1

I have an nginx server which I am using as a forward proxy. I want to add a layer of authentication to the architecture and I am using Lua for the same.

I am using https://github.com/bungle/lua-resty-session module to enable session in lua.

local session = require "resty.session".open{ cookie = { domain =  cookie_domain } }
-- Read some data
if session.present then
   ngx.log(ngx.ERR, "Session -- "..session.id)
end
if not session.started then 
   session:start()
   ngx.log(ngx.ERR, "Started -- ")
end

After each request received on the server, I get the log message

Started --

Server configuration:

server {
        listen 80;
        server_name {SERVER_IP};
        # tons of pagespeed configuration
        location / {
                #basic authentication
                ##auth_basic "Restricted";
                ##auth_basic_user_file {PATH_FOR_HTPASS_FILE};
                access_by_lua_file {PATH_FOR_LUA_FILE};

                # cache name
                proxy_cache browser_cache;

                resolver 8.8.8.8;
                # app1 reverse proxy follow
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://$http_host$uri$is_args$args;
        }
}

The only issue I see is the cookie_domain: the server does not have a domain pointed at it, and I am passing the IP address of the server as cookie_domain. I am not able to figure out the cause of the issue.

2 Answers

3

I am the author of that component. I will give you a few answers. First answer: the reason you always get Started -- logged is that session.started will only be set to true if you start the session. Here you only open the session. So the line:

if not session.started then ... end

will always be true.

open and start are different in the sense that open will not try to renew the cookie if it is about to expire. And open will not start a new session if one is not present (session.present). Basically you use open only when you don't want to auto-renew cookies, and you want only read-only access to it.

I will shortly answer what may cause the problem with reconnecting the session (I suspect that the client may not send the cookie back, and it may be because of some cookie attributes; have you tried not specifying domain?).


4 Comments

Hi @bungle, I guess the issue is sorted. Here is the final piece of code which worked: local session = session or require "resty.session".start{ secret = "7A7mLtj97p4658r2KahQ6A48awHG2b9d" }. But I am stuck with setting and retrieving a session variable. I am looking into it! Thanks a lot.
I don't know what that piece does as I don't see all code. What is that: session or ... ? You may set session variable with session.data.variable = "value".
Actually I saw a piece of code in Lua which uses the variable directly from memory instead of re-assigning it: local session = session or require "resty.session".start{ secret = "7A7mLtj97p4658r2KahQ6A48awHG2b9d" }. Secondly, I am through with the session variable issue as well. Thanks!
Oh, okay, a global Lua variable to prevent calling start twice, or something.
1

Example Nginx Config:

server {
    listen 8090;
    server_name 127.0.0.1;
    location / {
        access_by_lua_block {
            local session = require "resty.session".open{
                cookie = { domain = "127.0.0.1" }
            }
            if session.present then
                ngx.log(ngx.ERR, "Session -- " .. ngx.encode_base64(session.id))
            else
                session:start()
                ngx.log(ngx.ERR, "Started -- " .. ngx.encode_base64(session.id))
            end
        }
        content_by_lua_block {
            ngx.say "Hello"
        }
    }
}

Now open a browser with url http://127.0.0.1:8090/.

Server will send you this header:

Set-Cookie:
       session=acYmlSsZsK8pk5dPMu8Cow..|
       1489250635|
       lXibGK3hmR1JLPG61IOsdA..|
       RdUK16cMz6c3tDGjonNahFUCpyY.;
       Domain=127.0.0.1;
       Path=/;
       SameSite=Lax;
       HttpOnly

And this will be logged in your Nginx error.log:

2017/03/11 17:43:55 [error] 1100#0: *2
[lua] access_by_lua(nginx.conf:21):7:
Started -- acYmlSsZsK8pk5dPMu8Cow==,
client: 127.0.0.1,
server: 127.0.0.1,
request: "GET / HTTP/1.1",
host: "127.0.0.1:8090"

Just what we wanted. Now refresh the browser by going to same url (F5 on Windows, CMD-R on Mac). Now the client will send this header to the server:

Cookie: session=acYmlSsZsK8pk5dPMu8Cow..|
      1489250635|
      lXibGK3hmR1JLPG61IOsdA..|
      RdUK16cMz6c3tDGjonNahFUCpyY.

Everything still just fine. And this gets logged to Nginx error.log:

2017/03/11 17:51:44 [error] 1100#0: *3
[lua] access_by_lua(nginx.conf:21):4:
Session -- acYmlSsZsK8pk5dPMu8Cow==,
client: 127.0.0.1,
server: 127.0.0.1,
request: "GET / HTTP/1.1",
host: "127.0.0.1:8090"

See, it didn't log the Started here.

Please also read this: https://github.com/bungle/lua-resty-session#notes-about-turning-lua-code-cache-off

If you have lua_code_cache off; then you need to set the secret, otherwise a different secret will be regenerated on every request, and that means that we will never be able to attach to a previously opened session, which means Started will be logged on every request.

One additional note:

In general you shouldn't set the domain if you are accessing (single) IP address, because, well, browsers will by default send the cookies back only to that same IP address, which means that it doesn't really matter to pass domain argument in a cookie.
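The `lua_code_cache off` behaviour described in this answer, as an added Python model (not part of the original answer and not lua-resty-session's own code). The `Worker` class, the `replay` helper and the HMAC-SHA1 signature over the first three cookie fields are assumptions made for illustration; the fixed secret is a constructed value.

```python
import base64
import hashlib
import hmac
import os
import time


def enc(raw):
    # URL-safe base64 with "." instead of "=" padding, as in the cookie above.
    return base64.urlsafe_b64encode(raw).decode().replace("=", ".")


def sign(secret, fields):
    # Assumed scheme: HMAC-SHA1 over "id|expires|data".
    return enc(hmac.new(secret, "|".join(fields).encode(), hashlib.sha1).digest())


class Worker:
    """Hypothetical model of one nginx worker using the session module."""

    def __init__(self, code_cache=True, secret=None):
        self.code_cache = code_cache
        self.configured = secret          # explicit secret, if one is set
        self.generated = os.urandom(32)   # default secret made at module load

    def secret(self):
        if self.configured:
            return self.configured
        if not self.code_cache:
            # Module is reloaded per request, so the default secret changes.
            self.generated = os.urandom(32)
        return self.generated

    def handle(self, cookie):
        """Return (log message, cookie value the client holds afterwards)."""
        secret = self.secret()
        if cookie:
            parts = cookie.split("|")
            if (len(parts) == 4 and int(parts[1]) > time.time()
                    and hmac.compare_digest(sign(secret, parts[:3]), parts[3])):
                return "Session -- " + parts[0], cookie
        fields = [enc(os.urandom(16)), str(int(time.time()) + 3600), enc(b"{}")]
        return "Started -- " + fields[0], "|".join(fields + [sign(secret, fields)])


def replay(worker, requests=3):
    """One client sends `requests` requests, always returning its cookie."""
    cookie, log = None, []
    for _ in range(requests):
        message, cookie = worker.handle(cookie)
        log.append(message.split(" -- ")[0])
    return log
```

With the code cache off and no explicit secret, `replay` reports `Started` for every request even though the client returns the cookie each time; supplying a fixed secret restores `Session` from the second request on.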
