So is "rewrite_by_lua" also evil?

Nginx User nginx at nginxuser.net
Wed Oct 12 04:12:33 UTC 2011


Hi
On 12 October 2011 03:15, agentzh <agentzh at gmail.com> wrote:
> On Wed, Oct 12, 2011 at 12:03 AM, Nginx User <nginx at nginxuser.net> wrote:
>> Anyway, when I have the following (simplified) in firewall.default ....
>>
>> if ($http_user_agent ~* libwww ) {
>>        return 403;
>> }
>>
>> ... everything is fine. When a php request is made, libwww user agents
>> are denied and others get the php output.
>>
>
> You're using the "~*" operator here and that means "case insensitive
> match", see http://wiki.nginx.org/HttpCoreModule#location
>
>> When I use the following (simplified) rewrite_by_lua equivalent instead ....
>>
>> rewrite_by_lua '
>>        if ngx.var.http_user_agent == "libwww" then
>>                ngx.exit(ngx.HTTP_FORBIDDEN)
>>        end
>> ';
>>
>
> Note that you're using "==" here in Lua which is exact string comparison :)
>
It is a simplified config. I actually run Lua's string.find first and
test for a hit.
I know ngx.re.match with the "i" modifier would be better but it does
not work ... maybe I need to update the lua module version. I thought I'd
look into that later.
Anyway, the exact implementation will cause the "if" block to be skipped.

>> The php file is downloaded. Obviously I don't have the "libwww" when
>> testing so I suppose the lua "if" block is skipped at which point the
>> physical php file is found and sent to the user as is and the
>> proxy_pass directive is not run.
>>
>
> Which version of ngx_lua are you using? Please show me your "nginx -V"
> output? And which OS are you using? I've tested your example with
> ngx_lua git master HEAD on Slackware Linux x86_64 and do not have any
> issues :)

CentOS 5.7 i386.
lua module is 0.2.0

nginx: nginx version: nginx/1.0.6
nginx: built by gcc 4.1.2 20080704 (Red Hat 4.1.2-50)
nginx: TLS SNI support disabled
nginx: configure arguments: --user=nginx --group=nginx
--prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx
--with-http_ssl_module --with-http_realip_module
--with-http_stub_status_module --with-http_perl_module --with-mail
--with-mail_ssl_module --with-cc-opt='-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables'
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/nginx-upstream-fair
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/ngx_cache_purge-1.3
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/ngx-headers-more
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/ngx-devel-kit
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/ngx-echo-module
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/ngx-lua-module
--add-module=/usr/src/redhat/BUILD/nginx-1.0.6/ngx_auth_request-module
--without-http_autoindex_module --without-http_empty_gif_module
--without-http_memcached_module --without-http_scgi_module
--without-http_split_clients_module --without-http_ssi_module
--without-http_upstream_ip_hash_module --without-http_uwsgi_module

>
> Also, enabling --with-debug in your nginx build and show me the
> relevant sections of your error.log on the debug error log level will
> be helpful too :)

I'll get this later.

Thanks
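
An added example, not part of the original message and not ngx_lua's own code: a case-insensitive substring check in plain Lua that behaves like the `~* libwww` test discussed above, using string.find instead of ngx.re.match. The names `ua_denied`, `DENY` and `samples` are hypothetical, and the User-Agent values are constructed.

```lua
-- Runs with a plain `lua` interpreter; no nginx required.

-- Substrings to deny ("libwww" is the one from the thread).
local DENY = { "libwww" }

-- Returns true when the User-Agent contains any denied substring,
-- compared case-insensitively like nginx's "~*" operator.
local function ua_denied(ua, deny)
    -- ngx.var.http_user_agent is nil when the header is absent, and
    -- string.find(nil, ...) raises an error. Assumption: a missing
    -- header is allowed, as the nginx "if" regex would not match it.
    if ua == nil or ua == "" then
        return false
    end
    local lowered = string.lower(ua)
    for _, needle in ipairs(deny) do
        -- Fourth argument true = plain find, so "." or "-" in a needle
        -- is matched literally instead of as a Lua pattern character.
        if string.find(lowered, string.lower(needle), 1, true) then
            return true
        end
    end
    return false
end

-- Constructed sample User-Agent values with the expected decision.
local samples = {
    { "libwww-perl/5.805", true },   -- "==" against "libwww" misses this
    { "Mozilla/5.0 (compatible; LibWWW)", true },
    { "libwww", true },
    { "Mozilla/5.0 (X11; Linux i686)", false },
    { nil, false },                  -- header absent
}

for _, s in ipairs(samples) do
    local got = ua_denied(s[1], DENY)
    assert(got == s[2], "unexpected result for " .. tostring(s[1]))
    print(tostring(s[1]), got)
end

-- Inside rewrite_by_lua the call would be:
--   if ua_denied(ngx.var.http_user_agent, DENY) then
--       ngx.exit(ngx.HTTP_FORBIDDEN)
--   end
```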


