- config: 反向代理、缓存、负载均衡、安全、SSL 等配置模板 - lua: API 网关、认证、动态路由、限流、WebSocket 等脚本示例 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
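# Authentication example - NGINX configuration
#
# Shows how to integrate JWT validation and Basic Auth in Nginx/OpenResty.
#
# Review notes on this revision:
#  * Every Lua-built JSON body now goes through cjson.encode. The previous
#    version concatenated attacker-influenced values (the JWT "sub" claim, the
#    Basic Auth user name) straight into a JSON string, which breaks the
#    response or lets a crafted claim inject extra JSON fields.
#  * Handlers fail closed (HTTP 500) when the access phase did not leave the
#    expected context behind, instead of raising a Lua error or answering "ok".
#  * Scenario 4 previously only checked that two headers were *present*
#    (no password check, no JWT signature check), i.e. an authentication bypass.

http {
    # Shared memory zone (for rate limiting and similar use cases)
    lua_shared_dict auth_cache 10m;

    server {
        listen 8080;
        server_name localhost;

        # ==========================================
        # Scenario 1: endpoint protected by JWT validation
        # ==========================================
        location /api/secure {
            # jwt_validate.lua must ngx.exit() on failure and, on success,
            # store the decoded payload in ngx.ctx.jwt_payload.
            access_by_lua_file /path/to/auth/jwt_validate.lua;

            content_by_lua_block {
                local cjson = require "cjson.safe"
                local payload = ngx.ctx.jwt_payload

                -- Fail closed: reaching the content phase without a payload
                -- means the access handler did not run as configured.
                if type(payload) ~= "table" then
                    ngx.log(ngx.ERR, "/api/secure: ngx.ctx.jwt_payload missing after access phase")
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                local body = { status = "ok" }
                local sub = payload.sub
                -- "sub" is client-controlled text: encode it, never concatenate it.
                if type(sub) == "string" or type(sub) == "number" then
                    body.user = tostring(sub)
                end

                ngx.header["Content-Type"] = "application/json"
                ngx.say(cjson.encode(body))
            }
        }

        # ==========================================
        # Scenario 2: endpoint protected by Basic Auth
        # ==========================================
        location /api/admin {
            # basic_auth.lua must ngx.exit() on failure and, on success,
            # store the authenticated user name in ngx.ctx.auth_user.
            access_by_lua_file /path/to/auth/basic_auth.lua;

            content_by_lua_block {
                local cjson = require "cjson.safe"
                local user = ngx.ctx.auth_user

                -- The old code concatenated `user` unconditionally and raised a
                -- Lua error (HTTP 500 with a stack trace in the error log) when
                -- the access handler had not set it. Fail closed explicitly.
                if type(user) ~= "string" or user == "" then
                    ngx.log(ngx.ERR, "/api/admin: ngx.ctx.auth_user missing after access phase")
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                ngx.header["Content-Type"] = "application/json"
                ngx.say(cjson.encode({ status = "ok", admin = user }))
            }
        }

        # ==========================================
        # Scenario 3: public endpoint (no authentication)
        # ==========================================
        location /api/public {
            content_by_lua_block {
                ngx.header["Content-Type"] = "application/json"
                ngx.say('{"status": "ok", "message": "public endpoint"}')
            }
        }

        # ==========================================
        # Scenario 4: combined authentication (Basic Auth + JWT)
        # Both checks must pass.
        # ==========================================
        # OpenResty accepts a single access_by_lua* directive per location, so
        # the Basic Auth half is delegated to nginx's core auth_basic module and
        # the JWT half to the existing Lua validator. The Lua access handler is
        # registered to run after the core access-phase modules, so auth_basic
        # rejects bad credentials (401 + WWW-Authenticate) before the JWT is
        # ever looked at.
        location /api/super-secure {
            auth_basic           "Super Secure API";
            # htpasswd-style file with hashed passwords (e.g. apr1 via htpasswd),
            # never plaintext; keep it outside the document root.
            auth_basic_user_file /path/to/auth/htpasswd;

            # The Authorization header is occupied by the Basic credentials, so
            # the JWT has to travel in a separate header (X-JWT-Token).
            # NOTE(review): confirm jwt_validate.lua reads X-JWT-Token here; if it
            # only looks at "Authorization: Bearer ...", every request to this
            # location will be rejected.
            access_by_lua_file /path/to/auth/jwt_validate.lua;

            content_by_lua_block {
                local cjson = require "cjson.safe"
                ngx.header["Content-Type"] = "application/json"
                ngx.say(cjson.encode({ status = "ok", message = "both auth passed" }))
            }
        }

        # ==========================================
        # Health check endpoint
        # ==========================================
        location /health {
            access_log off;
            # default_type sets the Content-Type of the `return` body; add_header
            # would append a second Content-Type next to nginx's default text/plain.
            default_type application/json;
            return 200 '{"status": "healthy"}';
        }
    }
}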