client certificates

Igor Sysoev is at rambler-co.ru
Thu Dec 28 14:36:02 MSK 2006


On Thu, 28 Dec 2006, Aleksandar Lazic wrote:

> I want to use some client certificates to act with my application user
> db.
>
> What I think is like this:
>
> ---
> perl_set $pass MyAuthCheck;
>
> location / {
>   if ($pass) {
>     .
>     fastcgi_pass ...
>     .
>   }
>   return 403;
> }
> ---
> MyAuthCheck(pseudo code):
> ---
> .
> .
> if( select user from $DB where USER = mysql_quote($ssl_client_s_dn) ||
>   select user from $DB where USER = mysql_quote($ssl_client_i_dn)){
> .
> .
> return OK;
> }else {
> .
> .
> return DECLINED;
> }
> ---
>
> Is it possible to get the
>
> http://wiki.codemongers.com/NginxHttpSslModule
> => variables at the bottom of the site into perl?

Yes, since 0.4.12 you can use

     my $ssl_client_s_dn = $r->variable("ssl_client_s_dn");

> As far as I have understood the perl-module there is the same problem as
> in lighty with lua:
>
> http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet#overview
>
> ---
> Keep in mind that the magnet is executed in the core of lighty. EVERY
> long-running operation is blocking ALL connections in the server.
> ---
>
> Is this assumption right?

Yes, you are right and this is documented in
http://wiki.codemongers.com/NginxEmbeddedPerlModule

---
2. If a Perl module performs protracted operation, (for example DNS
    lookups, database queries, etc), then the process that is running
    the Perl script is completely tied up for the duration of script.
    Therefore embedded Perl scripts should be extremely careful to limit
    themselves to short, predictable operations.
---

Since 0.5.3 the ngx_http_perl_module supports

    $r->sleep(milliseconds, \&continuation_handler);

to delay Perl processing and return control to nginx:

     package hello;

     use nginx;

     sub handler {
         my $r = shift;

         $r->variable("var", "OK");
         $r->sleep(1000, \&next);

         return OK;
     }

     sub next {
         my $r = shift;

         $r->send_http_header;
         $r->print($r->variable("var"));

         return OK;
     }

     1;

     __END__


I plan to add such non-blocking continuation Perl interfaces to DNS
and MySQL. Some part of the MySQL code was even written in May 2006, but
now it is frozen.

However, the main problem with "perl_set $pass MyAuthCheck;" is that
currently nginx variables do not support a non-blocking interface.
I plan to add it too.


Igor Sysoev
http://sysoev.ru/en/
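
An added example, not code from this thread or from nginx: a perl_set handler that keeps to the "short, predictable operations" rule quoted above by replacing the per-request database query with an in-memory lookup of the subject DN read through $r->variable. The package and function names, the DN values and the mock request object are assumptions constructed for illustration.

```perl
package MyAuthCheck;   # hypothetical module name, borrowed from the question

use strict;
use warnings;

# Constructed sample subject DNs. In a deployment this hash would be
# filled once at worker start from an export of the user DB, so that no
# query runs while a request is being processed.
my %allowed_dn = map { $_ => 1 } (
    '/C=AT/O=Example Org/CN=alice',
    '/C=AT/O=Example Org/CN=bob',
);

# Pure lookup: exact match on the full subject DN, nothing else.
# A missing or empty DN (no client certificate) is always rejected.
sub dn_allowed {
    my ($dn) = @_;
    return 0 unless defined $dn && length $dn;
    return exists $allowed_dn{$dn} ? 1 : 0;
}

# perl_set handler: nginx uses the returned string as the variable value.
# "" is false in an nginx "if", "1" is true.
sub handler {
    my $r = shift;
    return dn_allowed($r->variable('ssl_client_s_dn')) ? '1' : '';
}

# Stand-alone check with a mock request object (not part of nginx).
unless (caller) {
    package MockRequest;
    sub new      { my ($c, %v) = @_; return bless {%v}, $c }
    sub variable { return $_[0]{ $_[1] } }

    package main;
    for my $dn ('/C=AT/O=Example Org/CN=alice',
                '/C=AT/O=Example Org/CN=mallory',
                undef) {
        my $r = MockRequest->new(ssl_client_s_dn => $dn);
        printf "%-34s -> pass=%s\n", $dn // '(no certificate)',
            MyAuthCheck::handler($r) ? '1' : '""';
    }
}

1;
```

Under nginx the handler would be referenced as "perl_set $pass MyAuthCheck::handler;" after the module is loaded with perl_require.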
