Advise to develop a rights-control module

agentzh agentzh at gmail.com
Sat Sep 17 05:48:50 UTC 2011


On Fri, Sep 16, 2011 at 11:17 PM, Legrand Jérémie
<jeremie.legrand at atos.net> wrote:
> I need to develop a module that  check the rights of an user regarding to
> URI parameters.
> User is allowed : I send the request to backend server with proxy_pass
>
> User is not allowed : I need to generate a body response displaying
> information about the error.
>

I think this is a perfect use case for the ngx_lua module
(http://wiki.nginx.org/HttpLuaModule ). See the following example:

    location / {
        access_by_lua '
            if ngx.var.arg_foo == "BAD" then
                ngx.status = 403
                ngx.print("you are not allowed due to bad foo param:
", ngx.var.arg_foo)
                ngx.exit(ngx.HTTP_OK)
            end
        ';

        proxy_pass http://...;
    }

We first check if the URI parameter "foo" equals to "BAD", if yes,
just emit a 403 error page with custom response body and exit the
whole request processing process. Otherwise, we just quit the access
phase and continue to proxy_pass as usual. If your validation logic is
so complicated that must be done in C, then you can write a simple Lua
C module (or just LuaJIT's excellent FFI feature).

If you insist in rolling out your own Nginx C module, you can just
take a look at how ngx_lua handles these behind the scene.

>
> This module should be like access and auth_basic module launched during the
> NGX_HTTP_ACCESS_PHASE but in this phase I can’t send a body response.
>

No, you can surely send response and short-circuit request processing
in the access phase, as demonstrated above :)

Regards,
-agentzh



More information about the nginx-devel mailing list