ARM环境编译Openresty,并通过lua脚本鉴权文件服务

于 2025-02-20 11:18:50 发布
阅读量461 收藏 7
点赞数 4
文章标签: arm开发 openresty lua
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_24585103/article/details/145748400
版权

制作Openresty镜像

下载Dockerfile

git地址:https://github.com/openresty/docker-openresty/tree/1.27.1.1-1/alpine
需要把Dockerfile、nginx.conf、nginx.vh.default.conf下载下来

修改Dockerfile

# Dockerfile - alpine
# https://github.com/openresty/docker-openresty
# 这儿修改成自己的alpine arm镜像
# 可从docker hub上拉取
# docker pull alpine:3.21@sha256:757d680068d77be46fd1ea20fb21db16f150468c5e7079a08a2e4705aec096ac
# 推送到自己的docker仓库
ARG RESTY_IMAGE_BASE="alpine"
ARG RESTY_IMAGE_TAG="3.21"

FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG}

LABEL maintainer="Eugene <925718725@qq.com>"

# Docker Build Arguments
# 这儿同上
ARG RESTY_IMAGE_BASE="alpine"
ARG RESTY_IMAGE_TAG="3.21"
ARG RESTY_VERSION="1.27.1.1"

# https://github.com/openresty/openresty-packaging/blob/master/alpine/openresty-openssl3/APKBUILD
ARG RESTY_OPENSSL_VERSION="3.0.15"
ARG RESTY_OPENSSL_PATCH_VERSION="3.0.15"
# 这儿如果是内网安装可下载下来上传到本地的文件服务中,如果没有文件服务则看下面,直接把文件下载后拷贝到容器中
#ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
ARG RESTY_OPENSSL_URL_BASE="https://xxx.cn/group1/M00/4A/73/FDCYBWe1RdWAAazPAOm-abGvJDc8291.gz?filename=openssl-3.0.15.tar.gz"
# LEGACY:  "https://www.openssl.org/source/old/1.1.1"
ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
        enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-md2 enable-ktls enable-fips \
        "

# https://github.com/openresty/openresty-packaging/blob/master/alpine/openresty-pcre2/APKBUILD
ARG RESTY_PCRE_VERSION="10.44"
ARG RESTY_PCRE_SHA256="86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b"
ARG RESTY_PCRE_BUILD_OPTIONS="--enable-jit --enable-pcre2grep-jit --disable-bsr-anycrlf --disable-coverage --disable-ebcdic --disable-fuzz-support \
    --disable-jit-sealloc --disable-never-backslash-C --enable-newline-is-lf --enable-pcre2-8 --enable-pcre2-16 --enable-pcre2-32 \
    --enable-pcre2grep-callout --enable-pcre2grep-callout-fork --disable-pcre2grep-libbz2 --disable-pcre2grep-libz --disable-pcre2test-libedit \
    --enable-percent-zt --disable-rebuild-chartables --enable-shared --disable-static --disable-silent-rules --enable-unicode --disable-valgrind \
    "
# 根据自己的机器来定义
ARG RESTY_J="4"

# https://github.com/openresty/openresty-packaging/blob/master/alpine/openresty/APKBUILD
# 可禁用或启用nginx的组件
ARG RESTY_CONFIG_OPTIONS="\
    --with-compat \
    --without-mail_pop3_module \
    --without-mail_imap_module \
    --without-mail_smtp_module \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_geoip_module=dynamic \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_image_filter_module=dynamic \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-http_v3_module \
    --with-http_xslt_module=dynamic \
    --with-ipv6 \
    --with-mail \
    --with-mail_ssl_module \
    --with-md5-asm \
    --with-sha1-asm \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-threads \
    "
ARG RESTY_CONFIG_OPTIONS_MORE=""
ARG RESTY_LUAJIT_OPTIONS="--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'"
ARG RESTY_PCRE_OPTIONS="--with-pcre-jit"

ARG RESTY_ADD_PACKAGE_BUILDDEPS=""
ARG RESTY_ADD_PACKAGE_RUNDEPS=""
ARG RESTY_EVAL_PRE_CONFIGURE=""
ARG RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE=""
ARG RESTY_EVAL_POST_MAKE=""

# These are not intended to be user-specified
ARG _RESTY_CONFIG_DEPS="--with-pcre \
    --with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre2/include -I/usr/local/openresty/openssl3/include' \
    --with-ld-opt='-L/usr/local/openresty/pcre2/lib -L/usr/local/openresty/openssl3/lib -Wl,-rpath,/usr/local/openresty/pcre2/lib:/usr/local/openresty/openssl3/lib' \
    "

LABEL resty_image_base="${RESTY_IMAGE_BASE}"
LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
LABEL resty_version="${RESTY_VERSION}"
LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
LABEL resty_openssl_build_options="${RESTY_OPENSSL_BUILD_OPTIONS}"
LABEL resty_pcre_version="${RESTY_PCRE_VERSION}"
LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}"
LABEL resty_pcre_sha256="${RESTY_PCRE_SHA256}"
LABEL resty_config_options="${RESTY_CONFIG_OPTIONS}"
LABEL resty_config_options_more="${RESTY_CONFIG_OPTIONS_MORE}"
LABEL resty_config_deps="${_RESTY_CONFIG_DEPS}"
LABEL resty_add_package_builddeps="${RESTY_ADD_PACKAGE_BUILDDEPS}"
LABEL resty_add_package_rundeps="${RESTY_ADD_PACKAGE_RUNDEPS}"
LABEL resty_eval_pre_configure="${RESTY_EVAL_PRE_CONFIGURE}"
LABEL resty_eval_post_download_pre_configure="${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}"
LABEL resty_eval_post_make="${RESTY_EVAL_POST_MAKE}"
LABEL resty_luajit_options="${RESTY_LUAJIT_OPTIONS}"
LABEL resty_pcre_options="${RESTY_PCRE_OPTIONS}"

# 这儿拷贝一些需要用到的文件到容器内,如果没有文件服务,也可从这儿直接下载拷贝到容器中
COPY hosts /etc/hosts
COPY openresty-1.27.1.1.tar.gz /openresty-1.27.1.1.tar.gz
COPY openssl-3.0.15.tar.gz /openssl-3.0.15.tar.gz
COPY pcre2-10.44.tar.gz /pcre2-10.44.tar.gz


RUN apk add --no-cache --virtual .build-deps \
        build-base \
        coreutils \
        curl \
        gd-dev \
        geoip-dev \
        libxslt-dev \
        linux-headers \
        make \
        perl-dev \
        readline-dev \
        zlib-dev \
        ${RESTY_ADD_PACKAGE_BUILDDEPS} \
    && apk add --no-cache \
        gd \
        geoip \
        libgcc \
        libxslt \
        tzdata \
        zlib \
        ${RESTY_ADD_PACKAGE_RUNDEPS} \
    && cd /tmp \
    && if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \
    && cd /tmp \
    # 没有文件服务则使用下面的把文件拷贝到/tmp中
    #&& curl -fSL "${RESTY_OPENSSL_URL_BASE}" -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
    && mv /openssl-${RESTY_OPENSSL_VERSION}.tar.gz  /tmp/openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
    && tar xzf openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
    && cd openssl-${RESTY_OPENSSL_VERSION} \
    && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "3.0.15" ] ; then \
        echo 'patching OpenSSL 3.0.15 for OpenResty' \
        # 这儿使用了国内代理加速,前面加上https://hub.gitmirror.com/
        && curl -s         https://hub.gitmirror.com/https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
    fi \
    && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \
        echo 'patching OpenSSL 1.1.1 for OpenResty' \
        # 这儿使用了国内代理加速,前面加上https://hub.gitmirror.com/
        && curl -s https://hub.gitmirror.com/https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
    fi \
    && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \
        echo 'patching OpenSSL 1.1.0 for OpenResty' \
        # 这儿使用了国内代理加速,前面加上https://hub.gitmirror.com/
        && curl -s https://hub.gitmirror.com/https://raw.githubusercontent.com/openresty/openresty/ed328977028c3ec3033bc25873ee360056e247cd/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \
        # 这儿使用了国内代理加速,前面加上https://hub.gitmirror.com/
        && curl -s https://hub.gitmirror.com/https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
    fi \
    && ./config \
      shared zlib -g \
      --prefix=/usr/local/openresty/openssl3 \
      --libdir=lib \
      -Wl,-rpath,/usr/local/openresty/openssl3/lib \
      ${RESTY_OPENSSL_BUILD_OPTIONS} \
    && make -j${RESTY_J} \
    && make -j${RESTY_J} install_sw \
    && cd /tmp \
    # 没有文件服务则使用下面的把文件拷贝到/tmp中
    #&& curl -fSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${RESTY_PCRE_VERSION}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" -o pcre2-${RESTY_PCRE_VERSION}.tar.gz \
    #&& curl -fSL "https://xxx.cn/group1/M00/4A/73/FDCYBWe1RkyAFxyPACbz2DejUDQ2905.gz?filename=pcre2-10.44.tar.gz" -o pcre2-${RESTY_PCRE_VERSION}.tar.gz \
    && mv /pcre2-${RESTY_PCRE_VERSION}.tar.gz /tmp/pcre2-${RESTY_PCRE_VERSION}.tar.gz \
    && echo "${RESTY_PCRE_SHA256}  pcre2-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \
    && tar xzf pcre2-${RESTY_PCRE_VERSION}.tar.gz \
    && cd /tmp/pcre2-${RESTY_PCRE_VERSION} \
    && CFLAGS="-g -O3" ./configure \
        --prefix=/usr/local/openresty/pcre2 \
        --libdir=/usr/local/openresty/pcre2/lib \
        ${RESTY_PCRE_BUILD_OPTIONS} \
    && CFLAGS="-g -O3" make -j${RESTY_J} \
    && CFLAGS="-g -O3" make -j${RESTY_J} install \
    && cd /tmp \
    # 没有文件服务则使用下面的把文件拷贝到/tmp中
    #&& curl -fSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \
    #&& curl -fSL https://xxx.cn/group1/M00/4A/73/FDCYBWe1SgyAF70MAFrqvT8TigE1077.gz?filename=openresty-1.27.1.1.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \
    && mv /openresty-${RESTY_VERSION}.tar.gz /tmp/openresty-${RESTY_VERSION}.tar.gz \
    && tar xzf openresty-${RESTY_VERSION}.tar.gz \
    && cd /tmp/openresty-${RESTY_VERSION} \
    && if [ -n "${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}); fi \
    && eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_LUAJIT_OPTIONS} ${RESTY_PCRE_OPTIONS} \
    && make -j${RESTY_J} \
    && make -j${RESTY_J} install \
    && cd /tmp \
    && if [ -n "${RESTY_EVAL_POST_MAKE}" ]; then eval $(echo ${RESTY_EVAL_POST_MAKE}); fi \
    && rm -rf \
        openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \
        pcre2-${RESTY_PCRE_VERSION}.tar.gz pcre2-${RESTY_PCRE_VERSION} \
        openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \
    && apk del .build-deps \
    && mkdir -p /var/run/openresty \
    && ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \
    && ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log

# Add additional binaries into PATH for convenience
ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin

# Copy nginx configuration files
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf

CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]

# Use SIGQUIT instead of default SIGTERM to cleanly drain requests
# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls
STOPSIGNAL SIGQUIT

制作openresty镜像

docker build -t openresty:alpine-aarch64-eugene .

鉴权

运行openresty

docker run --privileged -u root -d --name openresty  --restart=always --network=host   -v /data/openresty/conf:/usr/local/openresty/nginx/conf  -v /data/openresty/logs:/usr/local/openresty/nginx/logs -v /data/openresty/ssl:/usr/local/openresty/nginx/ssl  -v /usr/local/openresty/nginx/html  -v /data/openresty/lua:/usr/local/openresty/nginx/lua -v /etc/localtime:/etc/localtime openresty:alpine-aarch64-eugene

编写lua脚本

nginx-jwt.lua

-- nginx-jwt.lua


local cjson = require "cjson"
local jwt = require "resty.jwt"

--your secret
local public_key = [[
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpsshjCcEKvc+J3HQcO2
i+cu8blV6T9Lh8YhKGuYOevu3Tqj/Yc9G2UrxC/xFLmj5zYAYtKfy1KB7lGhpZRM
47GnPm/RoP4ozXaaFxjDCmqM+Y345eeusQtbbPXvUHCVLMSTgpEBYI9T5Atg90bm
5uBZgDSsn2rXoJCijsuqXUoE3Glmt/SacVY7yNigG9X+e1zd/C/nveBQdI+QY5A4
fyXCJcw1sdLe+nc27Sh86PtX8J4s3+mG4ElQkwHzMSTE4cf8ffRR/jwrFT+NVUii
gavJG/mF4v8XU8yN1LvoSnak8lc+LS6nHmnI1vSZdYKD3u9i3RAW5lTIpCCrsf7G
yQIDAQAB
-----END PUBLIC KEY-----
]]
--无需鉴权api清单
local no_need_token_api_list = {'/api/register', '/api/login'}
local no_need_ip = {'127.0.0.1'}

local function ignore_url (val)
    for index, value in ipairs(no_need_token_api_list) do
        if (value == val) then
            return true
        end
    end

    return false
end

local function ignore_ip (val)
    for index,value in ipairs(no_need_ip) do
	if(value == val) then
	   return true
        end
    end
    return false
end

local M = {}


function M.auth()

    if ignore_url(ngx.var.request_uri) then
        return
    else
    end
    if ignore_ip(ngx.var.remote_addr) then
	return
    else
    end
	
    -- require Authorization request header
    local auth_header = ngx.var.http_Authorization
    local headers = ngx.req.get_headers()
    local reqUri = ngx.var.request_uri
    local reqList = {}
    string.gsub(reqUri,'[^/]+',function (w)
	table.insert(reqList,w)	
    end)
    local urlSiteId = reqList[2]

    if headers["xtenant"] == nil then
	ngx.log(ngx.WARN, "No xtenant header")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
    if urlSiteId ~= headers["xtenant"]  then
        ngx.log(ngx.WARN, "No Authorization header")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    if auth_header == nil then
        ngx.log(ngx.WARN, "No Authorization header")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    -- require Bearer token
    local _, _, token = string.find(auth_header, "Bearer%s+(.+)")

    if token == nil then
        ngx.log(ngx.ERR, "Missing token")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    --jwt:set_alg_whitelist({ RS256 = 1 })
    local jwt_obj = jwt:verify(public_key,token)
    
    if ""..jwt_obj.payload.site_id ~= ""..headers["xtenant"] then
        ngx.log(ngx.ERR, "No Authorization header"..jwt_obj.payload.site_id)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    local httpc = require("resty.http").new()
    -- 改成自己的鉴权接口
    local res, err = httpc:request_uri("https://xxx.cn/gateway/service/api/v1/file/auth", {
        ssl_verify = ssl_verify or false,
        method = "GET",
        headers = {
            ["Authorization"] = "Bearer "..token,
        },
    })
    if  not res then
        ngx.log(ngx.ERR, "request failed: "..err)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
        return
    end
    if res.body ~= "true" then
        ngx.log(ngx.ERR, "Invalid token2: ".. res.body)
        ngx.status = ngx.HTTP_UNAUTHORIZED
        ngx.say("Invalid token22: ".. res.body)
        ngx.header.content_type = "application/json; charset=utf-8"
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end 
    

end

return M

nginx-jwt-src.lua

-- nginx-jwt.lua


local cjson = require "cjson"
local jwt = require "resty.jwt"
local redis = require "resty.redis"
--your secret
local public_key = [[
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpsshjCcEKvc+J3HQcO2
i+cu8blV6T9Lh8YhKGuYOevu3Tqj/Yc9G2UrxC/xFLmj5zYAYtKfy1KB7lGhpZRM
47GnPm/RoP4ozXaaFxjDCmqM+Y345eeusQtbbPXvUHCVLMSTgpEBYI9T5Atg90bm
5uBZgDSsn2rXoJCijsuqXUoE3Glmt/SacVY7yNigG9X+e1zd/C/nveBQdI+QY5A4
fyXCJcw1sdLe+nc27Sh86PtX8J4s3+mG4ElQkwHzMSTE4cf8ffRR/jwrFT+NVUii
gavJG/mF4v8XU8yN1LvoSnak8lc+LS6nHmnI1vSZdYKD3u9i3RAW5lTIpCCrsf7G
yQIDAQAB
-----END PUBLIC KEY-----
]]
--无需鉴权api清单
local no_need_token_api_list = {'/api/register', '/api/login',}

local function ignore_url (val)
    for index, value in ipairs(no_need_token_api_list) do
        if (value == val) then
            return true
        end
    end
    if (string.sub(val,1,17)=="/group1/100/medal") then
	return true
    end

    return false
end

local M = {}


function M.auth()

    if ignore_url(ngx.var.request_uri) then
        return
    else
    end
	
    -- require Authorization request header
    local auth_header = ngx.var.http_Authorization
    local headers = ngx.req.get_headers()
    local reqUri = ngx.var.request_uri
    local reqArgs = ngx.req.get_uri_args()
    local reqList = {}
    string.gsub(reqUri,'[^/]+',function (w)
	table.insert(reqList,w)	
    end)
    local urlSiteId = reqList[2]
    local red = redis:new() 
    -- 自己的redis
    local redisok,err = red:connect("127.0.0.1",6379)
    if not redisok then
    	ngx.log(ngx.ERR,"redis Cannot connect, host: ")
    	--return nil, err
    end
    red:auth("Qwer1234")
    local acckey = ngx.var.arg_accessKey
    if acckey == nil then
        ngx.log(ngx.ERR, "Missing acckey error: ")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
    local redisToken,rediserror = red:get(acckey)
    if not redisToken or type(redisToken) == "userdata" then
        ngx.log(ngx.ERR, "redis error: ")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
    local token = redisToken

    local jwt_obj = jwt:verify(public_key,token)
   
    if ""..jwt_obj.payload.client_id == "platform-manage" then
         return
    end

 
    if ""..jwt_obj.payload.site_id ~= urlSiteId then
        
        ngx.log(ngx.ERR, "No Authorization header"..jwt_obj.payload.site_id)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    local httpc = require("resty.http").new()
    -- 改成自己的鉴权接口
    local res, err = httpc:request_uri("https://xxx.cn/gateway/service/api/v1/file/auth", {
        ssl_verify = ssl_verify or false,
        method = "GET",
        headers = {
            ["Authorization"] = "Bearer "..token,
        },
    })
    if  not res then
        ngx.log(ngx.ERR, "request failed: "..err)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
        return
    end
    if res.body ~= "true" then
        ngx.log(ngx.ERR, "Invalid token2: ".. res.body)
        ngx.status = ngx.HTTP_UNAUTHORIZED
        ngx.say("Invalid token22: ".. res.body)
        ngx.header.content_type = "application/json; charset=utf-8"
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end 
    

end

return M

nginx-upload-auth.lua

-- nginx-jwt.lua


local cjson = require "cjson"
local jwt = require "resty.jwt"

--your secret
local public_key = [[
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpsshjCcEKvc+J3HQcO2
i+cu8blV6T9Lh8YhKGuYOevu3Tqj/Yc9G2UrxC/xFLmj5zYAYtKfy1KB7lGhpZRM
47GnPm/RoP4ozXaaFxjDCmqM+Y345eeusQtbbPXvUHCVLMSTgpEBYI9T5Atg90bm
5uBZgDSsn2rXoJCijsuqXUoE3Glmt/SacVY7yNigG9X+e1zd/C/nveBQdI+QY5A4
fyXCJcw1sdLe+nc27Sh86PtX8J4s3+mG4ElQkwHzMSTE4cf8ffRR/jwrFT+NVUii
gavJG/mF4v8XU8yN1LvoSnak8lc+LS6nHmnI1vSZdYKD3u9i3RAW5lTIpCCrsf7G
yQIDAQAB
-----END PUBLIC KEY-----
]]
--无需鉴权api清单
local no_need_token_api_list = {'/api/register', '/api/login'}

local function ignore_url (val)
    for index, value in ipairs(no_need_token_api_list) do
        if (value == val) then
            return true
        end
    end

    return false
end

local M = {}


function M.auth()

    if ignore_url(ngx.var.request_uri) then
        return
    else
    end
	
    -- require Authorization request header
    local auth_header = ngx.var.http_Authorization
    local headers = ngx.req.get_headers()
    local reqUri = ngx.var.request_uri
    local reqList = {}
    string.gsub(reqUri,'[^/]+',function (w)
	table.insert(reqList,w)	
    end)
    local urlSiteId = reqList[2]

    if headers["xtenant"] == nil then
	ngx.log(ngx.WARN, "No xtenant header")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    if auth_header == nil then
        ngx.log(ngx.WARN, "No Authorization header")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    -- require Bearer token
    local _, _, token = string.find(auth_header, "Bearer%s+(.+)")

    if token == nil then
        ngx.log(ngx.ERR, "Missing token")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    --jwt:set_alg_whitelist({ RS256 = 1 })
    local jwt_obj = jwt:verify(public_key,token)

    if ""..jwt_obj.payload.client_id == "platform-manage" then
        return;
    end

   
    if ""..jwt_obj.payload.site_id ~= ""..headers["xtenant"] then
	ngx.log(ngx.ERR, "No Authorization header"..jwt_obj.payload.site_id)
        ngx.say("Invalid token: ".. cjson.encode(jwt_obj).."headSiteId:"..headers["xtenant"].."tokenSiteId:"..jwt_obj.payload.site_id)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end      

    local httpc = require("resty.http").new()
    -- 改成自己的鉴权接口
    local res, err = httpc:request_uri("https://xxx.cn/gateway/service/api/v1/file/auth", {
        ssl_verify = ssl_verify or false,
	method = "GET",
        headers = {
            ["Authorization"] = "Bearer "..token,
        },
    })
    if  not res then
        ngx.log(ngx.ERR, "request failed: "..err)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
        return
    end
    if res.body ~= "true" then
        ngx.log(ngx.ERR, "Invalid token2: ".. res.body)
        ngx.status = ngx.HTTP_UNAUTHORIZED
        ngx.say("Invalid token22: ".. res.body)
        ngx.header.content_type = "application/json; charset=utf-8"
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end 
     
end

return M

下载lua插件并安装

下载 lua-resty-jwt 、 lua-resty-hmac 、lua-resty-http插件:
lua-resty-jwt: https://github.com/SkyLothar/lua-resty-jwt
lua-resty-hmac: https://github.com/jkeys089/lua-resty-hmac
lua-resty-http:https://github.com/ledgetech/lua-resty-http
拷贝三个插件的 lib/resty 下的文件拷贝到一个文件夹中
找到 evp.lua,进入 evp.lua 文件,将 EVP_MD_CTX_create () 全部替换为 EVP_MD_CTX_new,将 EVP_MD_CTX_destroy 全部替换为 EVP_MD_CTX_free

注意:报错module ‘resty.http‘ not found是因为没有lua-resty-http插件
报这个错是因为上面这个函数名没有替换

evp.lua:216: dlsym(RTLD_DEFAULT, EVP_MD_CTX_create): symbol not found

进入容器

docker exec -it openresty bash

创建文件夹

mkdir -p /usr/local/openresty/lualib-extend/resty

然后把刚刚的插件和之前写的lua脚本拷贝到容器中,结构如下
在这里插入图片描述

配置nginx

nginx.conf

# nginx.conf  --  docker-openresty
#
# This file is installed to:
#   `/usr/local/openresty/nginx/conf/nginx.conf`
# and is the file loaded by nginx at startup,
# unless the user specifies otherwise.
#
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
# section and adds this directive:
#     `include /etc/nginx/conf.d/*.conf;`
#
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
# `/etc/nginx/conf.d/default.conf`.  It contains the `server section
# of the upstream `nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#

#user  nobody;
#worker_processes 1;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;
events {
    worker_connections  65535;
}
http {
 limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
  #注意在这儿配置的是刚刚插件的路径
  lua_package_path "usr/local/openresty/lualib-extend/?.lua;;";
    #include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
        access_log  /usr/local/openresty/nginx/logs/access.log  main;
        error_log  /usr/local/openresty/nginx/logs/error.log  error;
        sendfile        on;
        server_tokens off;
        keepalive_timeout  600s;
        client_header_timeout 600s;
        client_body_timeout 600s;
        send_timeout 600s;
        client_max_body_size 1024m;
       #指定nginx与后端fastcgi server连接超时时间
       fastcgi_connect_timeout 600s;
       #指定nginx向后端传送请求超时时间(指已完成两次握手后向fastcgi传送请求超时时间)
       fastcgi_send_timeout 600s;
       #指定nginx向后端传送响应超时时间(指已完成两次握手后向fastcgi传送响应超时时间)
       fastcgi_read_timeout 600s;

        proxy_redirect ~/big/upload/(.*) /big/upload/$1;  #继点续传一定要设置(注意)


    # Enables or disables the use of underscores in client request header fields.
    # When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the ignore_invalid_headers directive.
    # underscores_in_headers off;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

        # Log in JSON Format
        # log_format nginxlog_json escape=json '{ "timestamp": "$time_iso8601", '
        # '"remote_addr": "$remote_addr", '
        #  '"body_bytes_sent": $body_bytes_sent, '
        #  '"request_time": $request_time, '
        #  '"response_status": $status, '
        #  '"request": "$request", '
        #  '"request_method": "$request_method", '
        #  '"host": "$host",'
        #  '"upstream_addr": "$upstream_addr",'
        #  '"http_x_forwarded_for": "$http_x_forwarded_for",'
        #  '"http_referrer": "$http_referer", '
        #  '"http_user_agent": "$http_user_agent", '
        #  '"http_version": "$server_protocol", '
        #  '"nginx_access": true }';
        # access_log /dev/stdout nginxlog_json;

    # See Move default writable paths to a dedicated directory (#119)
    # https://github.com/openresty/docker-openresty/issues/119
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path       /var/run/openresty/nginx-proxy;
    fastcgi_temp_path     /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path       /var/run/openresty/nginx-uwsgi;
    scgi_temp_path        /var/run/openresty/nginx-scgi;

    #sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    #keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
    include /usr/local/openresty/nginx/conf/conf.d/*.conf;

    # Don't reveal OpenResty version to clients.
    # server_tokens off;
}

include /etc/nginx/conf.d/*.main;

conf/conf.d/file.conf


  upstream file
  {
    server 127.0.0.1:8080;
    ip_hash;
  }
  
  access_log /usr/local/openresty/nginx/logs/nginx_access.log;
  error_log /usr/local/openresty/nginx/logs/nginx_error.log;
  resolver 114.114.114.114;
  server
  {
    listen 80;
    listen 443 ssl ;
    server_name  xxx.cn;
    ssl_certificate      /usr/local/openresty/nginx/ssl/xxx.cn.pem;
    ssl_certificate_key  /usr/local/openresty/nginx/ssl/xxx.cn.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_protocols    TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;

    client_header_buffer_size 16k;
    large_client_header_buffers 4 16k;
    #proxy_ssl_session_reuse off;

    location /group1 {
      #ssl_preread on;
      limit_req zone=allips burst=5 nodelay;
      add_header Access-Control-Expose-Headers Content-Disposition;
      add_header Cache-Control max-age=360000;
      if ($request_method = 'OPTIONS') {
      add_header Access-Control-Allow-Origin * always;
      add_header Access-Control-Allow-Headers "access_token, Content-Type, X-Client-Id, Authorization, X-Domain, xtenant, clientid" always;
      add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, PATCH, DELETE, HEAD" always;
      add_header Access-Control-Max-Age 86400 always; 
      	return 204;
      }
      ## 这儿就可以使用lua脚本进行鉴权了。
       access_by_lua_block {
        local obj = require('nginx-jwt')
        obj.auth()
      }
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      #proxy_ssl_session_reuse off;
      #proxy_ssl_server_name off;
      proxy_pass http://file;
    }
   location ~*\.(doc|docx|xls|xlsx|ppt|pptx|pdf)$ {
      add_header Access-Control-Expose-Headers "Content-Disposition";
      if ($arg_accesskey != "") {
           access_by_lua_block {
                local obj = require('nginx-jwt-src')
                obj.auth()
           }
      }
      if ($arg_accesskey = "") {
           access_by_lua_block
           {
                local obj = require('nginx-jwt')
                obj.auth()
           }
      }

      if ($request_method = 'OPTIONS') {
        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Headers "access_token, Content-Type, X-Client-Id, Authorization, X-Domain, xtenant, clientid" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, PATCH, DELETE, HEAD" always;
        add_header Access-Control-Max-Age 86400 always;
                return 204;
      }
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      #proxy_ssl_session_reuse off;
      #proxy_ssl_server_name off;
      proxy_pass http://file;

    }

    location ~*\.(apk|jpg|png|gif|jpeg|heic)$ {
      access_by_lua_block {
        local obj = require('nginx-jwt-src')
        obj.auth()
      }

      if ($request_method = 'OPTIONS') {
	add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Headers "access_token, Content-Type, X-Client-Id, Authorization, X-Domain, xtenant, clientid" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, PATCH, DELETE, HEAD" always;
        add_header Access-Control-Max-Age 86400 always;
                return 204;
      }
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://file;
    }
    location ~*\.(mp3|mp4)$ {
      limit_req zone=allips burst=5 nodelay;
      add_header Access-Control-Allow-Origin * always;
      add_header Access-Control-Allow-Headers "access_token, Content-Type, X-Client-Id, Authorization, X-Domain, xtenant, clientid" always;
      add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, PATCH, DELETE, HEAD" always;
      add_header Access-Control-Max-Age 86400 always;
      limit_rate_after 20m;
      limit_rate 100k;
      access_by_lua_block {
        local obj = require('nginx-jwt-src')
        obj.auth()
      }
      if ($request_method = 'OPTIONS') {
                return 204;
      }
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://file;
    }
  }

重启openresty

文件服务

Eugene Jou
关注
nginx + lua 环境搭建+创建项目;openresty搭建+创建项目
jiaoshenmo的博客
04-27 2235
某位大虾说过,天下武功,唯快不破!Nginx的看家本领就是速度,Lua的拿手好戏亦是速度,这两者的结合在速度上无疑有基因上的优势。话不多说,进入话题。 准备需要的压缩包解压好: nginx-1.9.7【nginx源码】 lua-nginx-module-master【配置nginx,让其支持luaLuaJIT-2.0.2【lua即时编译器】 ngx_devel_kit-0.2.18【n
arm编译lua
txk15619567977的专栏
05-20 405
arm编译lua
ARM Linux 安装部署OpenResty
AlphaTao的博客
04-02 1401
参考:https://blog.openresty.com/en/openresty-pre-build-for-aarch64-arm64/?src=org_news 备忘 1. Ubuntu 18.04/20.04 #1. 添加APT仓库 echo "deb http://openresty.org/package/arm64/ubuntu $(lsb_release -sc) main" \ | sudo tee /etc/apt/sources.list.d/openresty.list
Nvidia Xavier(ARM64)上安装openresty
Robin's Home
07-10 1183
OpenResty官方提供了大多数Linux发行版的预编译的包,所以安装非常简单,可以直接参考http://openresty.org/cn/installation.html 进行安装。但是官方的二进制包只支持X86_64 和AMD64 的CPU,如果需要在ARM CPU上安装openresty就需要从源码开始安装了。 这里介绍在Nvidia的Jetson Xavier 套件上安装openrety的方法, 使用的操作系统为ubuntu18.04。
安装OpenResty
博客包含书籍、B站、其他博主博客等内容,只为了记录笔记,作业,问题,软件配置等,为了以后方便查阅,如有侵权,请联系删除
06-08 1139
首先你的Linux虚拟机必须联网你可以在你的 CentOS 系统中添加openresty仓库,这样就可以便于未来安装或更新我们的软件包(通过命令)。然后再重复上面的命令然后就可以像下面这样安装软件包,比如openrestyopm是OpenResty的一个管理工具,可以帮助我们安装一个第三方的Lua模块。如果你想安装命令行工具opm,那么可以像下面这样安装默认情况下,OpenResty安装的目录是:/usr/local/openresty
使用Termux配置Openresty
最新发布
weixin_53785134的博客
10-19 579
安装LuaJit、nginx,添加openresty
openresty-1.25.3.1源码
02-07
OpenResty 是一个基于 Nginx 的高性能、全功能的 Web 应用服务器和开发平台,它集成了 LuaJIT 脚本语言,允许开发者在 Nginx 的配置文件中直接编写 Lua 脚本来实现复杂的业务逻辑。本次我们关注的是 OpenResty 的...
OpenResty 概要及原理
Mono的博客
02-01 577
OpenResty® 是一个基于 Nginx 与 Lua 的高性能 Web 平台,其内部集成了大量精良的 Lua 库、第三方模块以及大多数的依赖项。用于方便地搭建能够处理超高发、扩展性极高的动态 Web 应用、Web 服务和动态网关。OpenResty 官网地址:https://openresty.org/cn/。 OpenResty主要包含两方面的技术: Nginx: 一个免费的、开源的、高性能的 HTTP 服务器和反向代理,也是一个电子邮件(IMAP/POP3/SMTP)代理服务器。有关Ngi
2020阿里招聘岗位要求
遇见OFFER
06-10 2万+
职位名称 职位描述 职位要求 阿里云智能事业群-中间件业务中台架构师-北京\杭州 1、负责阿里云中台项目的实施,设计行业业务中台解决方案,根据客户需求设计搭建业务中台,能把设计工作付诸实现 2、根据项目需求,进行业务领域建模分析、平台架构设计、技术方案预研、核心模块技术方案设计 3、指导和培养团队和合作伙伴成员,包括评审设计文档和代码 4、与团队共同推进标杆客户,制定符合市场需求的业务中台产品功能、业务流程及推广策略,赋能业务团队拿下市场份额,推动业务中台的业务增
遇见OFFER,阿里云最强技术团队现身招聘,“职”为你来
热门推荐
遇见OFFER
05-28 6万+
最近还在找工作吗?我们又来放送招聘信息啦!快来看看吧~
Lua移植到arm实现在arm上 c与lua互调
05-07
Lua移植到arm实现在arm上 c与lua互调
基于Lua脚本语言的嵌入式UART通信的实现
04-09
在现场应用中,可以达到仅修改 Lua 脚本文件就能完成IED 装置与不同的串口通信外围设备之间的数据交互功能,从而实现对装置串口通信规约的现场可配置化
lua编译问题总结
重思想
02-16 1万+
1、首先安装lua linux系统 make linux make install 2、编译 gcc -lm  -g -o test test.c /usr/local/lib/liblua.a -ldl 如果少-ldl,那么编译就会报: gcc -lm  -g -o test test.c /usr/local/lib/liblua.a  /usr/
OpenResty 概要及原理科普
朱小厮的博客
04-23 5445
点击上方“朱小厮的博客”,选择“设为星标”后台回复"高效Java"领取《Effective Java第三版》OpenResty® 是一个基于Nginx与 Lua 的高...
lua-arm平台交叉编译
CoomCon的博客
08-28 900
本文只记录写者如何进行交叉编译的,非教程或科普性文章,只用于记录,不建议大家阅读,因此设置为收费文章。简单来讲修改MakeFile编译工具直接make就行,需要注意的就是lua依赖readline库*
lua交叉编译移植到ARM-Linux
y345996249的博客
04-24 2212
很多arm-linux需要用到lua,但是lua默认只包含linux下的编译,这里需要根据交叉编译器修改编译文件Makefile,交叉编译lua。我从网上找了一些方法,但是发现都无法完全解决,或者不算完整,因此在这里做一下记录: 1、首先需要下载lua安装包,免费下载地址(我看了下在其他CSDN资源上要收7分的):http://www.tecgraf.puc-rio.br/lua/ftp/lua...
LUA笔记(4)----移植LUAARM平台
Eric_
01-07 2284
一,下载LUA的源码 下载地址:http://www.lua.org/download.html 解压下载的下载的压缩包 tar -xvf lua-5.1.4.tar.gz (解压到哪里都可以) 二,修改编译器 我用的交叉编译器器是arm-cortex_a9-linux-gnueabi-gcc 进入到刚才解压出来的文件夹中: cd lua-5.1.4/src 在src下有个...
Openresty安装2019
火侬智能科技
08-08 322
【安装环境】 yum install pcre-devel openssl-devel gcc curl yum install gcc pcre-devel openssl-devel curl yum install libreadline-dev libncurses5-dev libpcre3-dev libssl-dev yum install libxml2 libxml2-deve...
Docker封装Centos版OpenResty环境Lua文件
从这个压缩包的内容来看,这是一套完整的开发环境,可以通过Docker技术在CentOS操作系统上快速搭建OpenResty运行环境,同时支持使用Lua脚本编写动态Web应用。 【标签】中列出了“docker”,“lua”和“OpenResty”。...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值