New to nginx_lua. Please be gentle ;) A few days of researching and experimenting with encouraging results. But time to make sure I am not heading into the wilderness of stupid. Appreciate any advice.
Here I am serving HLS index files (m3u8) and wish to protect them (surprise).
====================
location ~ ^/fetch/(?<tok>.+)$ {
    set $r 'raisin';
    content_by_lua '
        local cjson = require "cjson"
        local jwt = require "resty.jwt"
        local jwt_obj = jwt:verify("lua-resty-jwt", ngx.var.tok)
        -- ngx.say(cjson.encode(jwt_obj))  -- WORKS
        ngx.var.r = "in the sun";
    ';
    add_header "X-Reason" "$r";  ## just testing. Does it fail to update because it is a header?
    ## proxy_pass will go here?
    ## log user_id of expired or bad hash
}
====================
I experimented with JWT (https://jwt.io/) and discovered I can pack the info I need into a JWT string and still have a URL under 150 bytes.
So I want to use the JWT in the url. The location above receives it as $tok, and decodes it correctly into json.
Now I need to perform some checks, log any issues, and proxy_pass a valid request to an internal location.
The json object gives a user_id, an expiry time, and a "real" location.
I need to "copy" the variables from lua to nginx. I think ngx.var.VARNAME = "value" within content_by_lua is what I need.
QUESTION #1
I set $r="raisin" to initialize the variable as directed at https://github.com/openresty/lua-nginx-module#ngxvarvariable
I know the content_by_lua block is executed correctly (trust me). But the extra header X-Reason is always "raisin" and never "in the sun".
I expected to see the X-Reason header changed in the content_by_lua block.
I suspect I am still thinking/reading procedurally, and that is not what is happening. But I'm not really able to explain why this is so.
How can I use lua vars outside the content_by_lua block? Or is that a bad idea that I should avoid?
QUESTION #2
I notice the docs say "WARNING: This API requires a relatively expensive metamethod call and it is recommended to avoid using it on hot code paths." and this depresses me ;)
Am I correct to guess "hot code" means a location that has frequent hits? In this case I am serving m3u8 segments, so I expect frequent hits.
Is this a show stopper?
QUESTION #3
Am I nuts?
I liked the idea of serving a JWT url (without the header) because I think it is very secure. But to finish I need to...
a) check the expiry time. If expired, log the bad user and die with 403.
b) if good, proxy_pass to the given url (given in the json object). Ideally this comes to me as eg {url: 1234/foo} and I explode the folder and add on the m3u8 extension, so that I go to an internal location with a full url, eg domain/media/1/2/3/4/foo.m3u8
Simple in most languages I know, but with nginx+lua I can see it will take some effort from me. Hard to be sure what will go inside content_by_lua and what will remain in the location block for nginx.
So before I kill myself... am I nuts? Is this reasonable, or am I asking too much of nginx+lua? In particular, is this the sort of thing the WARNING is directed at?
Are there other bits of Lua I should be looking at here that would achieve the same thing without the WARNING? ;)
Thank you for reading.
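The checks listed under (a) and (b) above, written out as an added example that is not part of the original post. The claim names `user_id`, `exp` and `url`, the `resolve` helper, the `secret` placeholder and the `/media/` prefix are assumptions drawn from the post's description; the function also refuses any `url` claim that is not `<digits>/<name>`, so an unexpected value cannot steer the request outside the media tree.

```lua
-- Added example, not the poster's code. `jwt_obj` is the table returned by
-- lua-resty-jwt's jwt:verify(); claim names and /media/ prefix are assumptions.
local function resolve(jwt_obj, now)
  if type(jwt_obj) ~= "table" or not jwt_obj.verified then
    local why = type(jwt_obj) == "table" and jwt_obj.reason or "no token"
    return 403, nil, "bad token: " .. tostring(why)
  end
  local p = type(jwt_obj.payload) == "table" and jwt_obj.payload or {}
  local user = tostring(p.user_id)
  -- (a) expiry: refuse and report which user presented the stale token
  if type(p.exp) ~= "number" or p.exp <= now then
    return 403, nil, "expired token, user_id=" .. user
  end
  -- (b) accept only "<digits>/<name>"; dots, extra slashes, ".." are refused
  local digits, name = string.match(tostring(p.url), "^(%d+)/([%w_%-]+)$")
  if not digits then
    return 403, nil, "bad url claim, user_id=" .. user
  end
  local folders = digits:gsub("%d", "%0/")   -- "1234" -> "1/2/3/4/"
  return 200, "/media/" .. folders .. name .. ".m3u8", nil
end

-- Wiring inside the location's Lua handler (runs only under OpenResty;
-- `secret` is a placeholder for the signing key):
--   local status, path, why = resolve(jwt:verify(secret, ngx.var.tok), ngx.time())
--   if status ~= 200 then
--     ngx.log(ngx.WARN, why)
--     return ngx.exit(status)
--   end
--   return ngx.exec(path)   -- internal redirect; that location does proxy_pass

-- Constructed sample objects (already decoded), not real tokens
local now = 1700000000
local function tok(exp, url)
  return { verified = true, payload = { user_id = 42, exp = exp, url = url } }
end

local status, path = resolve(tok(now + 60, "1234/foo"), now)
assert(status == 200 and path == "/media/1/2/3/4/foo.m3u8")

local _, _, why = resolve(tok(now - 1, "1234/foo"), now)
assert(why == "expired token, user_id=42")

assert(resolve(tok(now + 60, "12/../../etc/passwd"), now) == 403)
assert(resolve({ verified = false, reason = "signature mismatch" }, now) == 403)
```

Because the decision is a plain function of the decoded token and the current time, it can be exercised with the stock `lua` interpreter before it is placed in the nginx configuration.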