OpenResty vs Nginx Plus Decision

jvburnes · 2018-06-28T06:44:29+00:00

I am trying to find which is the best way to implement this "private API" architecture in terms of speed (performance). This is the problem I am trying to so...

OpenResty vs Nginx Plus Decision

jvburnes

Hi,

I'm working on a security architecture model for an API gateway based on Nginx. We need to do authentication at the gateway. Authentication types are 'local', 'LDAP/AD' and OIDC.

The architecture group for some reason is preferring Nginx Plus. I've not decided but it looks like OpenResty provides the same or more functionality. (I'll admit I'm a fan of LuaJIT having written an OS with it :)

I know the OIDC plugin for Resty does the authentication, JWT session token and session management in the plugin and presents an authentication or userinfo header to the upstream services.

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

How would this model be any different or difficult on Nginx Plus?

BTW: I've already suggested maybe Kong to do much of the heavy lifting, but they thought it was too heavy weight.

Thank you very much for any help.

Jim Burnes

cooper

As an employee of Kong, I'd love to hear more details on why your colleagues think that Kong may be too heavy weight - can you share? If you'd prefer to keep this thread on-topic, please feel free to post your response in https://discuss.konghq.com/

We gain many users who tell us "I love how lightweight Kong is!" :)

Given your possible interest in Kong + OIDC and JWT, you may find this useful, or at least interesting https://discuss.konghq.com/t/community-plugins-optum-public-kong-plugins/1214

Thanks in advance, Cooper

Cooper Marcus, Director of Ecosystem at Kong

co...@konghq.com

https://KongHQ.com

On Wednesday, June 27, 2018 at 3:44:29 PM UTC-7, Jim Burnes wrote:

Hi,

I'm working on a security architecture model for an API gateway based on Nginx. We need to do authentication at the gateway. Authentication types are 'local', 'LDAP/AD' and OIDC.

The architecture group for some reason is preferring Nginx Plus. I've not decided but it looks like OpenResty provides the same or more functionality. (I'll admit I'm a fan of LuaJIT having written an OS with it :)

I know the OIDC plugin for Resty does the authentication, JWT session token and session management in the plugin and presents an authentication or userinfo header to the upstream services.

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

How would this model be any different or difficult on Nginx Plus?

BTW: I've already suggested maybe Kong to do much of the heavy lifting, but they thought it was too heavy weight.

Thank you very much for any help.

Jim Burnes

jvburnes

Cooper,

Yeah I'm not really sure what their reasoning was. Initially they said they didn't need it because their API wasn't REST-orineted. I thought, "Well if you expose it via a REST gateway, by default it's REST oriented". I also was wondering how they were going to manage the ACLS on the API. Manually configure them? I was a bit confused because I read your online docs on the OIDC plugin it seemed like a pretty clean solution. My only question was (because I hadn't programmed OpenResty plugins before) how do you integrate the upstream x-userinfo headers with non-OIDC authentication methods. For that matter how do you integrate session management also. The obvious, but heavyweight solution is to create OIDC providers for your other authentication methods and treat everyone the same.

I'm an application security engineer, so even though I'm a software engineer I don't program the API authentication. I just help the devs pick compliant security solutions and try to enforce compliance.

On Wed, Jun 27, 2018 at 6:12 PM Cooper Marcus <co...@konghq.com> wrote:

As an employee of Kong, I'd love to hear more details on why your colleagues think that Kong may be too heavy weight - can you share? If you'd prefer to keep this thread on-topic, please feel free to post your response in https://discuss.konghq.com/

We gain many users who tell us "I love how lightweight Kong is!" :)

Given your possible interest in Kong + OIDC and JWT, you may find this useful, or at least interesting https://discuss.konghq.com/t/community-plugins-optum-public-kong-plugins/1214

Thanks in advance, Cooper

--
Cooper Marcus, Director of Ecosystem at Kong
co...@konghq.com
https://KongHQ.com

On Wednesday, June 27, 2018 at 3:44:29 PM UTC-7, Jim Burnes wrote:
Hi,

I'm working on a security architecture model for an API gateway based on Nginx. We need to do authentication at the gateway. Authentication types are 'local', 'LDAP/AD' and OIDC.

The architecture group for some reason is preferring Nginx Plus. I've not decided but it looks like OpenResty provides the same or more functionality. (I'll admit I'm a fan of LuaJIT having written an OS with it :)

I know the OIDC plugin for Resty does the authentication, JWT session token and session management in the plugin and presents an authentication or userinfo header to the upstream services.

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

How would this model be any different or difficult on Nginx Plus?

BTW: I've already suggested maybe Kong to do much of the heavy lifting, but they thought it was too heavy weight.

Thank you very much for any help.

Jim Burnes

.

peter_booth

You know it’s pretty common for technologists to make decisions based on fear or fashion rather than logic. I have no personal stake in the game. I’m a huge fan of nginx and a huge fan of openresty and I have no experience with nginx plus. The team that builds nginx plus is superb. The developer of openresty is superb.

When I really depended upon openresty I was shocked that every one of my crazy use cases was supportable. At that time, if nginx plus had been available I’m sure that my then client would have much preferred to pay for support. Sometimes it’s just about what the organization can handle.

Peter

Sent from my iPhone

On Jun 27, 2018, at 6:44 PM, Jim Burnes <jvb...@gmail.com> wrote:

Hi,

I'm working on a security architecture model for an API gateway based on Nginx. We need to do authentication at the gateway. Authentication types are 'local', 'LDAP/AD' and OIDC.

The architecture group for some reason is preferring Nginx Plus. I've not decided but it looks like OpenResty provides the same or more functionality. (I'll admit I'm a fan of LuaJIT having written an OS with it :)

I know the OIDC plugin for Resty does the authentication, JWT session token and session management in the plugin and presents an authentication or userinfo header to the upstream services.

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

How would this model be any different or difficult on Nginx Plus?

BTW: I've already suggested maybe Kong to do much of the heavy lifting, but they thought it was too heavy weight.

Thank you very much for any help.

Jim Burnes

.

jonathan

On Wednesday, June 27, 2018 at 6:44:29 PM UTC-4, Jim Burnes wrote:

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

Last I checked, there were a few OIDC implementations for OpenResty. Many OpenResty packages, including the top OIDC search result I looked at, tend to be written with two types of functionality:

* library methods
* (typically short) logic flows for the nginx/openresty hooks

instead of forking a plugin, many people will just write a custom hook that reimplements the packaged hook slightly differently

I'm an application security engineer, so even though I'm a software engineer I don't program the API authentication. I just help the devs pick compliant security solutions and try to enforce compliance.

i switched from nginx to openresty a few years ago just to get dynamic ssl certificate functionality (query a backend for the certificate matching the SNI). It took me a few hours to learn enough lua and openresty to prototype a v1, and under a day to finalize it with a multi-tiered cache. the point: it's really fast to prototype a proof-of-concept.

If i were in your position, I'd ask the app devs to do a quick 2-3hr prototype on how they envision the integration in each platform, then take a look at the implementation/libraries for glaring errors.

jvburnes

I was thinking the same thing. Use a custom hook/shim to select and invoke the proper authentication plugin then send the proper x-userinfo assertion upstream.

Then it's just a matter of synchronizing session management. I'll suggest it.

thx

On Wed, Jun 27, 2018 at 11:58 PM <jon...@findmeon.com> wrote:

On Wednesday, June 27, 2018 at 6:44:29 PM UTC-4, Jim Burnes wrote:

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

Last I checked, there were a few OIDC implementations for OpenResty. Many OpenResty packages, including the top OIDC search result I looked at, tend to be written with two types of functionality:

* library methods
* (typically short) logic flows for the nginx/openresty hooks

instead of forking a plugin, many people will just write a custom hook that reimplements the packaged hook slightly differently

I'm an application security engineer, so even though I'm a software engineer I don't program the API authentication. I just help the devs pick compliant security solutions and try to enforce compliance.

i switched from nginx to openresty a few years ago just to get dynamic ssl certificate functionality (query a backend for the certificate matching the SNI). It took me a few hours to learn enough lua and openresty to prototype a v1, and under a day to finalize it with a multi-tiered cache. the point: it's really fast to prototype a proof-of-concept.

If i were in your position, I'd ask the app devs to do a quick 2-3hr prototype on how they envision the integration in each platform, then take a look at the implementation/libraries for glaring errors.

.

jvburnes

BTW: What's the best tutorial / reference docs for openresty plugin development. Perhaps I can prototype something for them.

On Thu, Jun 28, 2018 at 1:03 AM Jim Burnes <jvb...@gmail.com> wrote:

I was thinking the same thing. Use a custom hook/shim to select and invoke the proper authentication plugin then send the proper x-userinfo assertion upstream.

Then it's just a matter of synchronizing session management. I'll suggest it.

thx

On Wed, Jun 27, 2018 at 11:58 PM <jon...@findmeon.com> wrote:

On Wednesday, June 27, 2018 at 6:44:29 PM UTC-4, Jim Burnes wrote:

Would it be easy enough to just tweak the OIDC plugin to redirect id's like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?

Last I checked, there were a few OIDC implementations for OpenResty. Many OpenResty packages, including the top OIDC search result I looked at, tend to be written with two types of functionality:

* library methods
* (typically short) logic flows for the nginx/openresty hooks

instead of forking a plugin, many people will just write a custom hook that reimplements the packaged hook slightly differently

I'm an application security engineer, so even though I'm a software engineer I don't program the API authentication. I just help the devs pick compliant security solutions and try to enforce compliance.

i switched from nginx to openresty a few years ago just to get dynamic ssl certificate functionality (query a backend for the certificate matching the SNI). It took me a few hours to learn enough lua and openresty to prototype a v1, and under a day to finalize it with a multi-tiered cache. the point: it's really fast to prototype a proof-of-concept.

If i were in your position, I'd ask the app devs to do a quick 2-3hr prototype on how they envision the integration in each platform, then take a look at the implementation/libraries for glaring errors.

.

jonathan

the only one I know of is the docs for the OPM tool

https://github.com/openresty/opm#author-workflow

i built my plugin by modeling it after a few others.