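OpenResty request authentication
Before a request is sent to the backend, it is authenticated first; only a request that passes authentication is forwarded to the backend.
Request authentication
auth_request authentication
Before the request is sent to the backend, auth_request issues a subrequest:
If the returned status code is 2xx, the request is allowed through
If the returned status code is 4xx, the request is rejected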
# Example
location / {
    # Issue a subrequest to authenticate the request
    auth_request /auth;
    # After authentication succeeds, send the request to the backend
    proxy_pass/fastcgi_pass/postgres_pass/...
}
ngx.location.capture subrequest authentication
Note that when calling ngx.exit(ngx.OK) within an access_by_lua_block
handler, the Nginx request processing control flow will still continue
to the content handler. To terminate the current request from within an
access_by_lua_block handler, call ngx.exit with status >= 200 (ngx.HTTP_OK)
and status < 300 (ngx.HTTP_SPECIAL_RESPONSE) for successful quits and
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) (or its friends) for failures.
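* Calling ngx.exit(ngx.OK) ends only the access_by_lua_block handler; request processing continues with the later phases
* ngx.exit with a 2xx status terminates the current request from within access_by_lua_block as a successful exit
* ngx.exit with a 4xx or 5xx status terminates the current request from within access_by_lua_block as a failure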
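# Example: use ngx.location.capture to emulate the auth_request authentication subrequest
location / {
    # Authenticate with a subrequest
    access_by_lua_block {
        local res = ngx.location.capture("/auth")

        -- 200 from the auth service: leave the handler and continue to the backend
        if res.status == ngx.HTTP_OK then
            return
        end

        -- 403 from the auth service: reject with the same status
        if res.status == ngx.HTTP_FORBIDDEN then
            ngx.exit(res.status)
        end

        -- Any other status is treated as an error
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    }
    # After authentication succeeds, send the request to the backend
    proxy_pass/fastcgi_pass/postgres_pass/...
}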
Usage example
***********
Backend application
HelloController
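import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // Auth endpoint called by the OpenResty subrequest: 200 allows, 401 rejects
    @RequestMapping("/auth")
    public void auth(HttpServletRequest request, HttpServletResponse response){
        // Print every request header received from the proxy
        Enumeration<String> enumeration = request.getHeaderNames();
        while (enumeration.hasMoreElements()){
            String name = enumeration.nextElement();
            System.out.println(name + " ==> " + request.getHeader(name));
        }

        // Demo check: compare the Authorization header with a fixed value
        String authorization = request.getHeader("Authorization");
        if ("gtlx".equalsIgnoreCase(authorization)){
            response.setStatus(200);
        }else {
            response.setStatus(401);
        }
    }

    // Backend endpoint protected by the proxy's authentication check
    @RequestMapping("/hello")
    public String hello(){
        return "瓜田李下";
    }
}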
Dockerfile
FROM java:8
WORKDIR /usr/local/jar
COPY hello.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
edit configuration ==> docker
Start the Docker application
:: Spring Boot :: (v2.7.2)
2022-07-29 02:09:24.518 INFO 1 --- [ main] com.example.demo.DemoApplication : Starting DemoApplication v0.0.1-SNAPSHOT using Java 1.8.0_111 on d61d6b0d8d4f with PID 1 (/usr/local/jar/app.jar started by root in /usr/local/jar)
2022-07-29 02:09:24.526 INFO 1 --- [ main] com.example.demo.DemoApplication : No active profile set, falling back to 1 default profile: "default"
2022-07-29 02:09:26.075 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2022-07-29 02:09:26.105 INFO 1 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2022-07-29 02:09:26.106 INFO 1 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.65]
2022-07-29 02:09:26.237 INFO 1 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2022-07-29 02:09:26.238 INFO 1 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1604 ms
2022-07-29 02:09:26.851 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2022-07-29 02:09:26.871 INFO 1 --- [ main] com.example.demo.DemoApplication : Started DemoApplication in 3.005 seconds (JVM running for 3.557)
2022-07-29 02:09:28.459 INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2022-07-29 02:09:28.459 INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2022-07-29 02:09:28.465 INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 6 ms
***********
openresty
default.conf
server {
    listen       80;
    server_name  localhost;

    location / {
        root   /usr/local/openresty/nginx/html;
        index  index.html index.htm;
    }

    location /test {
        auth_request /check;
        proxy_pass http://172.18.0.4:8080/hello;
    }

    location /test2 {
        access_by_lua_block {
            local cjson = require 'cjson';
            local res = ngx.location.capture("/check");
            -- ngx.say("res ==> ", cjson.encode(res));
            if res.status == 200 then
                -- return instead of ngx.exit(200): ngx.exit with a 2xx status
                -- terminates the request here and proxy_pass would never run
                return;
            else
                ngx.exit(res.status);
            end
        }
        proxy_pass http://172.18.0.4:8080/hello;
    }

    location /check {
        proxy_pass http://172.18.0.4:8080/auth;
        proxy_set_header Authorization $http_Authorization;
        proxy_set_header name 'hzw';
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/local/openresty/nginx/html;
    }
}
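A hardened variant of the /test2 and /check locations above, as an added example that is not part of the original post: it lets a request through only on a complete 2xx answer, passes 401 and 403 back unchanged, fails closed on every other subrequest status, and marks /check as internal so clients cannot call it directly. The backend address and the /check, /auth and /hello paths are taken from the page's default.conf; the X-Original-URI header name is an assumption.

```nginx
server {
    listen       80;
    server_name  localhost;

    location /test2 {
        access_by_lua_block {
            -- The subrequest inherits the client's request headers,
            -- so the Authorization header reaches /check unchanged.
            local res = ngx.location.capture("/check")

            -- Allow only on a complete 2xx answer. Use `return` so that
            -- the later phases (proxy_pass) still run.
            if res.status >= 200 and res.status < 300
               and not res.truncated then
                return
            end

            -- Pass the two "denied" statuses back to the client unchanged.
            if res.status == ngx.HTTP_UNAUTHORIZED
               or res.status == ngx.HTTP_FORBIDDEN then
                return ngx.exit(res.status)
            end

            -- Redirects, 5xx, truncated responses: fail closed and log it.
            ngx.log(ngx.ERR, "auth subrequest returned status ", res.status)
            return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        }
        proxy_pass http://172.18.0.4:8080/hello;
    }

    location = /check {
        # Reachable only through subrequests, not from clients
        internal;
        proxy_pass http://172.18.0.4:8080/auth;
        # The auth service decides from the headers; do not send the body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Assumed header name: tells the auth service which URI was requested
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

The same /check location can also back the auth_request directive used by /test.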
Create the OpenResty container
docker run -it -d --net fixed --ip 172.18.0.2 -p 9000:80 \
-v /Users/huli/lua/openresty/core/default.conf:/etc/nginx/conf.d/default.conf \
--name open-auth lihu12344/openresty
***********
Testing
localhost:9000/test ==> Authorization=gtlx
# Spring Boot console output
authorization ==> gtlx
name ==> hzw
host ==> 172.18.0.4:8080
connection ==> close
user-agent ==> PostmanRuntime/7.29.0
accept ==> */*
postman-token ==> fecbb948-e9a3-45c4-a39c-ea25c67f9e1f
accept-encoding ==> gzip, deflate, br
localhost:9000/test ==> Authorization=gtlx2
# Spring Boot console output
authorization ==> gtlx2
name ==> hzw
host ==> 172.18.0.4:8080
connection ==> close
user-agent ==> PostmanRuntime/7.29.0
accept ==> */*
postman-token ==> 168aae93-d5e2-4243-8278-014f44db3ce9
accept-encoding ==> gzip, deflate, br
localhost:9000/test2 ==> Authorization=gtlx
# Spring Boot console output
authorization ==> gtlx
name ==> hzw
host ==> 172.18.0.4:8080
connection ==> close
user-agent ==> PostmanRuntime/7.29.0
accept ==> */*
postman-token ==> 8aadba89-c3a9-4d8d-a09d-f3beab7df55f
accept-encoding ==> gzip, deflate, br
localhost:9000/test2 ==> Authorization=gtlx2
# Spring Boot console output
authorization ==> gtlx2
name ==> hzw
host ==> 172.18.0.4:8080
connection ==> close
user-agent ==> PostmanRuntime/7.29.0
accept ==> */*
postman-token ==> b887942a-64c2-410d-b1e9-37cd778ef85e
accept-encoding ==> gzip, deflate, br