1. Install nginx
If we install it on the local machine:
# 1. Install nginx on Ubuntu
sudo apt update
sudo apt install nginx
# 2. Start nginx
sudo systemctl start nginx
# 3. Check
systemctl status nginx.service
But we run into the problem that port 80 is already in use:
informatica@srv-glpi-16:~$ systemctl status nginx.service
× nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Wed 2025-09-24 11:58:58 CEST; 1min 18s ago
Docs: man:nginx(8)
Process: 73037 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 73038 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 11ms
Sep 24 11:58:56 srv-glpi-16 nginx[73038]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Sep 24 11:58:56 srv-glpi-16 nginx[73038]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Sep 24 11:58:57 srv-glpi-16 nginx[73038]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Sep 24 11:58:57 srv-glpi-16 nginx[73038]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Sep 24 11:58:57 srv-glpi-16 nginx[73038]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Sep 24 11:58:57 srv-glpi-16 nginx[73038]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Sep 24 11:58:58 srv-glpi-16 nginx[73038]: nginx: [emerg] still could not bind()
Sep 24 11:58:58 srv-glpi-16 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Sep 24 11:58:58 srv-glpi-16 systemd[1]: nginx.service: Failed with result 'exit-code'.
Sep 24 11:58:58 srv-glpi-16 systemd[1]: Failed to start nginx.service - A high performance web server and a reverse proxy server.
To fix this we have to change the nginx configuration and use a different port.
First we look for where the "listen 80" line might be:
# 1. Search for the string "listen" in the files of these directories
grep -R "listen" /etc/nginx/sites-enabled/ /etc/nginx/conf.d/
It turns up in the file "/etc/nginx/sites-enabled/default".
We edit it with nano and change "80" to "8088":
# 1. Change 80 to 8088
server {
listen 8088 default_server;
listen [::]:8088 default_server;
Then we start the nginx service and check it:
# 1. Start nginx
sudo systemctl start nginx
# 2. Check
systemctl status nginx.service
And now it is running.
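The post does not say which process already holds port 80 on srv-glpi-16. The script below is an added example (not from the original post) that names the listener from `ss -ltnp` output, rewrites both `listen` lines of /etc/nginx/sites-enabled/default to a new port, and validates the configuration with `nginx -t` before restarting, so a typo in the edit cannot leave nginx down. The `ss` lines it is demonstrated on are constructed (apache2 and sshd are placeholders, not what the post observed).

```shell
#!/bin/sh
# Added example, not from the original post: identify what holds port 80 and
# rebind nginx's default site to a free port before starting it.
set -eu

# Constructed sample of `ss -ltnpH` output (apache2/sshd are placeholders),
# used so the parsing below can be exercised without a live system.
SS_SAMPLE='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1234,fd=4),("apache2",pid=1233,fd=4))
LISTEN 0 511 [::]:80 [::]:* users:(("apache2",pid=1234,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# Print the distinct process names with a LISTEN socket on port $1.
# Reads `ss -ltnpH` lines from stdin (ss shows process names only as root).
listeners_on_port() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            addr = $4; sub(/.*:/, "", addr)        # "0.0.0.0:80" / "[::]:80" -> "80"
            if (addr != p) next
            while (match($0, /\("[^"]+"/)) {        # each ("name",pid=...,fd=...)
                print substr($0, RSTART + 2, RLENGTH - 3)
                $0 = substr($0, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Same check against the running system.
live_listeners_on_port() {
    ss -ltnpH | listeners_on_port "$1"
}

# Rewrite "listen $2 ..." and "listen [::]:$2 ..." in file $1 to port $3.
# Anchored on the listen keyword so an unrelated "80" elsewhere is untouched.
# mv replaces the file, so run it as the file's owner (root under /etc/nginx).
rebind_listen() {
    file=$1 from=$2 to=$3
    tmp=$(mktemp)
    sed -e "s/^\([[:space:]]*listen[[:space:]][[:space:]]*\(\[::\]:\)\{0,1\}\)$from\([[:space:];]\)/\1$to\3/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Parse-check the whole configuration before restarting.
validate_and_restart() {
    sudo nginx -t && sudo systemctl restart nginx
}

# Demo on the constructed sample:
printf '%s\n' "$SS_SAMPLE" | listeners_on_port 80     # prints: apache2
```

On the server: `live_listeners_on_port 80` (as root), then `rebind_listen /etc/nginx/sites-enabled/default 80 8088` and `validate_and_restart`.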
2. Replacing nginx with openresty
Let's go through the steps, following Cloudspinx:
#1. Block nginx
sudo systemctl disable nginx
sudo systemctl stop nginx
#2. Install prerequisites
sudo apt-get -y install --no-install-recommends wget gnupg ca-certificates lsb-release
#3. Import the repository GPG key (for Ubuntu 22+)
wget -O - https://openresty.org/package/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/openresty.gpg
#4. Add the repository on x86_64 or amd64 systems for Ubuntu 22+
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list > /dev/null
#5. Update the APT index
sudo apt-get update
#6. Install the package
sudo apt-get -y install openresty
#6.1. Here it fails with an error that port 80 is in use
# (the install tries to start the service, which cannot bind to port 80).
# So edit /usr/local/openresty/nginx/conf/nginx.conf
# and change "listen 80;"
# to "listen 8080;" or another port that is not taken (the rest of this page uses 8088)
# and run again:
# sudo apt-get -y install openresty
#7. Verify the installation; it should print: nginx version: openresty/X.Y.Z
openresty -v
#8. Start/restart/stop the service
sudo systemctl start openresty
sudo systemctl restart openresty
sudo systemctl stop openresty
#9. Enable the service at boot
sudo systemctl enable openresty
#10. Check the service status
sudo systemctl status openresty
Note that the configuration file now lives in one of these two folders:
- /etc/openresty
- /usr/local/openresty
And the logs are in:
- /usr/local/openresty/nginx/logs/error.log
The same error appears, that port 80 is in use (after step 6).
To fix it, open the configuration file "/usr/local/openresty/nginx/conf/nginx.conf" and change listen 80 to port 8088.
To check that it works, open a browser at this address:
http://IP_SERVIDOR:8088/
and it works.
3. Installing luarocks
LuaRocks is the package manager for Lua modules; we use it to install the resty modules openresty needs.
To install it:
# 1. Prerequisites
sudo apt install build-essential libreadline-dev unzip
# 2. Download
wget https://luarocks.org/releases/luarocks-3.12.2.tar.gz
# 3. Unpack
tar zxpf luarocks-3.12.2.tar.gz
# 4. Build and install
cd luarocks-3.12.2
./configure && make && sudo make install
sudo luarocks install luasocket
lua
# It should print
Lua 5.4.7 Copyright (C) 1994-2024 Lua.org, PUC-Rio
Caveat: the "lua" shown above is the system interpreter (5.4), but openresty runs its scripts on the bundled LuaJIT, which follows the Lua 5.1 API, and the lua_package_path in the nginx.conf below only searches ".../lua/5.1/..." directories. A luarocks built against Lua 5.4 installs rocks under ".../lua/5.4/", where openresty will not find them. The OpenResty documentation builds luarocks against LuaJIT instead:
./configure --prefix=/usr/local/openresty/luajit --with-lua=/usr/local/openresty/luajit --lua-suffix=jit --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
# 1. Install packages.
# These are the resty modules used by the nginx.conf below
sudo luarocks install lua-resty-http
sudo luarocks install lua-resty-openssl
sudo luarocks install lua-resty-iputils
# 2. List the installed modules
luarocks list
Let's look at some uses of luarocks.
When installing lua some problems came up; they were solved with chatgpt.
4. Copy the openresty configuration files
The files to copy into the directory /usr/local/openresty/nginx/conf are:
nginx.conf:
worker_processes auto;
#error_log logs/error.log;
error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
error_log /usr/local/openresty/nginx/logs/error.log info;
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
#--- BEGIN EDU
# Enable Lua shared dictionary for sessions
lua_shared_dict sessions 10m;
# Load the resty modules we need
lua_package_path '/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/5.1/?.lua;/usr/local/share/lua/5.1/resty/?.lua;/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/conf/?.lua;/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/site/lualib/resty/?.lua;;';
lua_package_cpath './?.so;/usr/local/lib/lua/5.1/?.so;/usr/lib/x86_64-linux-gnu/lua/5.1/?.so;/usr/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so;/home/eduard/.luarocks/lib/lua/5.1/?.so;;';
# Initialize the IP filter module at the http level
init_by_lua_block {
require("resty.core")
require("resty.iputils").enable_lrucache()
}
# Enable cache
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=100m inactive=60m use_temp_path=off;
# Upstream pool for softprop, with a single server
upstream softpropsrv {
server 192.168.10.5:5001;
#server edu.tavernes.es:5001;
#server 0.0.0.0:5001;
##server 127.0.0.1:5001;
##server el_que_sea.com;
}
# Rate limiting to avoid an excessive number of requests
# Define the rate limit per IP (10 requests per second; the burst is set with limit_req in the location below)
limit_req_zone $binary_remote_addr zone=my_api_limit:10m rate=10r/s;
#resolver 192.168.10.5; # Servidor de DNS
#--- END EDU
server {
#listen 8080;
listen 8449 ssl; #->New
server_name localhost;
#server_name edu.tavernes.es;
#charset koi8-r;
#access_log logs/host.access.log main;
#-> Begin new
# SSL certificate configuration
#ssl_certificate /usr/local/openresty/nginx/conf/wildcard2023Nginx.crt;
#ssl_certificate_key /usr/local/openresty/nginx/conf/wildcard2023Nginx.rsa;
ssl_certificate /usr/local/openresty/nginx/conf/wildcard.tavernes.es.crt;
ssl_certificate_key /usr/local/openresty/nginx/conf/wildcard.tavernes.es.key;
# Client certificate part
ssl_client_certificate /usr/local/openresty/nginx/conf/ca_all.cer; # Set of all the CA certificates
ssl_verify_client on; # Require client certificate
ssl_verify_depth 2;
# Optional SSL settings for security and performance
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Common proxy settings (optional)
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
location / {
# Apply the rate limiting to this route
limit_req zone=my_api_limit burst=30 delay=10;
# Get info from client certificate
#proxy_pass https://0.0.0.0:5001/login; # Forward request to Python app
proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
# Filter by EU country, then send the visitor to the login form.
# The redirect is issued from Lua: a "return 301 /login;" directive runs in
# the rewrite phase and would finish the request before this block executes,
# so the country filter would never run.
content_by_lua_block {
local filter = require("eu_filter")
if not filter.filter() then
ngx.status = ngx.HTTP_FORBIDDEN
ngx.say("Access denied: Your location is not permitted.")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
return ngx.redirect("/login", 301)
}
#root html;
#index index.html index.htm;
}
# Location of static files
location /static/ {
#1. Only files inside the openresty (nginx) server itself
## Are good both root and alias, but in alias you must append "static/" to the path
##root /home/eduard/MyPython/11.softprop-01; # Path where static files are stored
#alias /home/eduard/MyPython/11.softprop-01/static/; # Path where static files are stored
## Use browser cache !!!
#expires max;
#access_log off;
#gzip on;
#gzip_types text/css application/javascript image/svg+xml;
#2. Only files from one of the servers of the upstream "softpropsrv" acting as web servers
proxy_pass https://softpropsrv/static/;
proxy_set_header Host $host;
proxy_ssl_verify off; # The upstream certificate is NOT checked; once 192.168.10.5:5001 has a trusted certificate set this to on and add proxy_ssl_trusted_certificate
proxy_cache my_cache;
proxy_cache_valid 200 30d;
proxy_cache_use_stale error timeout updating;
add_header X-Cache-Status $upstream_cache_status;
}
# Serve the login form
location = /login {
include nginx.conf.login;
}
location = /initial {
include nginx.conf.initial;
}
# Protected proxy location
location /protected {
include nginx.conf.protected;
}
location /softprop {
# Timeout settings
# Problems with slow processes
#proxy_connect_timeout 90s; # Default is 60s
#proxy_send_timeout 90s; # Default is 60s
# Time for waiting a response
proxy_read_timeout 1000s; # Default is 60s
#send_timeout 90s; # Default is 60s
include nginx.conf.softprop;
}
#location = /success {
# include nginx.conf.success;
#}
location = /error {
include nginx.conf.error;
}
location = /logout {
include nginx.conf.logout;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
nginx.conf.login
default_type text/html;
content_by_lua_block {
-- Check if already authenticated
-- local session_id = ngx.var.cookie_session_id
-- local tab_id = ngx.var.cookie_tab_id
-- local sessions = ngx.shared.sessions
-- local tabs = ngx.shared.tabs
-- if session_id and sessions:get(session_id) and tab_id and tabs:get(tab_id) then
-- return ngx.redirect("/protected/softprop/tree")
-- end
-- Helper function to read the entire content of a file.
local function read_file(filename)
local mypath="/usr/local/openresty/nginx/conf/"
local new_filename = mypath .. filename
local f, err = io.open(new_filename, "r")
if not f then
ngx.log(ngx.ERR, "failed to open file ", new_filename, ": ", err)
return nil
end
local content = f:read("*a")
f:close()
return content
end
-- End Helper function
-- Create the tab_id
--local resty_random = require "resty.random"
--local tab_id = ngx.encode_base64(resty_random.bytes(32))
local xmauth = require "xmauth"
local tab_id = xmauth.random_string(32)
-- Read content of three files into three string variables.
-- Fall back to an empty string so a missing file does not crash gsub below.
local form_style = read_file("form_style.css") or ""
local form_script = read_file("form_script.js") or ""
local form_body = read_file("form_body.html") or ""
local login_form = [[
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<style>
$STYLE$
</style>
</head>
<body>
<script>
$SCRIPT$
</script>
$BODY$
</body>
</html>
]]
-- Use a function as the replacement: gsub interprets "%" in a replacement
-- string, so a "width: 100%" in the CSS or a "%" in the JS would raise
-- "invalid use of '%' in replacement string".
local function literal(s) return function() return s end end
login_form = string.gsub(login_form, "%$STYLE%$" , literal(form_style))
login_form = string.gsub(login_form, "%$SCRIPT%$", literal(form_script))
form_body  = string.gsub(form_body , "%$TAB_ID%$", literal(tab_id))
login_form = string.gsub(login_form, "%$BODY%$" , literal(form_body))
-- ngx.log(ngx.INFO, login_form)
ngx.say(login_form)
}
nginx.conf.initial
content_by_lua_block {
-- Get authentication credentials
ngx.req.read_body()
local args = ngx.req.get_post_args() or {}
local username = args["username"]
local password = args["password"]
local tab_id = args["tab_id"]
-- certificate info
-- local cert = ngx.var.ssl_client_cert
local cert_verify=ngx.var.ssl_client_verify
local cert_dn=ngx.var.ssl_client_s_dn
-- Validate first: get_post_args() returns true for a field without "=" and a
-- table for a repeated field, and concatenating nil into the log lines below
-- would raise an error and answer 500 instead of redirecting to /login.
if type(username) ~= "string" or type(password) ~= "string" or type(tab_id) ~= "string" then
return ngx.redirect("/login")
end
-- tab_id is client-supplied and becomes the session key: keep only
-- alphanumerics, as the /softprop location already does
tab_id = tab_id:gsub("[^%w]", "")
if tab_id == "" then
return ngx.redirect("/login")
end
ngx.log(ngx.INFO, "initial username " .. username )
-- the password is deliberately not written to the log
ngx.log(ngx.INFO, "initial tab_id " .. tab_id )
ngx.log(ngx.INFO, "initial cert_dn " .. tostring(cert_dn) )
-- Create HTTP connection
ngx.log(ngx.INFO, "initial validating user to python service" )
local http = require "resty.http"
local cjson = require "cjson"
local httpc = http.new()
-- Connect to Python auth service
-- local res, err = httpc:request_uri("http://127.0.0.1:5000/auth", {
-- For a host name (such as "edu.tavernes.es") to be accepted there must be a
-- "resolver IP_OF_DNS_SERVER" directive, otherwise the name cannot be resolved.
-- So the IP is used directly.
-- The following line does not work because "edu.tavernes.es" is not found:
-- local res, err = httpc:request_uri("https://edu.tavernes.es:5000/auth", {
local res, err = httpc:request_uri("https://192.168.10.5:5000/auth", {
method = "POST",
body = cjson.encode({
username = username,
password = password,
cert_verify = cert_verify,
cert_dn = cert_dn
}),
headers = {
["Content-Type"] = "application/json",
},
-- if we have problems with the certificates ???
-- Caveat: with the check disabled, whatever answers on 192.168.10.5:5000
-- receives the credentials. Once the auth service has a certificate from a
-- trusted CA, set ssl_verify = true and point lua_ssl_trusted_certificate at it.
ssl_verify = false -- Disable SSL verification (useful for self-signed certs)
})
ngx.log(ngx.INFO, "initial after validating user to python service" )
if not res then
ngx.log(ngx.ERR, "Failed to request: ", err)
return ngx.redirect("/error")
end
-- A non-JSON reply (e.g. a 502 page) would make cjson.decode throw; catch it
local ok, body = pcall(cjson.decode, res.body)
if not ok or type(body) ~= "table" then
ngx.log(ngx.ERR, "auth service returned invalid JSON, status ", res.status)
return ngx.redirect("/error")
end
ngx.log(ngx.INFO, "initial body=" .. cjson.encode(body) )
if body.authenticated then
--- ngx.redirect("/success")
--- ngx.redirect("https://www.gva.es")
-- Create session
local sessions = ngx.shared.sessions
--local resty_random = require "resty.random"
local xmauth = require "xmauth"
--local session_id = ngx.encode_base64(resty_random.bytes(32))
--local session_id = xmauth.random_string(32)
local my_data = { username = username }
local my_data_json = cjson.encode(my_data)
--sessions:set(session_id, my_data_json , 3600) -- 1 hour expiration
sessions:set(tab_id, my_data_json , 3600) -- 1 hour expiration
local user_tab = sessions:get(tab_id) or "5"
ngx.log(ngx.INFO,"Initial tab_id + user_tab: " .. tab_id .. ' ' .. user_tab)
-- Set the tab_id cookie for authentication. It is named "tab_id" because
-- that is what nginx.conf.logout reads as $cookie_tab_id; Secure and
-- SameSite are added since the server only listens on TLS.
ngx.header["Set-Cookie"] = {
-- "session_id=" .. my_data_json .. "; HttpOnly; Path=/",
"tab_id=" .. tab_id .. "; HttpOnly; Secure; SameSite=Strict; Path=/",
-- "username=" .. username .. "; HttpOnly; Path=/"
}
local cookies = ngx.header["Set-Cookie"]
if type(cookies) == "table" then
for _, cookie in ipairs(cookies) do
ngx.log(ngx.INFO,"Set-Cookie Header: " .. cookie)
end
else
ngx.log(ngx.INFO,"Set-Cookie Header: " .. cookies)
end
--ngx.log(ngx.INFO, "initial redirecting to /protected/softprop/tree" )
ngx.log(ngx.INFO, "initial redirecting to /softprop/tree" )
-- Redirect to protected area
--local my_url="/protected/softprop/tree?tab_id=" .. ngx.escape_uri(tab_id)
-- Redirect to softprop instead of protected area
local my_url="/softprop/tree?tab_id=" .. ngx.escape_uri(tab_id)
ngx.log(ngx.INFO, "initial my_url=" .. my_url)
return ngx.redirect(my_url)
else
return ngx.redirect("/error")
end
}
nginx.conf.protected
#root /home/eduard/MyPython/05.fasthtml/menus; # Base directory for static files
access_by_lua_block {
local xmauth = require "xmauth"
local tab_id = ngx.var.arg_tab_id -- Get the 'tab_id' parameter
if not tab_id then
ngx.log(ngx.INFO, "nginx.conf.protected: 1 NO parameter tab_id")
return ngx.redirect("/login")
end
tab_id = tab_id:gsub("[^%w]", "") -- same normalisation as /softprop
ngx.log(ngx.INFO, "nginx.conf.protected: 2 parameter tab_id= '" .. tab_id .. "'")
local user = xmauth.is_authenticated(tab_id)
if not user then
ngx.log(ngx.INFO, "nginx.conf.protected: 3 NO user")
return ngx.redirect("/login")
end
-- The user is authenticated, so proceed (the original redirected to /login
-- here as well, which made a successful check indistinguishable from a failed one):
-- ngx.say("Welcome, " .. user .. "!")
ngx.log(ngx.INFO, "Protected: Welcome authenticated," .. user .. "!")
-- Strip the /protected prefix and redirect, keeping the query string. This is
-- done from Lua because a "rewrite ... redirect" directive runs in the rewrite
-- phase, before this access block, and would answer before the check above ran.
local target, n = ngx.re.sub(ngx.var.uri, "^/protected/", "/", "jo")
if n == 0 then
return -- bare /protected: nothing to strip, fall through to the default handler
end
if ngx.var.args then
target = target .. "?" .. ngx.var.args
end
return ngx.redirect(target)
}
# Remove /protected from the forwarded URI
#rewrite ^/protected/(.*) /$1 break;
#rewrite ^/protected/(.*) /$1 redirect; # see the note in the Lua block above
#include nginx.conf.softprop;
#proxy_pass http://softpropsrv; # Forward to a backend if needed
nginx.conf.error
default_type text/html;
content_by_lua_block {
local error_page = [[
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
<style>
body { font-family: Arial, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background-color: #f0f2f5; }
.error-container { background: white; padding: 20px; border-radius: 8px; box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1); text-align: center; color: #f44336; }
.back-button { margin-top: 15px; padding: 8px 16px; background-color: #f44336; color: white; border: none; border-radius: 4px; text-decoration: none; display: inline-block; }
.back-button:hover { background-color: #da190b; }
</style>
</head>
<body>
<div class="error-container">
<h2>Authentication Failed</h2>
<p>Invalid username or password.</p>
<a href="/login" class="back-button">Try Again</a>
</div>
</body>
</html>
]]
ngx.say(error_page)
}
nginx.conf.softprop
access_by_lua_block {
local url = ngx.var.request_uri
ngx.log (ngx.INFO, "nginx.conf - location /softprop: 0 The current URL is: " .. url)
local xmauth = require "xmauth"
local tab_id = ngx.var.arg_tab_id -- Get the 'tab_id' parameter
if tab_id then
tab_id= tab_id:gsub("[^%w]","")
ngx.log(ngx.INFO, "0. tab_id=" .. tab_id .. "0")
end
if url ~= "/softprop/login" then
if not tab_id then
-- Test if the tab_id is a post parameter
local method = ngx.req.get_method()
if method == "POST" then
-- Read request body
ngx.req.read_body()
-- get_post_args() returns nil (plus an error) when the body is not
-- form-encoded or was spooled to disk, so default to an empty table
local post_args = ngx.req.get_post_args() or {} -- Get POST parameters
local body_data = ngx.req.get_body_data()
-- Log only the size of the body: it may carry user data
ngx.log(ngx.INFO, "nginx.conf - post body bytes: ", body_data and #body_data or 0)
-- 1. Assume the `hx-vals` passed a parameter named "tab_id"
tab_id = post_args["tab_id"]
if type(tab_id) == "string" then
tab_id= tab_id:gsub("[^%w]","")
ngx.log(ngx.INFO, "1. tab_id=" .. tab_id .. "1")
else
tab_id = nil -- true (field without value) or a table (repeated field) are not usable
end
-- 2. Maybe it is multipart/form-data
if not tab_id and body_data then
tab_id = body_data:match('name="tab_id"%s*(.-)%-%-')
if tab_id then
tab_id= tab_id:gsub("[^%w]","")
ngx.log(ngx.INFO, "2. tab_id=" .. tab_id .. "2")
end
end
end
if not tab_id then
ngx.log(ngx.INFO, "nginx.conf - location /softprop: 1 NO parameter tab_id redirecting to /login")
return ngx.redirect("/login")
end
end
--else
ngx.log(ngx.INFO, "nginx.conf - location /softprop: 2 parameter tab_id= " .. tab_id )
local user = xmauth.is_authenticated(tab_id)
if not user then
ngx.log(ngx.INFO, "nginx.conf - location /softprop: 3 NO user redirecting to /login")
return ngx.redirect("/login")
else
-- If the user is authenticated, you can proceed:
-- ngx.say("Welcome, " .. user .. "!")
ngx.log(ngx.INFO, "/SOFTPROP: Welcome authenticated," .. user .. "!")
end
--end
else
-- /softprop/login is let through without a tab_id: the python backend handles its own login there
ngx.log(ngx.INFO, "/SOFTPROP: Going to /softprop/login to authenticate against python!")
end
}
# Proxy to the backend server with the decoded path
#proxy_pass http://0.0.0.0:5001;
#proxy_pass http://softpropsrv;
proxy_pass https://softpropsrv;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Ensure redirects from the backend work properly
#proxy_redirect http://127.0.0.1:5001/ /;
nginx.conf.logout:
content_by_lua_block {
local session_store = ngx.shared.sessions
-- The session key is the tab_id; it arrives in the "tab_id" cookie set by
-- nginx.conf.initial, or as the query parameter the pages carry around
local tab_id = ngx.var.cookie_tab_id or ngx.var.arg_tab_id
-- local session_id = ngx.var.http_cookie and ngx.var.http_cookie:match("session=([^;]+)")
-- if session_id then
if tab_id then
session_store:delete(tab_id)
ngx.header["Set-Cookie"] = "tab_id=; HttpOnly; Secure; SameSite=Strict; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
end
return ngx.redirect("/login")
}
5. Copy the certificates
ca_all.cer, wildcard* (the files named by the ssl_certificate, ssl_certificate_key and ssl_client_certificate directives in nginx.conf above)
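Before restarting it pays to check the copied files against what the nginx.conf above expects: the private key must belong to the server certificate, a client certificate must verify against ca_all.cer within ssl_verify_depth 2, and nothing should be about to expire. The script below is an added example, not part of the original post; it assumes openssl(1) is installed and uses the file names from the configuration (wildcard.tavernes.es.crt/.key, ca_all.cer). `preflight` finishes with `openresty -t`, the same config test step used for nginx earlier.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# certificate files the nginx.conf above refers to. Assumes openssl(1).
set -eu

# 0 if the private key in $2 belongs to the certificate in $1 (RSA or EC):
# both are reduced to their public key in PEM form and compared.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the client certificate $3 chains to the CA bundle $1 within $2 levels,
# the same check nginx performs with ssl_client_certificate + ssl_verify_depth
# before $ssl_client_verify becomes SUCCESS.
verify_client_chain() {
    openssl verify -CAfile "$1" -verify_depth "$2" "$3" >/dev/null 2>&1
}

# 0 if certificate $1 is still valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Subject DN in the RFC 2253 form that nginx exposes as $ssl_client_s_dn
# (what the Lua above forwards to the python auth service as cert_dn).
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Run the checks against the openresty conf directory, then parse the config.
preflight() {
    dir=${1:-/usr/local/openresty/nginx/conf}
    key_matches_cert "$dir/wildcard.tavernes.es.crt" "$dir/wildcard.tavernes.es.key" \
        || { echo "server key does not match wildcard.tavernes.es.crt" >&2; return 1; }
    valid_for_days "$dir/wildcard.tavernes.es.crt" 30 \
        || { echo "server certificate expires within 30 days" >&2; return 1; }
    [ -s "$dir/ca_all.cer" ] \
        || { echo "ca_all.cer missing or empty: every client would get 400" >&2; return 1; }
    openresty -t -c "$dir/nginx.conf"
}
```

To check a user's certificate before handing it out: `verify_client_chain ca_all.cer 2 alice.crt && subject_dn alice.crt`.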
6. Restart openresty
sudo systemctl restart openresty
Then go to https://IP_SERVIDOR:8449/softprop/openresty and it asks for a certificate to get in.
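Beyond seeing the browser prompt for a certificate, the whole flow can be exercised from a client with curl: no client certificate must be refused, /login must be served with one, the POST to /initial must come back as the "/softprop/tree?tab_id=..." redirect that nginx.conf.initial issues, and that tab_id must then get through /softprop. The script below is an added example, not part of the original post. It assumes PEM files for a client certificate and key issued by one of the CAs in ca_all.cer, that the password is supplied in the SOFTPROP_PASSWORD environment variable (kept out of argv, which "ps" shows to every user), and a user name such as "alice".

```shell
#!/bin/sh
# Added example, not from the original post: curl smoke test of the mTLS +
# login flow described above. Assumes curl, PEM client cert/key, and the
# password in $SOFTPROP_PASSWORD.
set -eu

# Extract tab_id from raw response headers ("Location: /softprop/tree?tab_id=...").
tab_id_from_location() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ll]ocation:.*[?&]tab_id=\([^&[:space:]]*\).*/\1/p' | head -n 1
}

# Same normalisation the Lua applies: tab_id:gsub("[^%w]", "").
sanitize_tab_id() {
    printf '%s' "$1" | tr -cd '[:alnum:]'
}

# Status code only; $1 is the URL, the rest are extra curl options.
http_status() {
    url=$1; shift
    curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Arguments: base_url client.crt client.key ca_all.cer username
smoke_test() {
    base=$1 cert=$2 key=$3 ca=$4 user=$5
    pw=${SOFTPROP_PASSWORD:?set SOFTPROP_PASSWORD in the environment}
    # 1. No client certificate: ssl_verify_client on makes nginx answer 400
    #    ("No required SSL certificate was sent").
    st=$(http_status "$base/login" --cacert "$ca") || st=000
    [ "$st" = 400 ] || { echo "expected 400 without client cert, got $st" >&2; return 1; }
    # 2. With the certificate the login form is served.
    st=$(http_status "$base/login" --cacert "$ca" --cert "$cert" --key "$key")
    [ "$st" = 200 ] || { echo "expected 200 for /login, got $st" >&2; return 1; }
    # 3. POST the credentials. nginx.conf.initial keys the session on whatever
    #    tab_id is posted, so a fresh random one is enough for the test.
    tab=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    hdrs=$(curl -s -D - -o /dev/null --cacert "$ca" --cert "$cert" --key "$key" \
        --data-urlencode "username=$user" \
        --data-urlencode "password=$pw" \
        --data-urlencode "tab_id=$tab" \
        "$base/initial")
    got=$(sanitize_tab_id "$(tab_id_from_location "$hdrs")")
    [ "$got" = "$tab" ] || { echo "no redirect carrying tab_id (auth failed?)" >&2; return 1; }
    # 4. The session is live: /softprop/tree with that tab_id must not bounce to /login.
    to=$(curl -s -o /dev/null -w '%{redirect_url}' --cacert "$ca" --cert "$cert" --key "$key" \
        "$base/softprop/tree?tab_id=$tab")
    [ "$to" != "$base/login" ] || { echo "authenticated request still sent to /login" >&2; return 1; }
    echo "ok: tab_id=$tab"
}

# Usage: SOFTPROP_PASSWORD=... sh smoke.sh https://IP_SERVIDOR:8449 client.crt client.key ca_all.cer alice
if [ $# -eq 5 ]; then
    smoke_test "$@"
fi
```

Step 1 is the one worth keeping in a monitoring job: if ca_all.cer is ever removed or ssl_verify_client is loosened, an anonymous client stops getting 400 and the check fails loudly.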