Nginx API authentication is easy to implement

Source: Internet
Author: User
Tags: oauth

Nginx is an excellent HTTP server in its own right, and it can also take on concerns that are independent of the application server's business logic (such as authentication), which makes the application server (such as an API) more flexible and powerful. This article demonstrates nginx's extensibility with a practical example.

0. Requirements: an interface that returns a movie list

A server-side programmer has written an interface for other people to call; it must return a list of movies as JSON. He wrote it in the best language in the world, with the following code:

--movie.php--

<?php
// Hard-coded rows standing in for a database query
$rows = array(
    array('id' => 1, 'title' => 'Reggae'),
    array('id' => 4, 'title' => 'Indie'),
    array('id' => 5, 'title' => 'Rap'),
    array('id' => 6, 'title' => 'cowbell')
);

// Serialize the rows as a JSON array and send it as the response body
$json = json_encode($rows);
echo $json;
?>

He submitted the task happily, but it did not stand the test of time for long: the PM asked him to add authentication to the interface, since it should not be a public interface.

1. What is authentication

He is a Google and StackOverflow fan, and after a few trips over the wall he settled on this approach: before accessing the movie interface, the caller first obtains a token as a credential, then uses that token to access the interface. This reduces the problem to two things:

a) Provide an endpoint that generates access tokens

b) Verify the access token before the movie.php interface is reached

Seeing the client-side programmer idly waiting for him to finish the interface, he first sent over the interface format:

a) Generate an access_token

http://192.168.1.102/token?appid=some_id&secret=some_secret

b) Add an access_token parameter to the movie interface

http://192.168.1.102/movie.php?access_token=some_token

And a few words of warning:

* Keep the values of appid and secret safe; they must not be exposed.

* access_token has an expiration time.

2. A flexible programmer

First, he considered that access_token values need to be stored and looked up, the more efficiently the better. MySQL plus memcached, or a Redis cache? This time he wanted something a little different, fast and efficient, so he chose HandlerSocket. HandlerSocket is a plugin for MySQL that, put simply, lets you operate on MySQL directly at the storage layer, bypassing the SQL layer. https://github.com/DeNA/HandlerSocket-Plugin-for-MySQL

Second, he started daydreaming: if only someone would take care of the authentication for me, I could concentrate on the API alone and not let a trace of authentication appear in my code. Thinking alone gets you nowhere, so within minutes he began trying out the idea.

* First, build the oauth_access_token table

CREATE TABLE oauth_access_token (
    id int(10) NOT NULL AUTO_INCREMENT,
    access_token varchar(255) DEFAULT NULL,
    expires_in int(10) NOT NULL,
    last_used_time int(10) NOT NULL,
    PRIMARY KEY (id),
    KEY access_token (access_token)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


* Add authentication to the API without changing its code, by specifying it directly in the nginx configuration

upstream hsock_rsrv {
    server 192.168.100.133:9998;
    keepalive 1024;
}

upstream hsock_wsrv {
    server 192.168.100.133:9999;
    keepalive 1024;
}

server {
    listen 80;

    location / {
        root html/api;
        index index.php;
    }

    oauth_db some_db;
    oauth_table oauth_access_token;

    # Generate access_token
    location /token {
        oauth_token hsock_wsrv;   # HandlerSocket's write server, the upstream defined above
        oauth_appid some_appid;
        oauth_secret some_secret;
        oauth_expires_in 2h;
    }

    location /check {
        internal;                 # added here: only subrequests may reach /check, external clients get 404
        oauth_check hsock_rsrv;   # used only by the API authentication subrequest; 200 means the token is valid
    }

    location ~ \.php$ {
        oauth_request /check;     # give the API authentication, through location /check above

        # Your API configuration goes here, PHP for example
        root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
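To make the division of labour above concrete, here is an added example (not code from the article or from the nginx-http-oauth-module) that models in Python what the /token and /check locations do and how the *.php location is gated by them: a token is issued only for a valid appid/secret pair, stored with its expiry and last-used time as in the oauth_access_token table, and movie.php is reached only after the check succeeds. The credential pair, the in-memory dict standing in for the table, and the choice to store expires_in as an absolute timestamp are assumptions of this example; the "now" parameter exists so expiry can be exercised without waiting two hours.

```python
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed credentials standing in for the oauth_appid / oauth_secret directives.
APP_CREDENTIALS = {"some_appid": "some_secret"}

# Stands in for the oauth_access_token table, keyed by access_token (the table's KEY).
# Assumption: expires_in is stored as an absolute Unix timestamp, not a duration.
TOKEN_TABLE = {}

EXPIRES_IN = 2 * 60 * 60  # oauth_expires_in 2h, in seconds


def issue_token(appid, secret, now=None, table=TOKEN_TABLE):
    """Model of 'location /token': verify appid/secret, then store and return a fresh token."""
    now = int(time.time()) if now is None else now
    expected = APP_CREDENTIALS.get(appid, "")
    # compare_digest runs in constant time so the secret does not leak through timing;
    # the empty default keeps the unknown-appid path on the same comparison code path.
    ok = hmac.compare_digest(expected.encode(), secret.encode()) and expected != ""
    if not ok:
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe alphabet
    table[token] = {"expires_in": now + EXPIRES_IN, "last_used_time": now}
    return 200, {"access_token": token, "expires_in": EXPIRES_IN}


def check_token(token, now=None, table=TOKEN_TABLE):
    """Model of 'location /check': 200 for a known, unexpired token, otherwise 401."""
    now = int(time.time()) if now is None else now
    row = table.get(token)
    if row is None:
        return 401
    if now >= row["expires_in"]:
        del table[token]  # expired rows are removed so the token cannot come back
        return 401
    row["last_used_time"] = now  # the column the table keeps for exactly this purpose
    return 200


def movie_php():
    """movie.php from the article: returns the list as JSON and knows nothing about tokens."""
    rows = [
        {"id": 1, "title": "Reggae"},
        {"id": 4, "title": "Indie"},
        {"id": 5, "title": "Rap"},
        {"id": 6, "title": "cowbell"},
    ]
    return 200, json.dumps(rows)


def handle_request(url, now=None, table=TOKEN_TABLE):
    """Model of the server block: /token issues, *.php is gated by a /check subrequest."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/token":
        return issue_token(query.get("appid", ""), query.get("secret", ""), now, table)
    if parts.path == "/check":
        return 404, None  # only the internal subrequest may use /check, never a client
    if parts.path.endswith(".php"):
        if check_token(query.get("access_token", ""), now, table) != 200:
            return 401, None  # the API code is never reached without a valid token
        return movie_php()
    return 404, None


if __name__ == "__main__":
    status, body = handle_request("http://192.168.1.102/token?appid=some_appid&secret=some_secret")
    print(status, body)
    token = body["access_token"]
    print(handle_request("http://192.168.1.102/movie.php?access_token=" + token))
    print(handle_request("http://192.168.1.102/movie.php?access_token=stale"))
```

The point to take from the model is that movie_php() has no notion of tokens at all: every decision about who may call it lives in handle_request(), just as in the nginx configuration it lives in the oauth_request directive.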

3. What's missing

The careful reader may have noticed that several of these directives are not supported by nginx out of the box, all of them beginning with oauth_: oauth_token, oauth_appid, oauth_secret, oauth_expires_in, oauth_check, oauth_request. OAuth itself is a protocol with many variants, from complex to simple; the API authentication here is just one of the simple forms, so calling it oauth is a bit of a stretch, but the name says what it does, so it is kept as the module name. To make it work, install the module:

> git clone git@github.com:hongzhidao/nginx-http-oauth-module.git

> cd /work/nginx-1.8.0 && ./configure --add-module=/work/nginx-http-oauth-module && make && make install

Source download: http://nglua.com/download/nginx-http-oauth-module.tar.gz

4. The general idea

Nginx is highly extensible. If your program is built on HTTP, common concerns can be handed to nginx for processing, so that the program itself focuses only on the business part. There are many good nginx modules on GitHub. I have a lot of interesting ideas and code around nginx, and look forward to exchanging them.

