当前位置：首页 > 技术文章 > 正文内容

Nginx鉴权，验证token

arlanguage4个月前 (12-25)技术文章33

背景

最近公司安全组给我们提了一个安全问题，说我们的静态资源图片没有做权限限制，拿到URL谁都可以访问，我们的静态资源都是由Nginx这个服务器直接做的映射，只有拿到对的URL确实可以随便访问，无奈，网上百度了下，问了下同事，那就做token验证吧，在有效期内验证通过才可以访问。
要做token验证，Nginx首先需要支持lua这个脚本语言。

Lua是一个嵌入式脚本语言，Lua由标准C编写而成，代码简洁优美，几乎在所有操作系统和平台上都可以编译，运行。一个完整的Lua解释器不过200k，在所有脚本引擎中，Lua的速度是最快的。这一切都决定了Lua是作为嵌入式脚本的最佳选择. 这个描述来着百度百科。https://baike.baidu.com/item/lua/7570719?fr=aladdin
我们的Nginx默认是不支持的Lua脚本的，需要重新编译安装。

1. 安装Lua

cd  /root/server/nginx2
wget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
tar xzvf LuaJIT-2.0.4.tar.gz
# 编译安装并指定安装目录
make install PREFIX=/root/server/install/luajit
# 建立一个软连接，虽然我也没明白为啥要这么做，但是不这么做，后面可能会报错
ln -s /root/server/install/luajit/lib/libluajit-5.1.so.2  /lib64/libluajit-5.1.so.2

安装完成之后，需要添加到环境变量中：

vim /etc/profile
export LUAJIT_LIB=/root/server/install/luajit/lib
export LUAJIT_INC=/root/server/install/luajit/include/luajit-2.0
# 是环境变量生效
source /etc/profile

2. 下载安装NDK

ngx_devel_kit简称NDK，提供函数和宏处理一些基本任务，减轻第三方模块开发的代码量。

wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
tar -zxvf v0.3.0.tar.gz

下载解压即可，无需安装，后面编译ng的时候指定到这个目录即可。

3. 下载Nginx的扩展模块 lua-nginx-module

 同样不需要编译，解压即可

wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz

tar -zxvf v0.10.9rc7.tar.gz

4. 下载安装Nginx

# 安装依赖
yum install -y openssl openssl-devel zlib zlib-devel pcre-devel
wget https://nginx.org/download/nginx-1.14.2.tar.gz
tar -zxvf nginx-1.14.2.tar.gz 
# 配置安装的目录，和前面提到的依赖模块，指定到自己下载的模块目录
./configure --prefix=/root/server/nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --add-module=/root/server/soft/lua-nginx-module-0.10.9rc7 --add-module=/root/server/soft/ngx_devel_kit-0.3.0 --with-stream

make
make install

到这儿nginx就安装完成了，启动下nginx就可以在浏览器输入ip和80端口就可以访问了。

5. 下载jwt模块

wget https://github.com/SkyLothar/lua-resty-jwt

这个实际上用到的只是里面的lib/rest这个里面的脚本文件，其他的要不要无所谓。

然后在nginx.conf配置jwt

 lua_package_path "/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/?.lua;;";
server {
        listen       80;
        server_name  localhost;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;
        location / {
            root   html;
            index  index.html index.htm;
        }
           location = /verify {
            default_type text/html;
            content_by_lua '
                 local cjson = require "cjson"
                local jwt = require "resty.jwt"

                local jwt_token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9" ..
                    ".eyJmb28iOiJiYXIifQ" ..
                    ".VAoRL1IU0nOguxURF2ZcKR0SGKE1gCbqwyh8u2MLAyY"
                local jwt_obj = jwt:verify("lua-resty-jwt", jwt_token)
                ngx.say(cjson.encode(jwt_obj))
            ';
        }

重启ng之后，你会发现是不行的，会有各种错误等着你，去error.log中

2022/06/13 09:53:37 [error] 45509#0: *1 lua entry thread aborted: runtime error: content_by_lua(nginx.conf:53):4: attempt to call field 'sya' (a nil value)
stack traceback:
coroutine 0:
        content_by_lua(nginx.conf:53): in function <content_by_lua(nginx.conf:53):1>, client: 192.168.78.1, server: localhost, request: "GET /lua_test HTTP/1.1", host: "192.168.78.103"
2022/06/13 10:05:27 [error] 45683#0: *1 lua entry thread aborted: runtime error: content_by_lua(nginx.conf:66):2: module 'cjson' not found:
        no field package.preload['cjson']
        no file '/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/cjson.lua'
        no file './cjson.lua'
        no file '/root/server/install/luajit/share/luajit-2.0.4/cjson.lua'
        no file '/usr/local/share/lua/5.1/cjson.lua'
        no file '/usr/local/share/lua/5.1/cjson/init.lua'
        no file '/root/server/install/luajit/share/lua/5.1/cjson.lua'
        no file '/root/server/install/luajit/share/lua/5.1/cjson/init.lua'
        no file './cjson.so'
        no file '/usr/local/lib/lua/5.1/cjson.so'
        no file '/root/server/install/luajit/lib/lua/5.1/cjson.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:

首先是cjon 找不到，所以这个时候你需要安装cjson，可以在这下载 https://download.csdn.net/download/u010741032/85676192，也可以去github去下载
下载好CJSON之后，需要编译，修改Makefile文件，将LUA_INCLUDE_DIR 改为lua安装的目录

LUA_VERSION =       luajit-2.0
TARGET =            cjson.so
PREFIX =            /root/server/install/luajit
#CFLAGS =            -g -Wall -pedantic -fno-inline
CFLAGS =            -O3 -Wall -pedantic -DNDEBUG
CJSON_CFLAGS =      -fpic
CJSON_LDFLAGS =     -shared
LUA_INCLUDE_DIR =   /root/server/install/luajit/include/luajit-2.0
LUA_CMODULE_DIR =   $(PREFIX)/lib/lua/$(LUA_VERSION)
LUA_MODULE_DIR =    $(PREFIX)/share/lua/$(LUA_VERSION)
LUA_BIN_DIR =       $(PREFIX)/bin

修改好之后，就可以编译了

[root@node03 lua-cjson-2.1.0]# make && make install
make: Nothing to be done for `all'.
mkdir -p //root/server/install/luajit/lib/lua/luajit-2.0
cp cjson.so //root/server/install/luajit/lib/lua/luajit-2.0
chmod 755 //root/server/install/luajit/lib/lua/luajit-2.0/cjson.so

编译安装之后会生成一个cjson.so文件，复制到了这个//root/server/install/luajit/lib/lua/luajit-2.0 目录下，
需要把这个添加到环境变量中去：

export LUA_CPATH=/root/server/install/luajit/lib/lua/luajit-2.0/?.so

source /etc/profile生效之后，再访问token，还是报错

        [C]: in function 'require'
        content_by_lua(nginx.conf:65):2: in function <content_by_lua(nginx.conf:65):1>, client: 192.168.78.1, server: localhost, request: "GET /verify HTTP/1.1", host: "192.168.78.103"
2022/06/13 12:11:58 [error] 55127#0: *1 open() "/root/server/nginx/html/verfiy" failed (2: No such file or directory), client: 192.168.78.1, server: localhost, request: "GET /verfiy HTTP/1.1", host: "192.168.78.103"
2022/06/13 12:12:10 [error] 55127#0: *1 lua entry thread aborted: runtime error: ...jit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/resty/jwt.lua:1: module 'cjson.safe' not found:
        no field package.preload['cjson.safe']
        no file '/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/cjson/safe.lua'
        no file './cjson/safe.lua'
        no file '/root/server/install/luajit/share/luajit-2.0.4/cjson/safe.lua'
        no file '/usr/local/share/lua/5.1/cjson/safe.lua'
        no file '/usr/local/share/lua/5.1/cjson/safe/init.lua'
        no file '/root/server/install/luajit/share/lua/5.1/cjson/safe.lua'
        no file '/root/server/install/luajit/share/lua/5.1/cjson/safe/init.lua'
        no file './cjson/safe.so'
        no file '/usr/local/lib/lua/5.1/cjson/safe.so'
        no file '/root/server/install/luajit/lib/lua/5.1/cjson/safe.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file './cjson.so'
        no file '/usr/local/lib/lua/5.1/cjson.so'
        no file '/root/server/install/luajit/lib/lua/5.1/cjson.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:

这个时候其实是缺少脚本文件了，缺少的是jwt依赖的文件

https://github.com/jkeys089/lua-resty-hmac/tree/master/lib/resty
https://github.com/openresty/lua-resty-string/tree/master/lib/resty

将这里面的lua文件copy到jwt的那个resty目录下，也可以直接下载jwt文件https://download.csdn.net/download/u010741032/85676043

所以需要的lua文件如下：

这个时候是可以的了。
现在我们就可以写我们的脚本了 nginx-jwt.lua

local jwt = require "resty.jwt"
local cjson = require "cjson"
--your secret
local secret = "5pil6aOO5YaN576O5Lmf5q+U5LiN5LiK5bCP6ZuF55qE56yR"

local M = {}

function M.auth(claim_specs)
    -- require Authorization request header
    local auth_header = ngx.var.http_Authorization

    if auth_header == nil then
        ngx.log(ngx.WARN, "No Authorization header")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    ngx.log(ngx.INFO, "Authorization: " .. auth_header)

    -- require Bearer token
    local _, _, token = string.find(auth_header, "Bearer%s+(.+)")

    if token == nil then
        ngx.log(ngx.WARN, "Missing token")
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    ngx.log(ngx.INFO, "Token: " .. token)

    local jwt_obj = jwt:verify(secret, token)
    if jwt_obj.verified == false then
        ngx.log(ngx.WARN, "Invalid token: ".. jwt_obj.reason)
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    ngx.log(ngx.INFO, "JWT: " .. cjson.encode(jwt_obj))

    -- write the uid variable
    ngx.var.uid = jwt_obj.payload.sub
end

return M

secret 这个秘钥需要转为base64即可。

然后配置nginx.con文件：

 lua_package_path "/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/?.lua;;";
server {
        listen       80;
        server_name  localhost;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;
        location / {
            root   html;
            index  index.html index.htm;
        }

       location /logo {
             access_by_lua_block {
        local obj = require('nginx-jwt')
        obj.auth()
      }
        root   /root/server/data/;
            index  index.html index.htm;
        }

6. openresty

这么安装实际上太麻烦了，可以直接用openresty 这个集成了各种库的软件来搞，因为它本身就已经集成了很多库，比如cjson，加解密模块sha256等，这么安装要简单的多：

wget https://openresty.org/download/openresty-1.19.3.1.tar.gz

//配置安装目录，
./configure  --prefix=/root/server/nginx/openresty
make
make install

然后再配置下jwt 就完了，简单得多了。

参考连接：

https://www.base64encode.org/
https://www.cnblogs.com/lgj8/p/12065909.html?share_token=60565328-6d91-473b-bd2c-67aabf8105eb
https://wiki.jikexueyuan.com/project/openresty/lua/class.html
https://github.com/SkyLothar/lua-resty-jwt/releases

扫描二维码推送至手机访问。

本文链接：http://www.arlanguage.com/post/436.html

标签: nginx下载模块

分享给朋友：

返回列表

上一篇：nginx使用geoIP模块实现不同国别后缀域名的跳转

下一篇：Nginx安装

AR编程网

Nginx鉴权，验证token

背景

1. 安装Lua

2. 下载安装NDK

3. 下载Nginx的扩展模块 lua-nginx-module

4. 下载安装Nginx

5. 下载jwt模块

6. openresty

“Nginx鉴权，验证token” 的相关文章

nginx -> frps -> frpc -> 内网服务器

docker安装php

网站nginx配置限制单个IP访问频率，预防DDOS恶意攻击

配置nginx代理grafana实现域名访问

Nginx负载均衡之ip hash与hash模块，弥补Round-Robin的缺陷

别让SSL证书暴露了你的网站服务器IP

滇ICP备2024046894号-3