lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


 


New to nginx_lua. Please be gentle ;)
A few days of researching and experimenting with encouraging results.
But time to make sure I am not heading into the wilderness of stupid.
Appreciate any advice.

Here I am serving HLS index files (m3u8) and wish to protect them (surprise).

====================
location ~ ^/fetch/(?<tok>.+)$ {
set $r 'raisin';
content_by_lua '
local cjson = require "cjson"
local jwt = require "resty.jwt"
local jwt_obj = jwt:verify("lua-resty-jwt", ngx.var.tok)
##ngx.say(cjson.encode(jwt_obj)) WORKS
ngx.var.r = "in the sun";
';
add_header "X-Reason" "$r"; ## just testing. Does it fail to update because it is a header?
## proxy_pass will go here?
## log user_id of expired or bad hash
}
====================

I experimented with JWT (https://jwt.io/) and discovered I can pack the info I need into a JWT string and still have a URL under 150 bytes.

So I want to use the JWT in the url. The location above receives it as $tok, and decodes it correctly into json.

Now I need to perform some checks, log any issues, and proxy_pass a valid request to an internal location.

The json object that gives a user_id, an expiry time, and a "real" location.

I need to "copy" the variables from lua to nginx. I think ngx.var.VARNAME = "value" within content_by_lua is what I need.

QUESTION #1

I set $r="raisin" to initialize the variable as directed at https://github.com/openresty/lua-nginx-module#ngxvarvariable

I know the content_by_lua block is executed correctly (trust me). But the extra header X-Reason is always "raisin" and never "in the sun".

I expected to see the X-Reason header changed in the content_by_lua block.

I suspect I am still thinking/reading procedurally, and that is not what is happening. But I'm not really able to explain why this is so.

How can I use lua vars outside the content_by_lua block ? Or is that a bad idea that I should avoid?

QUESTION #2

I notice the docs say "WARNING: This API requires a relatively expensive metamethod call and it is recommended to avoid using it on hot code paths." and this depresses me ;)

Am I correct to guess "hot code" means a location that has frequent hits? In this case I am serving m3u8 segments, so I expect frequent hits.

Is this a show stopper?

QUESTION #3

Am I nuts?

I liked the idea of serving a JWT url (without the header) because I think it is very secure.
But to finish I need to...

a) check the expiry time. If expired, log the bad user and die with 403.

b) if good, proxy_pass to the given url (given in the json object). Ideally this comes to me as eg {url: 1234/foo} and I explode the folder and add on the m3u8 extension, so that I go to an internal location with a full url, eg domain/media/1/2/3/4/foo.mu3u8

Simple in most languages I know, but with nginx+lua I can see it will take some effort from me. Hard to be sure what will go inside content_by_lua and what will remain in the location block for nginx.

So before I kill myself... am I nuts? Is this reasonable, or am I asking too much of ngix+lua?
In particular, is this the sort of thing the WARNING is directed at?

Are there other bits of LUA I should be looking at here that would achieve the same thing without the WARNING? ;)

Thank your for reading.