最近公司安全组给我们提了一个安全问题,说我们的静态资源图片没有做权限限制,拿到URL谁都可以访问,我们的静态资源都是由Nginx这个服务器直接做的映射,只有拿到对的URL确实可以随便访问,无奈,网上百度了下,问了下同事,那就做token验证吧,在有效期内验证通过才可以访问。
要做token验证,Nginx首先需要支持lua这个脚本语言。
Lua是一个嵌入式脚本语言,Lua由标准C编写而成,代码简洁优美,几乎在所有操作系统和平台上都可以编译,运行。 一个完整的Lua解释器不过200k,在所有脚本引擎中,Lua的速度是最快的。这一切都决定了Lua是作为嵌入式脚本的最佳选择. 这个描述来着百度百科。https://baike.baidu.com/item/lua/7570719?fr=aladdin
我们的Nginx默认是不支持的Lua脚本的,需要重新编译安装。
cd /root/server/nginx2
wget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
tar xzvf LuaJIT-2.0.4.tar.gz
# 编译安装并指定安装目录
make install PREFIX=/root/server/install/luajit
# 建立一个软连接,虽然我也没明白为啥要这么做,但是不这么做,后面可能会报错
ln -s /root/server/install/luajit/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
安装完成之后,需要添加到环境变量中:
vim /etc/profile
export LUAJIT_LIB=/root/server/install/luajit/lib
export LUAJIT_INC=/root/server/install/luajit/include/luajit-2.0
# 是环境变量生效
source /etc/profile
ngx_devel_kit简称NDK,提供函数和宏处理一些基本任务,减轻第三方模块开发的代码量。
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
tar -zxvf v0.3.0.tar.gz
下载解压即可,无需安装,后面编译ng的时候指定到这个目录即可。
同样不需要编译,解压即可
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz
tar -zxvf v0.10.9rc7.tar.gz
# 安装依赖
yum install -y openssl openssl-devel zlib zlib-devel pcre-devel
wget https://nginx.org/download/nginx-1.14.2.tar.gz
tar -zxvf nginx-1.14.2.tar.gz
# 配置安装的目录,和前面提到的依赖模块,指定到自己下载的模块目录
./configure --prefix=/root/server/nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --add-module=/root/server/soft/lua-nginx-module-0.10.9rc7 --add-module=/root/server/soft/ngx_devel_kit-0.3.0 --with-stream
make
make install
到这儿nginx就安装完成了,启动下nginx就可以在浏览器输入ip和80端口就可以访问了。
wget https://github.com/SkyLothar/lua-resty-jwt
这个实际上用到的只是里面的lib/rest这个里面的脚本文件,其他的要不要无所谓。
然后在nginx.conf配置jwt
lua_package_path "/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/?.lua;;";
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
location = /verify {
default_type text/html;
content_by_lua '
local cjson = require "cjson"
local jwt = require "resty.jwt"
local jwt_token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9" ..
".eyJmb28iOiJiYXIifQ" ..
".VAoRL1IU0nOguxURF2ZcKR0SGKE1gCbqwyh8u2MLAyY"
local jwt_obj = jwt:verify("lua-resty-jwt", jwt_token)
ngx.say(cjson.encode(jwt_obj))
';
}
重启ng之后,你会发现是不行的,会有各种错误等着你,去error.log中
2022/06/13 09:53:37 [error] 45509#0: *1 lua entry thread aborted: runtime error: content_by_lua(nginx.conf:53):4: attempt to call field 'sya' (a nil value)
stack traceback:
coroutine 0:
content_by_lua(nginx.conf:53): in function , client: 192.168.78.1, server: localhost, request: "GET /lua_test HTTP/1.1", host: "192.168.78.103"
2022/06/13 10:05:27 [error] 45683#0: *1 lua entry thread aborted: runtime error: content_by_lua(nginx.conf:66):2: module 'cjson' not found:
no field package.preload['cjson']
no file '/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/cjson.lua'
no file './cjson.lua'
no file '/root/server/install/luajit/share/luajit-2.0.4/cjson.lua'
no file '/usr/local/share/lua/5.1/cjson.lua'
no file '/usr/local/share/lua/5.1/cjson/init.lua'
no file '/root/server/install/luajit/share/lua/5.1/cjson.lua'
no file '/root/server/install/luajit/share/lua/5.1/cjson/init.lua'
no file './cjson.so'
no file '/usr/local/lib/lua/5.1/cjson.so'
no file '/root/server/install/luajit/lib/lua/5.1/cjson.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:
首先是cjon 找不到,所以这个时候你需要安装cjson, 可以在这下载 https://download.csdn.net/download/u010741032/85676192,也可以去github去下载
下载好CJSON之后,需要编译,修改Makefile文件,将LUA_INCLUDE_DIR 改为lua安装的目录
LUA_VERSION = luajit-2.0
TARGET = cjson.so
PREFIX = /root/server/install/luajit
#CFLAGS = -g -Wall -pedantic -fno-inline
CFLAGS = -O3 -Wall -pedantic -DNDEBUG
CJSON_CFLAGS = -fpic
CJSON_LDFLAGS = -shared
LUA_INCLUDE_DIR = /root/server/install/luajit/include/luajit-2.0
LUA_CMODULE_DIR = $(PREFIX)/lib/lua/$(LUA_VERSION)
LUA_MODULE_DIR = $(PREFIX)/share/lua/$(LUA_VERSION)
LUA_BIN_DIR = $(PREFIX)/bin
修改好之后,就可以编译了
[root@node03 lua-cjson-2.1.0]# make && make install
make: Nothing to be done for `all'.
mkdir -p //root/server/install/luajit/lib/lua/luajit-2.0
cp cjson.so //root/server/install/luajit/lib/lua/luajit-2.0
chmod 755 //root/server/install/luajit/lib/lua/luajit-2.0/cjson.so
编译安装之后会生成一个cjson.so文件,复制到了这个//root/server/install/luajit/lib/lua/luajit-2.0 目录下,
需要把这个添加到环境变量中去:
export LUA_CPATH=/root/server/install/luajit/lib/lua/luajit-2.0/?.so
source /etc/profile生效之后,再访问token,还是报错
[C]: in function 'require'
content_by_lua(nginx.conf:65):2: in function , client: 192.168.78.1, server: localhost, request: "GET /verify HTTP/1.1", host: "192.168.78.103"
2022/06/13 12:11:58 [error] 55127#0: *1 open() "/root/server/nginx/html/verfiy" failed (2: No such file or directory), client: 192.168.78.1, server: localhost, request: "GET /verfiy HTTP/1.1", host: "192.168.78.103"
2022/06/13 12:12:10 [error] 55127#0: *1 lua entry thread aborted: runtime error: ...jit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/resty/jwt.lua:1: module 'cjson.safe' not found:
no field package.preload['cjson.safe']
no file '/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/cjson/safe.lua'
no file './cjson/safe.lua'
no file '/root/server/install/luajit/share/luajit-2.0.4/cjson/safe.lua'
no file '/usr/local/share/lua/5.1/cjson/safe.lua'
no file '/usr/local/share/lua/5.1/cjson/safe/init.lua'
no file '/root/server/install/luajit/share/lua/5.1/cjson/safe.lua'
no file '/root/server/install/luajit/share/lua/5.1/cjson/safe/init.lua'
no file './cjson/safe.so'
no file '/usr/local/lib/lua/5.1/cjson/safe.so'
no file '/root/server/install/luajit/lib/lua/5.1/cjson/safe.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './cjson.so'
no file '/usr/local/lib/lua/5.1/cjson.so'
no file '/root/server/install/luajit/lib/lua/5.1/cjson.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:
这个时候其实是缺少脚本文件了,缺少的是jwt依赖的文件
https://github.com/jkeys089/lua-resty-hmac/tree/master/lib/resty
https://github.com/openresty/lua-resty-string/tree/master/lib/resty
将这里面的lua文件copy到jwt的那个resty目录下,也可以直接下载jwt文件https://download.csdn.net/download/u010741032/85676043
所以需要的lua文件如下:
这个时候是可以的了。
现在我们就可以写我们的脚本了 nginx-jwt.lua
local jwt = require "resty.jwt"
local cjson = require "cjson"
--your secret
local secret = "5pil6aOO5YaN576O5Lmf5q+U5LiN5LiK5bCP6ZuF55qE56yR"
local M = {}
function M.auth(claim_specs)
-- require Authorization request header
local auth_header = ngx.var.http_Authorization
if auth_header == nil then
ngx.log(ngx.WARN, "No Authorization header")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
ngx.log(ngx.INFO, "Authorization: " .. auth_header)
-- require Bearer token
local _, _, token = string.find(auth_header, "Bearer%s+(.+)")
if token == nil then
ngx.log(ngx.WARN, "Missing token")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
ngx.log(ngx.INFO, "Token: " .. token)
local jwt_obj = jwt:verify(secret, token)
if jwt_obj.verified == false then
ngx.log(ngx.WARN, "Invalid token: ".. jwt_obj.reason)
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
ngx.log(ngx.INFO, "JWT: " .. cjson.encode(jwt_obj))
-- write the uid variable
ngx.var.uid = jwt_obj.payload.sub
end
return M
secret 这个秘钥需要转为base64即可。
然后配置nginx.con文件:
lua_package_path "/root/server/install/luajit/share/lua/5.1/lua-resty-jwt-0.1.11/lib/?.lua;;";
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
location /logo {
access_by_lua_block {
local obj = require('nginx-jwt')
obj.auth()
}
root /root/server/data/;
index index.html index.htm;
}
这么安装实际上太麻烦了,可以直接用openresty 这个集成了各种库的软件来搞,因为它本身就已经集成了很多库,比如cjson,加解密模块sha256等,这么安装要简单的多:
wget https://openresty.org/download/openresty-1.19.3.1.tar.gz
//配置安装目录,
./configure --prefix=/root/server/nginx/openresty
make
make install
然后再配置下jwt 就完了,简单得多了。
参考连接:
https://www.base64encode.org/
https://www.cnblogs.com/lgj8/p/12065909.html?share_token=60565328-6d91-473b-bd2c-67aabf8105eb
https://wiki.jikexueyuan.com/project/openresty/lua/class.html
https://github.com/SkyLothar/lua-resty-jwt/releases
| 留言与评论(共有 0 条评论) “” |
