

Thanks for your reply.

Is there any way to combine auth_request and xxx_by_lua?
My thought was to limit Lua overhead unless a new token is
issued.

I experimented with something like the following, but the
Lua code always seems to run but variables set in the script
aren't returned.

location = /auth {
    set_decode_base32 $b32 $cookie_my_login;
    set_decrypt_session $auth_tok $b32;
    if ($auth_tok != '') {
        return 200;
    }
    include fastcgi_params;
    fastcgi_pass unix:/tmp/fcgi_auth_tok_gen.sock;
    access_by_lua '
        local enc = ngx.set_var.set_encrypt_session(new_auth_tok)
        local b32 = ngx.set_var.set_encode_base32(enc)
        ...
    ';
}
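
The rework suggested in the quoted reply, written out as an added example (not code from the thread or from the module authors): the cookie check, the subrequest to /auth and the encryption of a newly issued token all run in one access-phase Lua block, so the token exists before it is encrypted. The `Auth-Tok` header spelling, the cookie attributes, the use of `access_by_lua_block` and the session key/IV being configured elsewhere are assumptions.

```nginx
# Added example. Assumes encrypted_session_key and encrypted_session_iv are
# set at http/server level, and that the backend returns the new token in a
# response header spelled exactly "Auth-Tok" ($upstream_http_auth_tok above).
location / {
    root  /var/www;
    index index.html index.htm;

    access_by_lua_block {
        -- 1. Accept an existing cookie if it decodes and decrypts.
        local cookie = ngx.var.cookie_my_login
        if cookie and cookie ~= "" then
            -- The cookie is client-controlled: pcall keeps a directive
            -- error on malformed input from becoming a 500.
            local ok, tok = pcall(function()
                local raw = ndk.set_var.set_decode_base32(cookie)
                return ndk.set_var.set_decrypt_session(raw)
            end)
            if ok and tok and tok ~= "" then
                return  -- valid, unexpired session: skip the backend
            end
        end

        -- 2. Otherwise ask the backend, as auth_request would.
        local res = ngx.location.capture("/auth")
        if res.status == ngx.HTTP_UNAUTHORIZED
           or res.status == ngx.HTTP_FORBIDDEN then
            return ngx.exit(res.status)
        end
        local new_tok = res.header["Auth-Tok"]
        if res.status < 200 or res.status >= 300
           or type(new_tok) ~= "string" or new_tok == "" then
            return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        -- 3. The token exists now, so encryption is ordered correctly.
        local enc = ndk.set_var.set_encrypt_session(new_tok)
        local b32 = ndk.set_var.set_encode_base32(enc)
        -- Cookie attributes are assumptions, not from the thread.
        ngx.header["Set-Cookie"] = "my_login=" .. b32
            .. "; Path=/; HttpOnly; Secure"
    }
}

location = /auth {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/tmp/fcgi_auth_tok_gen.sock;
}
```

With a valid cookie the request costs only the decode and decrypt calls; the FastCGI backend is contacted only when a token has to be issued.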