nginx+lua(openresty)实现黑/白名单权限控制的示例
作者:lgq2016
本文介绍了如何使用Openresty进行权限控制和灰度发布,具体通过定时器定期更新黑名单数据,进行用户过滤和权限管控,具有一定的参考价值,感兴趣的可以了解一下
openresty在nginx基础上集成了很多功能,比如可以直接调用redis,mysql,http接口等服务,比较流行的网关kong就是通过openresty实现的。日常开发和运维离不开nginx,实现稍微复杂的功能:简单权限控制,灰度发布等就可以通过openresty实现。
本文通过openresty定时器定期请求http接口获取更新的黑名单数据,过滤用户并做进一步的判断(结合实际的业务需求)进行权限管控。话不多说,直接上nginx.conf代码如下。
user root;
worker_processes auto;
worker_cpu_affinity auto;
error_log logs/error.log error;
worker_rlimit_nofile 30000;
pid logs/nginx.pid;
events {
use epoll;
worker_connections 65535;
}
http {
#include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
server_tokens off;
underscores_in_headers on;
keepalive_timeout 10;
send_timeout 60;
include /usr/local/nginx/conf/online/*.conf;
#下面四行和lua相关,重点看一下
lua_shared_dict portalCache 10m;#多进程共享内存变量
lua_shared_dict commonCache 1m;
init_by_lua_file /home/www/example/lua/api_init.lua;#初始化全局变量
init_worker_by_lua_file /home/www/example/lua/api_timer.lua; #启动定时器定期调用接口
upstream portalBackend {
server xxx weight=3;
server xxx weight=1;
}
upstream labelBackend {
server xxx;
server xxx;
}
upstream portalBackendOnQlikTicket {
server xxx;
server xxx;
}
upstream portalClient {
server xxx;
server xxx;
}
upstream portalAdmin {
server xxx;
server xxx;
}
upstream labelFrontend {
server xxx;
server xxx;
}
upstream bigScreen {
server xxx;
server xxx;
}
upstream mobile {
server xxx;
server xxx;
}
upstream portalMobile {
server xxx;
server xxx;
}
server {
listen 80;
server_name localhost hportal-uat.hikvision.com.cn;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
proxy_pass http://portalClient;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPT IONS';
add_header Access-Control-Allow-Credentials 'true';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Aliv e,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Autho rization,Origin,Accept';
}
location /ptclient {
proxy_pass http://portalClient/ptclient;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPT IONS';
add_header Access-Control-Allow-Credentials 'true';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Aliv e,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Autho rization,Origin,Accept';
}
location /ptadmin {
proxy_pass http://portalAdmin/ptadmin;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/ {
#...............error.log......notice
rewrite_log on;
#...............
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://portalBackend;
proxy_http_version 1.1;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Origin '';
proxy_set_header X-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
add_header Access-Control-Allow-Credentials 'true';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,A uthorization,Origin,Accept';
}
location /api/checkVmPermission {
default_type text/html;
access_by_lua_file /home/www/example/lua/api_access.lua;
}
location /api/test {
content_by_lua_block {
local portalCache = ngx.shared.portalCache;
ngx.say(portalCache:get("userAccountList"))
}
}
location @router{
rewrite ^.*$ /index.html last;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
#上述代码段中的接口只需要关注 /api/checkVmPermission和/api/test 即可。
api_init.lua代码如下所示:
json = require "cjson.safe"
http = require("resty.http")
interval = 60
portalCache = ngx.shared.portalCache
ipList = {"xxx.xxx.xxx.xxx","xxx.xxx.xxx.xxx"......}
portalCache:set("flag", true)
portalCache:set("ipList", json.encode(ipList))
api_timer.lua代码如下所示:
local function newClient()
local httpC = http.new()
return httpC
end
local handler = function (premature)
local httpc = newClient()
local resp,err = httpc:request_uri("http://10.10.10.10:8080", {
method = "GET",
path = "/xxx/xxx",
--请求的校验字段
headers = {
["VM_HEADER"] = "xxxxx"
}
})
--array为类型table,需要序列化之后才能存入portalCache
local array = json.decode(resp.body).data
portalCache:set("userAccountList", json.encode(array))
end
--只有一个进程负责定时任务
if 0 == ngx.worker.id() then
local ok, err = ngx.timer.every(interval, handler)
if not ok then
log(ERR, "failed to get userAccountList: ", err)
return
end
end
api_access.lua代码如下所示:
function account_is_include(value, tab)
--string 转table
local table = json.decode(tab)
for k,v in ipairs(table) do
if string.lower(v) == string.lower(value) then
return true
end
end
return false
end
function ip_is_include(value, tab)
for k,v in ipairs(tab) do
if string.find(value, v) ~= nil then
return true
end
end
return false
end
local function newClient()
local httpC = http.new()
return httpC
end
local handler = function (premature)
local httpc = newClient()
local resp,err = httpc:request_uri("http://xx.xx.xx.xx:xxxx", {
method = "GET",
path = "/xxx/xxx",
headers = {
["VM_HEADER"] = "xxx"
}
})
local array = json.encode(json.decode(resp.body).data)
portalCache:set("userAccountList", array)
end
--nginx启动时先调用一次
if portalCache:get("flag") then
portalCache:set("flag", false)
handler()
end
check_userAccount = portalCache:get("userAccountList")
check_ip = json.decode(portalCache:get("ipList"))
if nil == check_userAccount or nil == check_ip then
return ngx.exit(500)
end
local headers = ngx.req.get_headers()
local userAccount = headers["userAccount"]
if userAccount == nil then
return ngx.exit(401)
end
if account_is_include(userAccount, check_userAccount) then
local clientIP = headers["x-forwarded-for"]
if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
clientIP = headers["Proxy-Client-IP"]
end
if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
clientIP = headers["WL-Proxy-Client-IP"]
end
if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
clientIP = ngx.var.remote_addr
end
-- ...............IP......IP,..IP..','..
if clientIP ~= nil and string.len(clientIP) >15 then
local pos = string.find(clientIP, ",", 1)
clientIP = string.sub(clientIP,1,pos-1)
end
if clientIP == nil then
return ngx.exit(500)
end
if ip_is_include(clientIP, check_ip) then
return ngx.say(userAccount .. " " .. "Welcome to Hportal! (VM-IP:" .. clientIP ..")")
else
ngx.status = 403
ngx.say("Error! Restricted permissions! Your IP is " .. clientIP .. ". Make sure your IP is within this range: " .. json.encode(check_ip))
end
else
ngx.say(userAccount .. " " .. "Welcome to Hportal!")
end
最后实现效果如下所示:
常见问题汇总:
1.init_worker_by_lua_file error: /usr/local/openresty/lualib/resty/http.lua:133: API disabled in the context of init_worker_by_lua*
stack traceback:
[C]: in function 'ngx_socket_tcp'
/usr/local/openresty/lualib/resty/http.lua:133: in function 'new'
/home/www/example/lua/api_timer.lua:6: in function 'newClient'
/home/www/example/lua/api_timer.lua:21: in function 'getUserAccountTask'
/home/www/example/lua/api_timer.lua:35: in main chunk
答:在init_worker_by_lua...中不能直接调报表http的函数,必须在定时器里面调用。
2.json.decode(resp.body).data (table类型)无法直接放入公共缓存变量的value中
答:set时需要将table转为string,get时再转为table。
3. 如何访问http接口
答:推荐使用httpc,openresty本身不支持,需要在/usr/local/openresty/lualib/resty目录下引入以下三个文件:https://github.com/ledgetech/lua-resty-http/tree/master/lib/resty
4.如何获取请求真实ip地址?
local headers=ngx.req.get_headers()
local clientIP = headers["x-forwarded-for"]
if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
clientIP = headers["Proxy-Client-IP"]
end
if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
clientIP = headers["WL-Proxy-Client-IP"]
end
if clientIP == nil or string.len(clientIP) == 0 or clientIP == "unknown" then
clientIP = ngx.var.remote_addr
end
-- 对于通过多个代理的情况,第一个IP为客户端真实IP,多个IP按照','分割
if clientIP ~= nil and string.len(clientIP) >15 then
local pos = string.find(clientIP, ",", 1)
clientIP = string.sub(clientIP,1,pos-1)
end到此这篇关于nginx+lua(openresty)实现黑/白名单权限控制的示例的文章就介绍到这了,更多相关nginx 黑/白名单权限控制内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!