Closed selmertsx closed 5 years ago
https://github.com/openresty/docker-openresty#opm
Reading this document, it says the following:
Starting at version 1.11.2.2, OpenResty for Linux includes a package manager called opm, which can be found at /usr/local/openresty/bin/opm.
opm is built in all the images except alpine and stretch
So opm appears to be installed already.
I rewrote the nginx Dockerfile as follows.
# CentOS-based OpenResty image; opm is included (see the README quote above)
FROM openresty/openresty:1.13.6.2-0-centos
# Remove the image's default vhost so only app.conf is loaded from conf.d
RUN rm -f /etc/nginx/conf.d/*
ADD conf.d/app.conf /etc/nginx/conf.d/app.conf
# Installs lua-resty-openidc and its dependencies under /usr/local/openresty/site/
RUN opm install zmartzone/lua-resty-openidc
CMD ["/usr/bin/openresty", "-g", "daemon off;"]
* Fetching zmartzone/lua-resty-openidc
Downloading https://opm.openresty.org/api/pkg/tarball/zmartzone/lua-resty-openidc-1.6.1.opm.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 24740 100 24740 0 0 43487 0 --:--:-- --:--:-- --:--:-- 43556
* Fetching pintsized/lua-resty-http >= 0.08
Downloading https://opm.openresty.org/api/pkg/tarball/pintsized/lua-resty-http-0.12.opm.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 19953 100 19953 0 0 35959 0 --:--:-- --:--:-- --:--:-- 36016
Package pintsized/lua-resty-http 0.12 installed successfully under /usr/local/openresty/site/ .
* Fetching cdbattags/lua-resty-jwt >= 0.2.0
Downloading https://opm.openresty.org/api/pkg/tarball/cdbattags/lua-resty-jwt-0.2.0.opm.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 26288 100 26288 0 0 46202 0 --:--:-- --:--:-- --:--:-- 46281
* Fetching jkeys089/lua-resty-hmac >= 0.02
Downloading https://opm.openresty.org/api/pkg/tarball/jkeys089/lua-resty-hmac-0.02.opm.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5083 100 5083 0 0 11358 0 --:--:-- --:--:-- --:--:-- 11371
* Fetching openresty/lua-resty-string >= 0.08
Downloading https://opm.openresty.org/api/pkg/tarball/openresty/lua-resty-string-0.11.opm.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6144 100 6144 0 0 13551 0 --:--:-- --:--:-- --:--:-- 13562
Package openresty/lua-resty-string 0.11 installed successfully under /usr/local/openresty/site/ .
Package jkeys089/lua-resty-hmac 0.02 installed successfully under /usr/local/openresty/site/ .
Package cdbattags/lua-resty-jwt 0.2.0 installed successfully under /usr/local/openresty/site/ .
* Fetching bungle/lua-resty-session >= 2.8
Downloading https://opm.openresty.org/api/pkg/tarball/bungle/lua-resty-session-2.22.opm.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 34274 100 34274 0 0 54301 0 --:--:-- --:--:-- --:--:-- 54231
Package lua-resty-string-0.11 already installed.
Package bungle/lua-resty-session 2.22 installed successfully under /usr/local/openresty/site/ .
Package zmartzone/lua-resty-openidc 1.6.1 installed successfully under /usr/local/openresty/site/ .
How do I verify that the install actually worked... I guess I'll try https://github.com/pintsized/lua-resty-http
local http = require "resty.http"
local httpc = http.new()
local res, err = httpc:request_uri("http://selmertsx.hatenablog.com/", {
    method = "GET",
    headers = {
        ["Content-Type"] = "application/x-www-form-urlencoded",
    }
})
-- res is nil on connection/DNS/TLS failure; err carries the reason
if not res then
    ngx.say("request failed: ", err)
    return
end
ngx.say(res.body)
Confirmed that the above works. When I try an https connection I get the error below.
pomodoro-web | 2018/07/09 04:57:53 [crit] 95#95: *34 connect() to [2404:6800:4004:80a::2003]:443 failed (99: Cannot assign requested address), client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
pomodoro-web | 172.19.0.1 - - [09/Jul/2018:04:57:53 +0000] "GET /test HTTP/1.1" 200 62 "-" "curl/7.54.0"
https://github.com/pintsized/lua-resty-http/issues/42#issuecomment-359959429
pomodoro-web | 2018/07/09 05:22:28 [crit] 11#11: *4 connect() to [2404:6800:4004:80a::2003]:443 failed (99: Cannot assign requested address), client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
pomodoro-web | 2018/07/09 05:25:30 [error] 11#11: *7 lua ssl certificate verify error: (20: unable to get local issuer certificate), client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
pomodoro-web | 172.19.0.1 - - [09/Jul/2018:05:25:30 +0000] "GET /test HTTP/1.1" 200 73 "-" "curl/7.54.0"
Now a different kind of error appeared.
Looking at https://github.com/zmartzone/lua-resty-openidc, the following settings are required.
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
I need to get a proper understanding of these directives.
The certificates did exist in the nginx container.
➜ pomodoro git:(master) ✗ docker exec -it pomodoro-web /bin/bash
[root@bba9dae7baca /]# ls -al /etc/ssl/certs/
total 8
drwxr-xr-x 2 root root 4096 Apr 2 18:38 .
drwxr-xr-x 5 root root 4096 Apr 2 18:38 ..
lrwxrwxrwx 1 root root 49 Apr 2 18:38 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root 55 Apr 2 18:38 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
So, now that https connections work for the time being, moving on.
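As an added example (not the issue author's config and not taken from the lua-resty-openidc or lua-resty-http projects), this is the shape of an nginx config that makes the https request above verify correctly on the CentOS image. The README snippet points at /etc/ssl/certs/ca-certificates.crt, which is the Debian/Ubuntu bundle path; the ls output above shows that the CentOS image exposes its bundle as /etc/ssl/certs/ca-bundle.crt. The /test location, the 8.8.8.8 resolver and the example.com target are assumptions.

```nginx
# Added example. Assumes the openresty/openresty:*-centos image shown above.
http {
    # CentOS/RHEL CA bundle (the symlink seen in the ls output above).
    # On Debian/Ubuntu images use /etc/ssl/certs/ca-certificates.crt instead.
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
    lua_ssl_verify_depth 5;

    # cosocket connections need an explicit resolver; ipv6=off avoids the
    # "connect() to [2404:...]:443 failed (99: Cannot assign requested address)"
    # seen above when the container has no IPv6 route but DNS returns AAAA first.
    resolver 8.8.8.8 ipv6=off;

    server {
        listen 8080;

        location /test {
            content_by_lua_block {
                local http = require "resty.http"
                local httpc = http.new()
                local res, err = httpc:request_uri("https://example.com/", {
                    method = "GET",
                    -- verify the server certificate against lua_ssl_trusted_certificate;
                    -- leaving this off silently accepts any certificate
                    ssl_verify = true,
                })
                if not res then
                    -- e.g. "20: unable to get local issuer certificate" when the
                    -- bundle path is wrong for the base image
                    ngx.status = ngx.HTTP_BAD_GATEWAY
                    ngx.say("request failed: ", err)
                    return ngx.exit(ngx.HTTP_BAD_GATEWAY)
                end
                ngx.say(res.status, " ", #res.body, " bytes")
            }
        }
    }
}
```

A quick check that the bundle path is right for the image is `openssl x509 -in /etc/ssl/certs/ca-bundle.crt -noout -subject | head -1` inside the container; if that file is missing, `lua_ssl_trusted_certificate` fails at startup rather than at request time.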
local opts = {
    -- path on this server that the IdP redirects back to
    redirect_uri_path = "/",
    -- OpenID Connect discovery document URL (values elided in the original)
    discovery = "xxx",
    client_id = "xxx",
    client_secret = "xxx",
}
-- authenticate() redirects to the IdP when there is no session and returns
-- the validated id_token / user info once the user is logged in
local res, err = require("resty.openidc").authenticate(opts)
if err then
    ngx.status = 500
    ngx.say(err)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
-- pass the subject claim to the upstream app
ngx.req.set_header("X-USER", res.id_token.sub)
pomodoro-web | 2018/07/09 10:22:04 [debug] 45#45: *21 [lua] openidc.lua:488: openidc_discover(): response data: {"authorization_endpoint":"xxx....."}
pomodoro-web | 2018/07/09 10:22:04 [error] 45#45: *21 [lua] openidc.lua:495: openidc_discover(): issuer field in Discovery data does not match URL, client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
So it went and fetched the discovery document, but was told that the issuer value is wrong.
For now I'll go as far as passing environment variables to nginx and lua and fiddling with that.
I want to pass environment variables to lua
https://stackoverflow.com/questions/39168380/nginx-env-directive-is-not-allowed-here https://qiita.com/catatsuy/items/696d8535de03d8c22a8b
That's about it for now. Let's go up to this point.
http://devdocs.io/nginx_lua_module/#system-environment-variable-support
It says to put it in nginx.conf.
The conf of the docker-openresty image I'm using looks like this: https://github.com/openresty/docker-openresty/blob/master/nginx.conf
Looks like I should rewrite this.
https://github.com/openresty/docker-openresty/blob/master/centos/Dockerfile#L57
This seems to be where it gets pasted in.
Got it to the point where it works for now, so closing.
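As an added example (not the issue author's config and not from the lua-resty-openidc project), this is the nginx.conf shape that the linked lua-nginx-module docs describe: `env` directives live in the main (top-level) context, which is why they are rejected inside a server block, and `os.getenv()` then reads them from Lua. It combines that with the openidc snippet above so the client secret is never written into the config file. The variable names OIDC_DISCOVERY, OIDC_CLIENT_ID and OIDC_CLIENT_SECRET, the /redirect_uri path, the resolver and the upstream app:3000 are assumptions.

```nginx
# Added example. Replaces the image's nginx.conf (the file the Dockerfile link
# above copies to /usr/local/openresty/nginx/conf/nginx.conf).
# env must be in the main context; inside http/server it is "not allowed here".
env OIDC_DISCOVERY;
env OIDC_CLIENT_ID;
env OIDC_CLIENT_SECRET;

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;  # CentOS bundle path
    lua_ssl_verify_depth 5;
    resolver 8.8.8.8 ipv6=off;

    # caches used by lua-resty-openidc (from its README)
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    server {
        listen 8080;

        location / {
            access_by_lua_block {
                -- read secrets from the environment instead of the config file
                local opts = {
                    redirect_uri_path = "/redirect_uri",
                    discovery = os.getenv("OIDC_DISCOVERY"),
                    client_id = os.getenv("OIDC_CLIENT_ID"),
                    client_secret = os.getenv("OIDC_CLIENT_SECRET"),
                }
                -- fail closed if a variable was not exported with env above
                for _, k in ipairs({ "discovery", "client_id", "client_secret" }) do
                    if not opts[k] or opts[k] == "" then
                        ngx.log(ngx.ERR, "missing environment variable for opts.", k)
                        return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                    end
                end

                local res, err = require("resty.openidc").authenticate(opts)
                if err then
                    ngx.status = 500
                    ngx.say(err)
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end
                ngx.req.set_header("X-USER", res.id_token.sub)
            }
            proxy_pass http://app:3000;
        }
    }
}
```

With this in place the values are supplied at run time, e.g. `docker run -e OIDC_DISCOVERY=... -e OIDC_CLIENT_ID=... -e OIDC_CLIENT_SECRET=... pomodoro-web`; a variable that is not listed with `env` is invisible to the workers even if it is set in the container.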