From 96149f51bea0acaa2b0b0ac65ca81740742dc2d7 Mon Sep 17 00:00:00 2001
From: Anurag Rajawat
Date: Wed, 20 Nov 2024 11:03:26 +0530
Subject: [PATCH 1/2] NGINX: Add NJS

Signed-off-by: Anurag Rajawat
---
 images/nginx/rootfs/build.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 3baf775fca..3d08f7d397 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -106,6 +106,9 @@ export OPENTELEMETRY_CPP_VERSION="v1.11.0"
 # Check on https://github.com/open-telemetry/opentelemetry-proto
 export OPENTELEMETRY_PROTO_VERSION="v1.1.0"
+# http://hg.nginx.org/njs
+export NGINX_NJS_VERSION="0.8.4"
+
 export BUILD_PATH=/tmp/build
 ARCH=$(uname -m)
@@ -276,6 +279,9 @@ get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \
 get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \
 "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc"
+get_src 8191bff8491af9169a92e30e383ef8614717b0c6d40913d83b95051031e92321 \
+ "http://hg.nginx.org/njs/archive/${NGINX_NJS_VERSION}.tar.gz" "njs"
+
 # improve compilation times
 CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
@@ -481,7 +487,8 @@ WITH_MODULES=" \
 --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \
 --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \
 --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \
- --add-dynamic-module=$BUILD_PATH/ngx_brotli"
+ --add-dynamic-module=$BUILD_PATH/ngx_brotli \
+ --add-dynamic-module=$BUILD_PATH/njs/nginx"
 ./configure \
 --prefix=/usr/local/nginx \

From 2b14b3c020ad03fbaa3a29772cdf00bfc4102f91 Mon Sep 17 00:00:00 2001
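Review bot: The njs tarball in the second hunk is fetched over plain HTTP (`"http://hg.nginx.org/njs/archive/${NGINX_NJS_VERSION}.tar.gz"`) while the neighbouring mimalloc source and the rest of the file use https; get_src is handed a SHA-256 so a tampered or truncated download should be rejected rather than built (assuming get_src verifies its first argument, which is not visible in this diff), but `"https://hg.nginx.org/njs/archive/${NGINX_NJS_VERSION}.tar.gz"` keeps the file consistent at no cost. The `# http://hg.nginx.org/njs` comment added in the first hunk uses the same scheme and, unlike the surrounding `# Check on https://...` comments, does not say it is the place to check for new releases. As far as I know the njs project has announced moving its canonical repository to GitHub (nginx/njs), so if hg.nginx.org stops serving archives both the URL and the pinned checksum will have to change; worth a comment on the version line so the next bump does not trip over it.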
From: Elizabeth Martin Campos
Date: Sat, 23 Nov 2024 18:53:18 +0100
Subject: [PATCH 2/2] Replace auth cache key generation Lua impl with NJS impl

---
 rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js | 7 +++++++
 rootfs/etc/nginx/template/nginx.tmpl | 9 +++++----
 test/e2e/annotations/auth.go | 5 +----
 test/e2e/settings/global_external_auth.go | 5 +----
 4 files changed, 14 insertions(+), 12 deletions(-)
 create mode 100644 rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js

diff --git a/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js b/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js
new file mode 100644
index 0000000000..aa45fe2cae
--- /dev/null
+++ b/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js
@@ -0,0 +1,7 @@
+const crypto = require('crypto');
+
+function cache_key(req) {
+ return crypto.createHash('sha1').update(req.variables.tmp_cache_key).digest('base64');
+}
+
+export default { cache_key };
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index ad41ec7ee7..9717bfc657 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -74,6 +74,10 @@ http {
 init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua;
+ js_import /etc/nginx/js/nginx/ngx_conf_rewrite_auth.js;
+
+ js_set $njs_cache_key ngx_conf_rewrite_auth.cache_key;
+
 {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
 {{/* we use the value of the real IP for the geo_ip module */}}
 {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }}
@@ -988,9 +992,6 @@ stream {
 {{ if $externalAuth.AuthCacheKey }}
 set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
- set $cache_key '';
-
- rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua;
 proxy_cache auth_cache;
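Review bot: `cache_key` carries no comment on what it replaces or what depends on its output, and since this hunk is the whole file nothing else documents it; a header such as `// NJS replacement for the former rewrite_by_lua hook: SHA-1 of $tmp_cache_key (set in nginx.tmpl), base64-encoded, used as the external-auth proxy_cache_key.` followed by `// Keep the digest and encoding stable: changing them invalidates every existing auth_cache entry.` would fix that. Whether sha1+base64 reproduces byte-for-byte what the removed Lua hook emitted is not visible here, and it decides whether warm caches survive the upgrade, so it deserves a one-line confirmation in the commit message. `req.variables.tmp_cache_key` is read unguarded; in the template `$njs_cache_key` is only consumed inside the block that sets `$tmp_cache_key`, so an undefined value should not occur in practice, but please state in the comment that a failure here must remain a failure — falling back to `''` or any constant would give every request the same `proxy_cache_key` and therefore one shared cached auth verdict. If compatibility with existing entries is not a requirement, `'sha256'` is the better default for a key that may include request-supplied variables.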
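Review bot: `js_import` and `js_set` at `http {}` level need ngx_http_js_module, which the first patch builds as a dynamic module (`--add-dynamic-module=$BUILD_PATH/njs/nginx`); a matching `load_module` line in this template's main context is not visible in the hunk, so confirm `nginx -t` passes on the built image rather than relying on the e2e run alone. The Lua hook this replaces, `/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua`, is no longer referenced after the second hunk but is not deleted (the diffstat lists four files and no deletion), so the image keeps shipping dead code; remove it in the same change or say why it stays. A one-line comment above the pair, `# $njs_cache_key: sha1/base64 of $tmp_cache_key, used as proxy_cache_key for external auth (ngx_conf_rewrite_auth.js)`, would also spare readers the roughly 900-line jump to where the variable is consumed.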
@@ -998,7 +999,7 @@ stream {
 proxy_cache_valid {{ $dur }};
 {{- end }}
- proxy_cache_key "$cache_key";
+ proxy_cache_key "$njs_cache_key";
 {{ end }}
 # ngx_auth_request module overrides variables in the parent request,
diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
index ddda1dce5f..51561fe658 100644
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@@ -21,7 +21,6 @@ import (
 "fmt"
 "net/http"
 "net/url"
- "regexp"
 "strings"
 "golang.org/x/crypto/bcrypt"
@@ -341,11 +340,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 f.EnsureIngress(ing)
- cacheRegex := regexp.MustCompile(`\$cache_key.*foo`)
-
 f.WaitForNginxServer(host, func(server string) bool {
- return cacheRegex.MatchString(server) &&
+ return strings.Contains(server, "proxy_cache_key \"$njs_cache_key\";") &&
 strings.Contains(server, `proxy_cache_valid 200 202 401 30m;`)
 })
 })
diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go
index f589a63e94..be717ab455 100644
--- a/test/e2e/settings/global_external_auth.go
+++ b/test/e2e/settings/global_external_auth.go
@@ -20,7 +20,6 @@ import (
 "context"
 "fmt"
 "net/http"
- "regexp"
 "strings"
 "github.com/onsi/ginkgo/v2"
@@ -169,11 +168,9 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() {
 globalExternalAuthURLSetting: globalExternalAuthURL,
 })
- cacheRegex := regexp.MustCompile(`\$cache_key.*foo`)
-
 f.WaitForNginxServer(host, func(server string) bool {
- return cacheRegex.MatchString(server) &&
+ return strings.Contains(server, "proxy_cache_key \"$njs_cache_key\";") &&
 strings.Contains(server, `proxy_cache_valid 200 201 401 30m;`)
 })
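Review bot: The removed regex `\$cache_key.*foo` also required `foo` — presumably the auth-cache-key value this test configures, set outside the hunk — to appear in the rendered server block, whereas `strings.Contains(server, "proxy_cache_key \"$njs_cache_key\";")` only proves the directive was emitted, so a regression in which the annotation value never reaches the `set $tmp_cache_key '...'` line that feeds the hash would now pass. Keeping one assertion on the input side, e.g. `strings.Contains(server, "set $tmp_cache_key '") &&` plus a check that the configured key value occurs in that line, restores the lost coverage without depending on the hashed output. The global_external_auth.go hunk below makes the same reduction and should get the same treatment. Both closures belong to Describe blocks that begin well before their hunks.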