If you are new to OpenResty, you may want to read this introductory article first: Overview of Openresty
When requests go through a proxy, you may need to verify a token before allowing access. The token verification code lives in a Lua script file that is hooked into the request through the access_by_lua_file directive. The script intercepts the request, obtains the token, verifies it, and performs custom handling depending on whether verification passes.
Implementing JWT token verification with OpenResty requires the following steps:
- Write Lua script files to achieve token acquisition and verification
- Add dependent library source files to the lualib directory
- Copy the Lua code file to the target path
- Modify the nginx.conf file to enable token acquisition and verification
1. Write lua script file
The script file reads the token from the request header and then calls a function to verify it. We name the Lua file access.lua. The source code is as follows:
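local jwt = require "resty.jwt"
local cjson = require "cjson"

-- Secret key; must be the same key that was used to generate the tokens
local secret = "token secret key"

-- JSON body returned when authentication fails
local retdata = {
    code = ngx.HTTP_UNAUTHORIZED,
    message = "token验证失败",  -- "token verification failed"
    data = {}
}

-- Read the token from the "Auth" request header
local auth_header = ngx.req.get_headers()["Auth"]
--ngx.log(ngx.INFO, "auth_header = ", auth_header)
if auth_header == nil then
    ngx.log(ngx.ERR, "No Auth header")
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.header["Content-Type"] = "application/json; charset=utf-8"
    local output = cjson.encode(retdata)
    ngx.say(output)
    -- Exit with the 401 status. ngx.exit(0) only ends the access phase,
    -- so the request would still continue to proxy_pass.
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Verify the token with the secret key
local jwt_obj = jwt:verify(secret, auth_header)
if not jwt_obj.verified then
    -- Pass reason as a separate argument so a nil reason does not raise an error
    ngx.log(ngx.ERR, "Invalid token: ", jwt_obj.reason)
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.header["Content-Type"] = "application/json; charset=utf-8"
    local output = cjson.encode(retdata)
    ngx.say(output)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end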
As the code above shows, we require the jwt module and then define a secret variable. This variable is the secret key used to generate tokens with jwt. The secret keys for generating and verifying tokens must be the same, otherwise the token will not verify. The code then reads the token from the request header named Auth. You can change this header name at will, as long as it is used consistently. If the header cannot be obtained, the script directly returns an authentication failure. If it is obtained, the next step verifies the validity of the token; if verification fails, token authentication failure information is returned as well.
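A stricter variant of the script above, as an added example that is not the article's own code: it makes the exp claim mandatory through resty.jwt-validators (the jwt-validators.lua file among the dependencies), rejects a missing or repeated Auth header, and pins the signing algorithm. The HS256 choice, the `reject` helper and the English message text are assumptions.

```lua
-- access.lua variant (added example, not the article's code)
local jwt        = require "resty.jwt"
local validators = require "resty.jwt-validators"
local cjson      = require "cjson"

local secret       = "token secret key"  -- placeholder, as in the article
local expected_alg = "HS256"             -- assumption: tokens are HMAC-SHA256 signed

-- Log the reason server-side, send a generic 401 JSON body, end the request.
local function reject(reason)
    ngx.log(ngx.WARN, "JWT rejected: ", reason)
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.header["Content-Type"] = "application/json; charset=utf-8"
    ngx.say(cjson.encode({
        code    = ngx.HTTP_UNAUTHORIZED,
        message = "token verification failed",
        data    = {},
    }))
    -- A status >= 200 terminates the request; ngx.exit(0) would only leave
    -- the access phase and let proxy_pass run.
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

local token = ngx.req.get_headers()["Auth"]
-- nil when the header is absent, a table when it was sent more than once.
if type(token) ~= "string" then
    return reject("missing or repeated Auth header")
end

-- exp must be present and still in the future.
local claim_spec = { exp = validators.is_not_expired() }

local jwt_obj = jwt:verify(secret, token, claim_spec)
if not jwt_obj.verified then
    return reject(jwt_obj.reason)
end

-- Accept only the algorithm the token issuer is expected to use.
if type(jwt_obj.header) ~= "table" or jwt_obj.header.alg ~= expected_alg then
    return reject("unexpected signing algorithm")
end
-- Falling through lets the request continue to proxy_pass.
```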
2. Add dependent library source files to the lualib directory
At run time, OpenResty may report that the jwt dependency library is missing. In that case, copy the following four files to the /usr/local/openresty/lualib/resty directory:
evp.lua
hmac.lua
jwt-validators.lua
jwt.lua
Since there is a lot of code, I packaged it into a compressed file, which you can get here: resty.jwt dependency library download address
3. Copy the lua code file
Copy the access.lua file you wrote to the path /usr/local/openresty/nginx/lua/. If the path does not exist, create it.
4. Modify the nginx.conf file
Modify the nginx.conf file as follows to enable token acquisition and verification.
#user nobody;
worker_processes 1;
error_log logs/error.log error;
error_log logs/error.log notice;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # access_log logs/access.log main;
    # error_log logs/error.log error;
    lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/lua/?.lua;";
    lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    proxy_connect_timeout 3s;
    #gzip on;
    # HTTPS server
    server {
        listen 80;
        server_name localhost;
        location / {
            access_by_lua_file lua/access.lua;
            # Set the proxy destination URL variable
            proxy_pass https://127.0.0.1;
        }
    }
}
The two lines that matter are:
lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/lua/?.lua;";
and
access_by_lua_file lua/access.lua;
The first line adds the path of the Lua code. The second line specifies that all requests pass through the access.lua file, which contains the code shown earlier: it obtains the token from the header and then verifies it. With this, the Lua code completes the JWT token verification function.