So is "rewrite_by_lua" also evil?

Nginx User nginx at
Wed Oct 12 04:12:33 UTC 2011

On 12 October 2011 03:15, agentzh <agentzh at> wrote:
> On Wed, Oct 12, 2011 at 12:03 AM, Nginx User <nginx at> wrote:
>> Anyway, when I have the following (simplified) in firewall.default ....
>> if ($http_user_agent ~* libwww ) {
>>        return 403;
>> }
>> ... everything is fine. When a php request is made, libwww user agents
>> are denied and others get the php output.
> You're using the "~*" operator here and that means "case insensitive
> match", see
>> When I use the following (simplified) rewrite_by_lua equivalent instead ....
>> rewrite_by_lua '
>>        if ngx.var.http_user_agent == "libwww" then
>>                ngx.exit(ngx.HTTP_FORBIDDEN)
>>        end
>> ';
> Note that you're using "==" here in Lua which is exact string comparison :)
It is a simplified config. I actually run lua's string.find first and
test for a hit.
I know with the "i" modifier would be better but it does
not work ... maybe I need to update lua module version. I thought I'll
look into that later.
Anyway, the exact implementation will cause the "if" block to be skipped.

>> The php file is downloaded. Obviously I don't have the "libwww" when
>> testing so I suppose the lua "if" block is skipped at which point the
>> physical php file is found and sent to the user as is and the
>> proxy_pass directive is not run.
> Which version of ngx_lua are you using? Please show me your "nginx -V"
> output? And which OS are you using? I've tested your example with
> ngx_lua git master HEAD on Slackware Linux x86_64 and do not have any
> issues :)

Centos 5.7 i386.
lua module is 0.2.0

nginx: nginx version: nginx/1.0.6
nginx: built by gcc 4.1.2 20080704 (Red Hat 4.1.2-50)
nginx: TLS SNI support disabled
nginx: configure arguments: --user=nginx --group=nginx
--prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
--pid-path=/var/run/ --lock-path=/var/lock/subsys/nginx
--with-http_ssl_module --with-http_realip_module
--with-http_stub_status_module --with-http_perl_module --with-mail
--with-mail_ssl_module --with-cc-opt='-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
--without-http_autoindex_module --without-http_empty_gif_module
--without-http_memcached_module --without-http_scgi_module
--without-http_split_clients_module --without-http_ssi_module
--without-http_upstream_ip_hash_module --without-http_uwsgi_module

> Also, enabling --with-debug in your nginx build and show me the
> relevant sections of your error.log on the debug error log level will
> be helpful too :)

I'll get this later.


More information about the nginx mailing list