LUA evaluated before other rules

aflorescu · 2016-03-15T05:11:30+00:00

On Thursday, 17 March 2016 02:08:55 UTC+2, agentzh wrote:Hello! On Wed, Mar 16, 2016 at 2:54 PM, Aapo Talvensaari wrote: > I have actually seen that...

LUA evaluated before other rules

aflorescu

Hi there,

I have the following rules in nginx:

server {
[...]
include /usr/local/openresty/nginx/whitelist;
deny all;

location / {
auth_basic "private";
auth_basic_user_file /usr/local/openresty/nginx/htpasswd;

    rewrite_by_lua '
       if ngx.var.request_method == "POST" then
         ngx.req.read_body()
         local body = ngx.req.get_body_data()

        if body then
          local select = "keyword"
          local match = ngx.re.match(body, select, "jo")
         if not match then
          ngx.exit(400)
         end
        end
       end
    ';

    proxy_pass http://backend;
 }
}

The problem is "deny all" and "auth_basic" come in effect only if the POST body contains the matching keyword. In other words, LUA matches first and if it is successful, only then it will check if the IP is whitelisted or if the request contains auth_basic.

Which is weird, I would have expected the following flow:

1. check whitelist

2. check auth_basic

3. check lua match

instead it's:

1. check lua match

2. check whitelist

3. check auth_basic

Is this normal or is there something wrong with my conf?

rpaprocki

Rewrite phase handlers run before access phase handler (which is where auth_basic runs). You should move your lua block to an access_by_lua handler.

On Mar 14, 2016, at 14:11, aflo...@tremend.ro wrote:

Hi there,

I have the following rules in nginx:

server { [...] include /usr/local/openresty/nginx/whitelist; deny all; location / { auth_basic "private"; auth_basic_user_file /usr/local/openresty/nginx/htpasswd; rewrite_by_lua ' if ngx.var.request_method == "POST" then ngx.req.read_body() local body = ngx.req.get_body_data() if body then local select = "keyword" local match = ngx.re.match(body, select, "jo") if not match then ngx.exit(400) end end end '; proxy_pass http://backend; } }

The problem is "deny all" and "auth_basic" come in effect only if the POST body contains the matching keyword. In other words, LUA matches first and if it is successful, only then it will check if the IP is whitelisted or if the request contains auth_basic.
Which is weird, I would have expected the following flow:
1. check whitelist
2. check auth_basic
3. check lua match

instead it's:
1. check lua match
2. check whitelist
3. check auth_basic

Is this normal or is there something wrong with my conf?

.

aflorescu

Well that was straight forward :)

Thanks!

On Monday, March 14, 2016 at 9:52:20 PM UTC, rpaprocki wrote:

Rewrite phase handlers run before access phase handler (which is where auth_basic runs). You should move your lua block to an access_by_lua handler.