From ceabf5b11b10009df9bcfa3d876981f23b2fb3b1 Mon Sep 17 00:00:00 2001
From: Elizabeth Martin Campos
Date: Sat, 23 Nov 2024 18:52:11 +0100
Subject: [PATCH 1/2] Add NJS module to Nginx
---
 images/nginx/rootfs/build.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 3baf775fca..bc8e688caf 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -106,6 +106,9 @@ export OPENTELEMETRY_CPP_VERSION="v1.11.0"
 # Check on https://github.com/open-telemetry/opentelemetry-proto
 export OPENTELEMETRY_PROTO_VERSION="v1.1.0"
+# Check for recent changes: https://github.com/nginx/njs/compare/0.8.7...master
+export NJS_VERSION="0.8.7"
+
 export BUILD_PATH=/tmp/build
 ARCH=$(uname -m)
@@ -414,6 +417,12 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 " > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
+# checkout njs module
+cd "$BUILD_PATH"
+git clone -n https://github.com/nginx/njs
+cd njs/
+git checkout $NJS_VERSION
+
 # build nginx
 cd "$BUILD_PATH/nginx-$NGINX_VERSION"
@@ -478,6 +487,7 @@ WITH_MODULES=" \
 --add-module=$BUILD_PATH/lua-nginx-module \
 --add-module=$BUILD_PATH/stream-lua-nginx-module \
 --add-module=$BUILD_PATH/lua-upstream-nginx-module \
+ --add-module=$BUILD_PATH/njs/nginx \
 --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \
 --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \
 --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \
From 8ed9770b32fa9253f4cb1bfe7e03ec65fe26bb2b Mon Sep 17 00:00:00 2001
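Review bot: `git checkout $NJS_VERSION` in the njs checkout hunk pins the build to the mutable tag `0.8.7`, so the compiled module is whatever that tag points at on the day the image is built; a retagged or force-pushed tag upstream would change the shipped code with no signal in this script. Checking out the tag's commit id instead (a placeholder such as `NJS_COMMIT=<commit-id-of-0.8.7>` next to the `NJS_VERSION` export in the earlier hunk) or verifying the tag signature before the checkout gives a reproducible, attestable input. The expansion should also be quoted, `git checkout "$NJS_VERSION"`, to match `cd "$BUILD_PATH"` two lines above. Whether the script runs under `set -e` is not visible in the hunk, so a failed clone or checkout may not stop the build — worth confirming.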
From: Elizabeth Martin Campos
Date: Sat, 23 Nov 2024 18:53:18 +0100
Subject: [PATCH 2/2] Replace auth cache key generation Lua impl with NJS impl
---
 rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js | 7 +++++++
 rootfs/etc/nginx/template/nginx.tmpl | 9 +++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js
diff --git a/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js b/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js
new file mode 100644
index 0000000000..aa45fe2cae
--- /dev/null
+++ b/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js
@@ -0,0 +1,7 @@
+const crypto = require('crypto');
+
+function cache_key(req) {
+ return crypto.createHash('sha1').update(req.variables.tmp_cache_key).digest('base64');
+}
+
+export default { cache_key };
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index ad41ec7ee7..9717bfc657 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -74,6 +74,10 @@ http {
 init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua;
+ js_import /etc/nginx/js/nginx/ngx_conf_rewrite_auth.js;
+
+ js_set $njs_cache_key ngx_conf_rewrite_auth.cache_key;
+
 {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
 {{/* we use the value of the real IP for the geo_ip module */}}
 {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }}
@@ -988,9 +992,6 @@ stream {
 {{ if $externalAuth.AuthCacheKey }}
 set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
- set $cache_key '';
-
- rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua;
 proxy_cache auth_cache;
@@ -998,7 +999,7 @@ stream {
 proxy_cache_valid {{ $dur }};
 {{- end }}
- proxy_cache_key "$cache_key";
+ proxy_cache_key "$njs_cache_key";
 {{ end }}
 # ngx_auth_request module overrides variables in the parent request,
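Review bot: `cache_key` reads `req.variables.tmp_cache_key` with no guard or comment; in the template that variable is only `set` under the `AuthCacheKey` branch, so when it is undefined `update(undefined)` most likely throws inside the js_set handler, and a comment such as `// $tmp_cache_key is set by nginx.tmpl only when AuthCacheKey is configured; an unset variable must fail here rather than yield an empty key shared by every request` would make that intent explicit. SHA-1 is kept as the digest; I assume this mirrors the Lua implementation being replaced (not visible in this patch) so existing cache entries keep their keys, but a line in the commit message on key-format compatibility would help. Minor style: `require('crypto')` next to `export default` mixes module systems; if the pinned njs version supports it, `import crypto from 'crypto';` keeps the file consistently ESM, and njs handlers conventionally name the request parameter `r`.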
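Review bot: Removing `set $cache_key '';` in the `-988,9 +992,6` hunk leaves `$cache_key` undefined for any other reference to it in the template; the only use visible in this patch is the `proxy_cache_key` line rewritten in the following hunk, so this matters only if the variable is referenced elsewhere in nginx.tmpl (not visible here) — worth a grep before merging. As far as I know the js_set handler is evaluated lazily when `$njs_cache_key` is expanded rather than in the rewrite phase the Lua file ran in, which should be fine because `set $tmp_cache_key` runs in the rewrite phase and `proxy_cache_key` is read later, but a comment next to `proxy_cache_key "$njs_cache_key"` such as `# $njs_cache_key hashes $tmp_cache_key, which must be set in this location before the cache key is read` would keep that ordering dependency visible. The enclosing location block starts and ends outside the hunk.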