openresty+lua做接口调用权限限制
说明:openresty可以理解为一个服务器它将nginx的核心包含了过来,并结合lua脚本语言实现一些对性能要求高的功能,该篇文章介绍了使用openresty
1.purview.lua
--调用json公共组件 cjson = require("cjson") fun = require("ttq.fun") -- 引用公用方法文件 conf = require("ttq.ini") --引用配置文件 reds = require("ttq.redis_pool") --引用redis连接池 mysqld = require("ttq.mysql_pool") --引用mysql连接池 --参数校验 check_arg = fun:check_post_arg() --调用参数校验方法 arg_tables = {} --存储post的参数信息 if check_arg['status'] ==0 then --参数校验通过,获取返回的参数,并将参数拼接 arg_tables= check_arg['arg_tables'] get_info = string.format("%s:%s:%s",arg_tables['appid'],arg_tables['ip'],arg_tables['appkey']) else ngx.say(fun:resJson(-1,check_arg['msg'])) return; end --1.首先通过redis查找 --2.没有找到再找数据库 --3.根据appid查询项目是否授权 --4.项目获取权限成功,再查询ip是否被限制了 local res,err,value = reds:get_key(get_info) if not res then ngx.say(fun:resJson(-1,err)) return end if value == ngx.null then --redis数据未空,根据appid查询,查询信息是否一致 local sql_appid = string.format("select * from ttq_appid_list where appid= '%s' and appkey='%s' limit 1 ",arg_tables['appid'],arg_tables['appkey']) local res,msg,result = mysqld:query(sql_appid) --连接失败报错 if not res then ngx.say(fun:resJson(-1,msg)) end --未查找数据报错 if table.maxn(result)== 0 then ngx.say(fun:resJson(-1,'appid验证失败,被拦截')) return end --项目权限获取成功,需要验证ip是否被允许 local sql = string.format("select * from ttq_appid_white_list where appid='%s' and ip= '%s' limit 1 ",arg_tables['appid'],arg_tables['ip']) res,msg,result = mysqld:query(sql) if table.maxn(result)==0 then ngx.say(fun:resJson(-1,'该项目,非法操作或没有授予权限,被拦截')) return end --所有验证通过,最后写入redis缓存 ok, err = reds:set_key(get_info,1) ngx.say(fun:resJson(0,'该项目鉴权成功,可以访问')); return end --3.redis找到了信息鉴权成功 ngx.say(fun:resJson(0,"该项目鉴权成功,可以访问!"))
2.ini.lua
--配置相关方法 local _CONF = {} --返回redis配置文件 function _CONF.redis() local redis_config = {host='127.0.0.1',pass='123456',port=6379} --redis配置项 return redis_config end --返回mysql配置文件 function _CONF.mysql() local mysql_config = {host='127.0.0.1',port=3306,database='test',user='root',password='123456'} --mysql的配置项 return mysql_config end return _CONF
3.mysql_pool.lua
--连接mysql local mysql = require "resty.mysql" local mysql_pool = {} function mysql_pool:get_connect() if ngx.ctx[mysql_pool] then return true,'返回mysql连接池成功',ngx.ctx[mysql_pool] end local db, err_mysql = mysql:new() if not db then return false,"failed to instantiate mysql" end db:set_timeout(1000) -- 1 sec local ok, err_mysql, errno, sqlstate = db:connect{ host = conf.mysql()['host'], port = conf.mysql()['port'], database = conf.mysql()['database'], user = conf.mysql()['user'], password = conf.mysql()['password'], max_packet_size = 1024 * 1024 } if not ok then --ngx.say(fun.resJson(-1,"mysql connect failed")) return false,"mysql conncet failed" end --存储mysql连接池并返回 ngx.ctx[mysql_pool] = db return true,'mysql连接成功',ngx.ctx[mysql_pool] end --关闭mysql连接池 function mysql_pool:close() if ngx.ctx[mysql_pool] then ngx.ctx[mysql_pool]:set_keepalive(60000, 1000) ngx.ctx[mysql_pool] = nil end end --执行sql查询 function mysql_pool:query(sql) --ngx.say(sql) local ret,msg,client = self:get_connect() --连接数据库失败,返回错误信息 if not ret then return false,msg end --连接成功后执行sql查询,执行失败返回错误信息 local res,errmsg,errno,sqlstate = client:query(sql) --self:close() if not res then return false,errmsg end --ngx.say(res[1]['appid']) --ngx.say(res[1]['ip']) --执行成功,返回信息 return true,"查询信息成功",res end return mysql_pool
4.redis_pool.lua
local redis = require("resty.redis") local redis_pool = {} --连接redis function redis_pool:get_connect() if ngx.ctx[redis_pool] then return true,"redis连接成功",ngx.ctx[redis_pool] end local red = redis:new() red:set_timeout(1000) -- 1 sec local ok, err = red:connect(conf.redis()['host'],conf.redis()['port']) if not ok then return false,"failed to connect redis" end --设置redis密码 local count, err = red:get_reused_times() if 0 == count then ok, err = red:auth(conf.redis()['pass']) if not ok then return false,"redis failed to auth" end elseif err then return false,"redis failed to get reused times" end --选择redis数据库 ok, err = red:select(0) if not ok then return false,"redis connect failed " end --建立redis连接池 ngx.ctx[redis_pool] = red return true,'redis连接成功',ngx.ctx[redis_pool] end --关闭连接池 function redis_pool:close() if ngx.ctx[redis_pool] then ngx.ctx[redis_pool]:set_keepalive(60000, 300) ngx.ctx[redis_pool] = nil end end ---获取key的值 function redis_pool:get_key(str) local res,err,client = self:get_connect() if not res then return false,err end local keys = client:get(str) --self:close() return true,"获取key成功",keys end --设置key的值 function redis_pool:set_key(str,value) local res,err,client = self:get_connect() if not res then return false,err end client:set(str,value) --self:close() return true,"成功设置key" end return redis_pool
5.fun.lua
local _M = {} --返回json信息公用方法 function _M:resJson(status,mes) local arr_return = {} arr_return['status'] = status arr_return['msg'] = mes return cjson.encode(arr_return) end --字符串按指定字符拆分公用方法 function _M:lua_string_split(str, split_char) local sub_str_tab = {}; while (true) do local pos = string.find(str, split_char); if (not pos) then local size_t = table.getn(sub_str_tab) table.insert(sub_str_tab,size_t+1,str); break; end local sub_str = string.sub(str, 1, pos - 1); local size_t = table.getn(sub_str_tab) table.insert(sub_str_tab,size_t+1,sub_str); local t = string.len(str); str = string.sub(str, pos + 1, t); end return sub_str_tab; end --检测post过来的参数合法性 function _M:check_post_arg() local rule_count = 3 --接收POST过来的数据 ngx.req.read_body() local arg = ngx.req.get_post_args() local arg_count = 0 --存储参数个数 local arg_table = {appid,ip,appkey} local get_info --参数拼接字符串,方便redis操作 --遍历post过来的参数 for k,v in pairs(arg) do arg_count = arg_count+1 arg_table[k] = v end --参数赋值 appid = arg_table['appid'] ip = arg_table['ip'] appkey = arg_table['appkey'] --判断参数个数传递过来的参数要与规定的个数一致 if rule_count == arg_count then if string.len(appid) == 0 then return {status=-1,msg='参数传递错误,被拦截'} end if string.len(ip) == 0 then return {status=-1,msg='参数传递错误,被拦截'} end if string.len(appkey) == 0 then return {status=-1,msg='参数传递错误,被拦截'} end ---参数正确返回参数信息 return {status=0,msg='参数校验成功',arg_tables=arg_table} else return {status=-1,msg='参数传递错误,被拦截'} end end return _M
6.配置nginx.conf文件
上面的lua文件都是放在/data/local/openresty/lualib/ttq/目录下
location /lua{
lua_code_cache on;
content_by_lua_file /data/local/openresty/lualib/ttq/purview.lua;
}
#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 8083; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #默认读取body #lua_need_request_body_on; location /lua{ #default_type text/plain; default_type 'text/html'; #content_by_lua_file /data/luacode/demo.lua; #content_by_lua 'ngx.say("fsjfssfl")'; # content_by_lua_block{ #ngx.say("ok"); #local data = ngx.req.get_body_data() #ngx.say("hello",data); #} lua_code_cache on; content_by_lua_file /data/wwwroot/gitwork/learning/luacode/purview.lua; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } }
7.mysql数据设计
/* Navicat MySQL Data Transfer Source Server : 172.168.6.6 Source Server Version : 50622 Source Host : 172.168.6.6:3306 Source Database : ttq_user_center Target Server Type : MYSQL Target Server Version : 50622 File Encoding : 65001 Date: 2016-06-21 13:43:41 */ SET FOREIGN_KEY_CHECKS=0; -- ---------------------------- -- Table structure for `ttq_appid_list` -- ---------------------------- DROP TABLE IF EXISTS `ttq_appid_list`; CREATE TABLE `ttq_appid_list` ( `id` int(4) unsigned NOT NULL AUTO_INCREMENT, `appid` varchar(20) NOT NULL DEFAULT 'appid相当于项目名称', `appkey` varchar(20) NOT NULL COMMENT 'appid密码', `create_time` int(11) NOT NULL COMMENT '生产appid时间', PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='项目appid对应关系表'; -- ---------------------------- -- Records of ttq_appid_list -- ---------------------------- -- ---------------------------- -- Table structure for `ttq_appid_white_list` -- ---------------------------- DROP TABLE IF EXISTS `ttq_appid_white_list`; CREATE TABLE `ttq_appid_white_list` ( `id` int(10) unsigned NOT NULL AUTO_INCREMENT, `appid` char(20) NOT NULL COMMENT '项目标示或名称', `ip` varchar(15) NOT NULL COMMENT '项目允许访问对应的ip地址', PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='项目权限表'; -- ---------------------------- -- Records of ttq_appid_white_list -- ----------------------------
8.访问方法
<form action="http://192.168.3.128:8083/lua" method="post">
<input type="text" name="appid" value='ttq'></input>
<input type="text" name="ip" value='192.168.3.2'></input>
<input type="text" name="appkey" value='67872'></input>
<input type="submit" value="鉴权check"></input>
</form>
9.压力测试
压力测试效果非常可观
qps可以达到2225