We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Drive-by SSL certificate creation with nginx

00:00

Formal Metadata

Title
Drive-by SSL certificate creation with nginx
Title of Series
Part Number
3
Number of Parts
79
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
When working with webservers it's sometimes necessary to introduce some dynamic parts in the life cycle of an HTTP process. nginx provides this possibilities with an integration of Lua. On the example of dynamic SSL certificate creation we explore the capabilities of Lua within the core of nginx.
1
Thumbnail
09:05
11
23
Thumbnail
1:03:26
26
Thumbnail
1:01:01
30
Thumbnail
58:05
31
Thumbnail
53:11
43
60
Thumbnail
42:31
62
77
Thumbnail
10:59
FreewareOpen setSoftwareFront and back endsSoftware developerPublic key certificateProcess (computing)Social classBitInformation securitySoftware developerEndliche ModelltheorieWebsiteCellular automatonMereologyVector spaceBoss CorporationTwitterFront and back endsDivisorXMLUMLComputer animationLecture/Conference
Ideal (ethics)Metropolitan area networkPublic key certificateFreewarePoint cloudWeb 2.0Patch (Unix)Message passingStorage area networkScripting languageDomain nameReading (process)Online chatLecture/Conference
Ideal (ethics)Maxima and minimaMetropolitan area networkEvent horizonPublic key certificateMereologyPhysical systemVotingWeb 2.0Server (computing)Real numberSoftware developerLastteilungDependent and independent variablesElectric generatorCategory of beingLine (geometry)Different (Kate Ryan album)CASE <Informatik>Semiconductor memoryWebsiteLecture/Conference
Read-only memoryEvent horizonProxy serverCache (computing)Structural loadMetropolitan area networkMaxima and minimaArmProxy serverEvent horizonPhysical systemRevision controlMereologyDomain nameOpen sourceComputer animationLecture/Conference
Core dumpHost Identity ProtocolVideoconferencingLogarithmMetropolitan area networkEmailDirected graphMultiplicationGradientGoodness of fitCore dumpNatural languageBitModule (mathematics)LastteilungDuality (mathematics)3 (number)Process (computing)ThumbnailDifferent (Kate Ryan album)Computer animationLecture/Conference
EmailDigital filterIntegrated development environmentModul <Datentyp>Content (media)Different (Kate Ryan album)Basis <Mathematik>Module (mathematics)Physical systemRight angleEvent horizonSoftwareData managementComputer simulationGroup actionScripting languageFormal languageSpacetimeRewritingAuthenticationSocial classNumberComputer programmingCuboidType theoryFunctional (mathematics)Line (geometry)DatabaseProgrammschleifeSet (mathematics)Mathematical singularityVariety (linguistics)EmailProcess (computing)Client (computing)Object (grammar)Configuration spaceWater vaporSoftware frameworkReading (process)Constructor (object-oriented programming)Level (video gaming)Filter <Stochastik>MereologySampling (statistics)Web 2.0Extension (kinesiology)Programming languageWritingState of matterFile systemHash functionSpeicherbereinigungArithmetic meanWeb pageWeightTable (information)Game theoryHookingImplementationComputer fileEinbettung <Mathematik>Core dumpDynamical systemEvent-driven programmingPhase transitionComputer hardwareMathematicsLoginObject-oriented programmingProcedural programmingFront and back endsComputer animation
Modul <Datentyp>Metropolitan area networkDirect numerical simulationFormal languageRevision controlWeb 2.0Order (biology)Image resolutionProjective planeFirewall (computing)MereologyMultiplication signCore dumpGame theoryMachine codePoint cloudExecution unitLine (geometry)ImplementationCompilation albumFunctional (mathematics)Different (Kate Ryan album)Mathematical optimizationCodeCircleDevice driverServer (computing)Physical systemBit rateSoftware testingRule of inferenceChannel capacityWeb applicationVirtual machineCheat <Computerspiel>Module (mathematics)Operator (mathematics)Normal (geometry)Lecture/Conference
Drop (liquid)Set (mathematics)MereologyPhysical systemProcess (computing)Binary codeComputer architectureArithmetic meanProgram flowchartComputer animation
1 (number)INTEGRALPoisson-KlammerProcess (computing)Phase transitionNatural languageContent (media)Power (physics)System callDirection (geometry)EmailServer (computing)Normal (geometry)Computer animation
Metropolitan area networkCore dumpCodeExtension (kinesiology)ForceHookingModule (mathematics)Multiplication signVideo gameLecture/Conference
Server (computing)Cache (computing)Variable (mathematics)VarianceHexagonFile Transfer ProtocolFunction (mathematics)Drop (liquid)Linear regressionState of matterSoftware developerWeightVapor barrierCache (computing)MathematicsMereologyInformationPoint (geometry)Context awarenessServer (computing)Lattice (order)EmailNatural languageProxy serverVariable (mathematics)Formal languageVideo gameWeb 2.0Cycle (graph theory)Arithmetic meanCodeClient (computing)AlgorithmDifferent (Kate Ryan album)Filter <Stochastik>Parametrische ErregungPhase transitionCASE <Informatik>Process (computing)Sound effectMotion captureDegree (graph theory)Physical lawSocket-SchnittstelleConfiguration spaceDependent and independent variablesMultiplication signStructural loadFunction (mathematics)LastteilungMessage passingVarianceLatent heatParameter (computer programming)HTTP cookie
Metropolitan area networkMotion captureCausalityProxy serverFunction (mathematics)Client (computing)Dependent and independent variablesNewsletterExtension (kinesiology)Pay televisionDifferential (mechanical device)MultiplicationInformationBarrelled spaceDifferent (Kate Ryan album)Casting (performing arts)LoginServer (computing)DebuggerCentralizer and normalizerError messageForm (programming)Lecture/Conference
Modul <Datentyp>Network socketImplementationDirect numerical simulationRead-only memoryDirect numerical simulationQueue (abstract data type)Process (computing)Motion captureCore dumpArithmetic meanSpacetimeLibrary (computing)ImplementationRegulärer Ausdruck <Textverarbeitung>Slide ruleNetwork socketINTEGRALNormal (geometry)Client (computing)AlgorithmConnected spaceModule (mathematics)Communications protocolSemiconductor memoryCache (computing)Computer programmingImage registrationSocial classRight angleNatural languageSocket-SchnittstelleSystem callState of matterMetropolitan area networkMereologyWritingPhase transitionForm (programming)Computer animation
HexagonPower (physics)Module (mathematics)INTEGRALCombinational logicLipschitz-StetigkeitSpacetimeIntegrated development environmentArithmetic meanComputer animation
Different (Kate Ryan album)Moment (mathematics)Module (mathematics)Physical systemEndliche ModelltheorieCASE <Informatik>Integrated development environmentMedical imagingTouch typingBuildingLecture/Conference
Server (computing)Modul <Datentyp>Data managementBitBus (computing)Module (mathematics)Software testingOpen sourceWeb pageEncryptionLatent heatGodMixed realityStudent's t-testProjective planeType theoryData managementNatural languageIntegrated development environmentCartesian coordinate systemBitArithmetic meanCore dumpAuthenticationLocal ringLoginCentralizer and normalizerComputer animation
Value-added networkPhysical systemAssociative propertyInformationForceAuthenticationConfiguration spaceNatural languageIntegrated development environmentKinematicsArithmetic meanField (computer science)Group actionBitData managementLastteilungPlug-in (computing)Lecture/Conference
IcosahedronAssociative propertyMetropolitan area networkBasis <Mathematik>Pairwise comparisonService (economics)Different (Kate Ryan album)Mechanism designConnected spaceArithmetic meanPatch (Unix)Computer animation
Patch (Unix)Asynchronous Transfer ModeInternet service providerCore dumpModule (mathematics)Compilation albumPublic key certificateBranch (computer science)Computer fileProcess (computing)Projective planeSocial classNeuroinformatikArithmetic progressionMoment (mathematics)Open setPatch (Unix)BuildingNatural languageElectric generatorLecture/ConferenceComputer animation
Patch (Unix)Metropolitan area networkInternet service providerDemo (music)Public key certificateFreewareArithmetic meanCore dumpSoftware testingTouchscreenDemo (music)Patch (Unix)Electronic mailing listBranch (computer science)Set (mathematics)MereologyCausalityDomain nameNatural languageMoment (mathematics)Sign (mathematics)Lecture/Conference
Metropolitan area networkMaxima and minimaStorage area networkTotal S.A.Discrete element methodMusical ensembleClient (computing)Read-only memoryPhysical systemGraph (mathematics)CloningSet (mathematics)LoginService (economics)Cache (computing)CodeServer (computing)InformationIcosahedronKey (cryptography)Data typeInsertion lossInclusion mapCuboidFormal languagePublic key certificateTime zoneBitMultilaterationInformationArithmetic meanValidity (statistics)Connected spaceAuthorizationMathematicsSoftware testingSensitivity analysisComputer fileClient (computing)Different (Kate Ryan album)Server (computing)CodeVideo gameSource codeJSON
Server (computing)Metropolitan area networkSet (mathematics)Data typeInsertion lossUser profileIcosahedronExt functorClient (computing)Interrupt <Informatik>InformationDiscrete element methodTemporal logicArmDemo (music)NetzwerkverwaltungLine (geometry)SequenceLimit (category theory)InternetworkingProcess (computing)Public key certificateWeb browserAuditory maskingDirect numerical simulationSoftwareComputer animationSource code
Metropolitan area networkMenu (computing)Discrete element methodOpen setServer (computing)Reverse engineeringPoint (geometry)Key (cryptography)Public key certificateElectric generatorValidity (statistics)Structural loadPublic-key cryptographySet (mathematics)Extension (kinesiology)Serial portBitComputer fileServer (computing)Arithmetic meanMultiplication signCodeSign (mathematics)AuthorizationLimit (category theory)Object (grammar)Dependent and independent variablesClient (computing)NumberModule (mathematics)Patch (Unix)Open setState of matterComputer animationLecture/Conference
Metropolitan area networkGamma functionMaxima and minimaPredictabilityJava appletValue-added networkArmMultiplication signOracleDuality (mathematics)String (computer science)Configuration spaceSet (mathematics)Moment (mathematics)Arithmetic meanPublic key certificateDependent and independent variablesFreewareCartesian coordinate systemPhysical systemRight angleMathematicsBuilding2 (number)CASE <Informatik>WeightPublic-key cryptographyWeb 2.0Projective planeAutomationLatent heatServer (computing)File formatProcess (computing)Lecture/Conference
Physical systemNP-hardService (economics)OvalEscape characterOpen setCodeProjective planeRevision controlDevice driverInformation securityDynamical systemWeb 2.0Physical systemActive contour modelServer (computing)Escape characterSoftware testingConfiguration spaceScripting languagePhase transitionComputer fileRewritingService (economics)Reading (process)AdditionMathematicsArithmetic meanDisk read-and-write headPresentation of a groupInsertion lossMathematical analysisSpacetimeSearch engine (computing)Process (computing)Natural languageComputer animation
Metropolitan area networkRadio-frequency identificationDuality (mathematics)Lie groupSample (statistics)NP-hardCodeInformationIntegrated development environmentInformationMultiplication signProjective planeEmailWeb 2.0Disk read-and-write headFunction (mathematics)Software testingParametrische ErregungDynamical systemServer (computing)CodeParameter (computer programming)Lecture/ConferenceComputer animation
DemonWeb browserRepresentational state transferProjective planePublic-key cryptographyPublic key certificateQuicksortSign (mathematics)Condition numberCASE <Informatik>Software testingWeb 2.0WebsiteDisk read-and-write headMoment (mathematics)Multiplication signCodeFront and back endsArithmetic meanLecture/Conference
RobotSoftwareFreewareOpen setUniqueness quantificationPoint cloudOpen setComputer animation
Transcript: English(auto-generated)
I welcome you to my talk, drive by SSL certificate creation with NGINX.
During this talk, you will see what I mean by this, what I have in mind about an idea, what NGINX is capable of. First of all, about me, I'm Dominic. I'm working for a hosting company back in Switzerland. And we are compared to German market, quite small,
but we are in the top five of Switzerland, or top four. Everything is factor 10, smaller in Switzerland. I'm mostly the developer there, doing a lot of backend security of stuff. That's why I seldom have to pick something on the website.
That's part of my team's deal, but not mine. You find me on Twitter on DOL, or Dr. Dol. It's also my nickname. If you have questions, please ask right away,
and don't hesitate to wait at the end of the talk. I came across a capability of NGINX when Cloudflare in 2014 announced that they give away
free SSL certificates for all. And they explain what they are doing. And I followed along the NGINX community, because we used within the web hosting company that I work for. We used NGINX and the capabilities, the scriptable capabilities.
And I thought that would be nice having such a feature. And recently, there was a patch contributed by Cloudflare. And this talk is about this patch and the possibility. What this example shows, it's like this year is 2015.
And if ProseCon has a SSL certificate, that's only for this specific domain, has no SAN or Wi-Fi certificate. They have reissue certificate every year. The same goes for if you're a pass provider. Good example is Slack.
Maybe some of you know Slack as a chat program. Each company has its own subdomain. And I guess what they provide is a Wi-card certificate. What would be really nice is having a certificate on the fly generation per subdomain.
That's the whole idea behind. And I will introduce you the steps to build such a system. If it's reasonable, I don't know. It's more a technical challenge than it's more a it's not a real use case, but it could be.
In the example of Cloudflare, it's a good example. About Nginx, written and spelled, it's pronounced and spelled, it's a different thing. Nginx itself, if you're familiar, little vote who is more on the developer side
and who is more on the developer side. Who's responsible for server stuff and deploying. It's like the majority. Then I skip this quickly. I guess you know the second most used web server.
His properties are his high performance, low memory, footprint. He's a web server. He's also a proxy, a load balancer. You can do caching. Since the new version, version 1.9, you can also do TCP proxy.
That's a new feature that they introduced. They came along with HAProxy. The whole system is event driven and has an asynchronous design.
It started in 2002, went public in 2004, and now in 2014 Nginx.com, the company was built to have a professional support. The open source domain is Nginx.org.
The commercial one is Nginx.com. Think of Nginx, it's like Batman. He can do a lot of things and he's great and he's established. He has all the good benefits and features, but what makes Batman really, really a superhero
is that he has a lot of accessories that he can use. The same applies to Nginx. Nginx has quite a small core. Nginx is in the core capable of doing HTTP stuff, SSL stuff,
but not much with a little bit of logging, a little bit of load balancing. But in the ecosystem around Nginx are the accessories. People build in modules written in C to extend the capabilities or the belt of Nginx.
A few example, I took out, it's really Wild Wild West. If you're looking at the third party modules, you see abundant stuff. You see stuff like a video thumbnail extractor or a upload process. That's actually quite often used or a simple GIF that's generating GIFs on demand
and resizing them. Drizzle is also a thing that often used. It's a possibility to talk to MySQL within the Nginx scope and talk to Redis as well.
Here's a little example. That's actually two different third party modules. This one is the Echo module. You can write Echo. That's not in the core and it returns the value. And the other one, it's a Redis extension
because the first one was shitty. They built another one. With this example, you can set different values directly to Redis or read
and then do some dynamic global landing or configuration stuff. Another thing is Nginx because it's event driven. It has different phases of different stage during the start of a HTTP request
and then handling and finish it off. There are some steps in between. I left them out because they are mostly pre and post stuff, configuration read and write. The important one are the rewrite phase. In this phase, you could apply different rewrites,
how Nginx is behaving. Access phase, it's normal what you know about HTTP authentication. Try files is looking at the file system content.
It's delivering content out of different file system database, different backend. Log is after the process is done, it's get logged. And then you can apply filters if the request is like at the stage where you can push back to the client, you can do filtering of the header and the body.
An example you can see here, it's like the echo example. It's in the content phase. And the set is actually in the rewrite phase. And if you write a C extension, you have to decide
in which event you hook into the Nginx core and what are the changes you're applying. And because there are different modules, you can sometimes mess up stuff from other people. Then, Batman would be nothing without Robin.
Robin, in my talk, is Lua. Lua actually is a programming language. Lua is fast by design, not by design, because it has a very, very lightweight design.
It has, a good example is learn Lua in 15 minutes. That's a webpage. You can, if you're familiar with programming, within 15 minutes, I can assure you, you are capable. The syntax is so easy.
Embedable, embedable is one of the features that Lua is famous for. Means, for example, Far Cry and a lot of game engine have the possibility to write modifications in Lua. They expose different modification possibilities.
You see embedability also in the automotive industry where you have simulations and then you can hook in. Lua's used in network switches as well
to do packet filtering and on the fly, giving the scriptable language possibility to hardware boxes. That's actually from the 15 minutes. It's not the whole part, but you see the syntax is quite easy. You have no types.
Numbers are always doubles. And you have double and single quotes. You have multi-line. You have nil. If you nil something, it goes to garbage collector. And you have loops and if-else and there are some other constructs. You have what you know from different
programming language hashes or arrays. They have tables. They have no class support like object orientated. You can do, people do stuff, but no rich functionality. It's mostly procedural programming.
In the UNT, Lua as well has a lot of accessories. Lua comes with a rich variety of different modules. They can be written in Lua or in C itself.
What I mean by this, it's a good example for this is MVC. It's a web framework that's entirely written in Lua that you can use. Lua file system, it has some C extension
to hook into the file system itself. C JSON as well. It's like a C JSON implementation exposed to Lua. What you also have in the Lua space is Lua Rocks.
Lua Rocks is, if you're familiar with EasyInstall, PIP, NPM, all these different package manager in every language, it's quite limited compared to other tools that I saw. But most of the time it works. It works because people are not depending much
on each other's modules. Like the thing that you can see in the JavaScript community, two lines of code is a known module and everybody inherits these two lines and then you need circle dependency resolutions and conflict resolutions.
Lua has only a little part of this. Lua Rocks is capable of compiling C base code. That's quite a nice thing. If someone ships C embedded Lua functionality
with Lua Rocks, if you have the right dependencies on your OS operating system, then you could install this module. And as always, there's an awesome language GitHub account where they have a lot of summaries about different tools and stuff about this ecosystem.
Then there is Lua Cheat. Because Lua Cheat was started as a project, because the core or the language itself is so small, a guy, can't remember his name,
started the Lua Cheat project, and now you have the possibility to either use Lua or Lua Cheat. As the name Cheat for testing time compilers is saying, it's like if you run this code in a continuous way,
it optimizes on the fly a lot of code. This is very useful, for example, in a web server where you'd like to apply web application firewalls. These rules have to be run over and over and over again,
and they get hot and they're optimized and compiled to machine code, and then they run, they say, 10 to 100 times faster than the normal Lua implementation itself. One of the main drivers behind it is Cloudflare as well, because now they ship, I don't know,
around 10% of the traffic worldwide, and if they could optimize Lua Cheat by, I don't know, five or 10%, they gain a lot of capacity. Think of Lua Cheat, it's like Robin on steroids.
The also nice part about Lua Cheat, it compiles on nearly all systems and all process architectures, and it's binary compatible,
means that you can switch from Lua to Lua Cheat, and it has the same syntax and it works, but it works also on a PS3 or PS4, which is quite nice.
One thing to remember or to take away, they are Robin and, or Nginx and Lua, Robin and Batman are two heroes, enhanced with the community, with tools behind it, that's the foundation for Safer Street,
but that's not enough. You have Nginx and you have Lua, now we go to the part where these two are combined, and now we are at Nginx Lua or HTTP Lua module,
or the other name you can also find is Lua Nginx module, that's actually the Lua package name, that's the name on the documentation, and that's the GitHub name, it's kind of confusing if you're searching for the thing, it's all the same, yeah.
What it means, it's like embedding the power of Lua into Nginx, here is a small example, you'd like to get the content, content by Lua means within these brackets you write normal Lua code, and it gets integrated and it's printing out hello world,
that's basically the thing that's the integration, you have a lot of these, you have init by Lua, init worker, init is run once when the server starts,
when the new master comes up, init worker is when the master process forks a new worker process, you have set by Lua, in the previous example you've seen set as a directive of Nginx, now you can dynamically set things
in the scope of Nginx, rewrite access, content, log, header filter, and body filter, these are the phases where you can hook into Nginx and modify it by yourself, and it gained some attraction because you saw
this wild wild west of C modules, and people started migrating their code into Lua because the burden of maintaining C extension in an ever-changing Nginx core was too difficult
or too time consuming compared to Lua that always stays the same or more or less stays the same and that's the reason why you see nowadays a lot of modules and stuff moving to the Lua world, and old stuff ripped out or is dying off.
Another thing that is possible is Lua by, asterisk by Lua file, that means the difference here is you write this directly in your Nginx configuration
and here you can specify a specific Lua file, I always would recommend this way because you can see the burden that you have with double and single quotes within the Nginx configuration,
there's a fix on the way but need some time. And there's also another benefit, you can see it's Lua code, the Lua code normally if it's embedded by Lua file,
then it's compiled, meaning the Lua cheat compiles it into an optimized way, and then it's always interpreted from this optimized way. During development this is your, every single character that you change in the Lua file, you have to reload Nginx to get the updates
into your Nginx, that's one of the tricks that you can do, it's that you during development disable the cache and then you can edit right away and you always see the new updates
if a new request hits this Lua specific, sorry. Another thing it's, these are the parts where the Lua, Nginx Lua API comes in,
means within the scope of Lua you have to talk somehow to the web server, meaning that you need some API to talk to the outside world of Nginx. The first thing is Nginx Arc, it's something like you have on the console,
on the best script or in every other language, it's like parameters passed in, there's some situation where this happening, for example set by Lua, you can pass in parameters or in the filters, but that's rarely the case that you work with,
most of the time you work with Nginx vars, a good example is outside vars always has to be declared outside of the Lua scope, meaning that during the lifecycle of a request you could change the values.
This is very handy if you have, for example at this point, going to a proxy or to a proxy upstream and define the variable of the proxy and in the Lua code you could do health checks
or you could do a load balancing or intelligently load balancing algorithm and so on and so forth. If you set the variable in the right phase, then Nginx is performing proxy stuff
with this modified variable. Another thing is Nginx header, it's used to read and modify headers depending on the stage, if you're past the lock phase,
you're not able to modify them anymore. Nginx status is the HTTP status that's sent back to the client and Nginx context is also a handy thing if you have to pass information between phases,
meaning you have a rewrite phase that writes some information, extracted some information and you need this on a content phase, you can do context. It means if you're familiar with Android, it's like on an Android system, if you switch the view, you have to assign all the information on a context
and then switch the view, otherwise this information are lost. And that's quite handy if you're passing states or informations along with different phases. Is that clear?
Other things in the Lua API, Nginx Lua API, are the output stuff we saw like Nginx say send headers and so on and so forth. You could do redirect, exit, sub request,
I come to this later, and cosockets is some example about this too. Nginx capture, it's a nice thing. What you could do, you could do advanced cookie checking
or spam checking. In this example, what we are doing, it's like we're capturing during a process, we do a sub request within Nginx and waiting for the response
and then we interpret, this is like a HTTP request within a HTTP request. And you can do multiple captures. There's a capability of doing parallel capturing and aggregating the information and sending them back.
A useful example for this would be if you have a central login server, you could always use Nginx as a proxy and he's checking against this login server, are these credentials sent by these clients are valid in this, for this reason I let him pass,
otherwise I deny the access. An example that I used to implement was like MailChimp newsletter. I wanted to have a custom newsletter subscription form
and normally what I've done, it's like posting on my own website, capturing the stuff with Nginx, Nginx sends it to MailChimp server with the API credentials attached.
They are actually within Nginx and then I modify the response that I can differentiate between different errors on the front end side. These are the possibility that you could do with capture that.
Another thing, it's a co-socket IP. A thing about Nginx within these phases, everything has to be non-blocking. And in the Lua sphere, normally you have these Lua modules
and then for example, a simple HTTP or Redis implementation and they use a blocking socket underneath. Meaning if you use this library within Nginx, it's not gonna work because if a request comes in
and you're blocking while waiting for Redis to give you an answer, every other request has to wait until Redis gives you an answer. And for that reason, Nginx request soccer was introduced, meaning giving the user the possibility
to do non-blocking socket connection, TCP connection. There are UDP connection as well, but not much space on the slide. But what you have to do is implement a protocol on top of the socket, meaning like, yeah.
A nice feature about this is you can use keepalive, meaning that if you're not closing the connection, if a new request comes in, it reuses the keepalive connection. That's a handy thing to get more performance out of it.
A good example are the Redis memcache, MySQL, Postgres integration. DNS is actually a UDP implementation. What they look like, it's like you include the Lua Redis clients that's crafted for Nginx
or work within Nginx, and then you do your normal manipulation, reading, writing. Then there are lots of more stuff that you could do with Nginx and Lua.
For example, your flight threats, you can run some work offload. I've seen people doing a job queue within Nginx. That's a funny thing because you have init by worker, you could do things with this part, and it's a strange thing in light threats.
It actually works, but it's somehow scary. Shared memory access, meaning that because you have one master process and you have a lot of four worker processes,
you could share a caching layer over all these worker processes, meaning that there are some basic caching algorithms within there to help with the cache. Also, Regex is directly in the core
for modifications and stuff. That's basically it, and there's some tiny little things that I never counted, and they are there. But it's not cluttered, it's quite small, but you have, with this capture and co-socket thing,
you could do a lot. Meaning that if you combine these two, you get a Batmobile, it's kind of cool. It's like you have Nginx, and then you have Lua, you could do a lot of programming. But the problem is, you have to build it,
it's an old module, you have some people wrote on GitHub Redis integration, some people wrote the MySQL integration, and that's where OpenResty kicks in. OpenResty, it's actually a combination of Nginx, Lua JIT.
They use Lua JIT, they could also use Lua as well. Nginx, Lua, meaning the integration. RESTy, Lua, modules, and CLIPs, meaning aggregating a lot of stuff from the community
and packing it in the right space that you have a rich environment that you can start with, and a normal Makefile. That's very handy, you download OpenResty, make, make install. What it's doing in the background, it's more or less, first of all,
it downloads Lua JIT, compiles it, and Bets it in Nginx, compiles it with Nginx, and as a Nginx with all the different C modules, Nginx C modules, and Lua modules,
and then place it on the correct system. I think that's not happening at the moment. At the moment, no distro packages. What I normally do, I build distro packages myself. They're not that complicated, and I'm in touch with the creator
of the OpenResty project, but he's so busy at Cloudflare. I guess I have to contribute stuff. There's also Docker image existing, and yeah. But if, about RESTy modules,
the RESTy modules, as you saw, you have modules coming from Nginx, extending the Nginx core. You have modules coming from Lua, extending the Lua modules with Lua or Lua C, and the RESTy modules, it's always a mix between,
I don't know, it's also a little bit Wild Wild West. OpenResty project tried to only include modules that are well-maintained, that work, that are tested. Actually, the testing of OpenResty is quite impressive.
If you ever go on the OpenResty webpage, go to qa.openresty.org. They have heavy testing. Yeah, and that's the reason I never had any issues with OpenResty in our infrastructure. Another thing is, if you have to install things
that are not bundled with OpenResty, please use Lua Rocks and install it on one specific path, and within Nginx, you then can include this specific path of rocks into your current environment,
and then use the installed, yeah. It's not very easy, you have to get used to it, but once you use it, you, yeah, you get it going. If you need a BMW, take Kong.
Kong is actually an open source project from Mashable, it's a kind of a, how to, they do a lot of API, local and seeing, authentication and stuff, and what they build, they call it microservice and API management layer.
What they actually took, it's, because OpenResty has the things that you can build your application on top of it, what they actually done, it's going a step further, and for example, what they included is a central login layer,
or JWT decryption layer, and so on and so forth, central logging server, and meaning that in an ever-changing environment, you have an API where you can manage
your NGINX configuration, that's kind of a neat thing, you can add SSL host, you can add host, you can add authentication information, you can local and shutting thing down. What they use is a Cassandra cluster on each node, and the information are shared in this, yeah.
Best, if you need something, and they have a pluggable system, meaning that like in, like every one or two months, they bring out a new plugin that you can enable or disable, little bit of configuration, and then you have a new API endpoint where you can manage X, Y, Z.
That's kind of a cool and neat thing, and gain some attraction in the microservice Docker community, because that's a big deal to dynamically load balance thing without changing NGINX configuration.
One thing to take away is use ready-built tested solutions, looking at OpenResty, if you'd like to be more on the basics, or Kong, if you'd like more or less production-ready stuff.
Yeah, take the fast lane compared in association with Batman and dropping, take the fast lane of crime prevention. And now to the thing of my talk, what I was thinking, or I often,
I'm active in the OpenResty community, we use it within our company for different services, and recently there was a patch about SSL by Lua,
meaning that you could secure your SSL connection controlled by Lua, and Batman and Robin, they have the same problem, recently they were tapped, and now they have to introduce new mechanism to make them safe again on their phone.
This is actually a patch, it's not right now in OpenResty, it will be, as I mentioned, the creator of OpenResty is quite busy at Cloudflare. What they newly introduced is SSL certificate by Lua,
and SSL certificate by the Lua file. What it's actually doing is, it's a step before the process even happens, that you could do SSL generation, SSL delivery,
OSTP checking, stamping. There's a heavy discussion on issue 331 on the OpenResty project. At the moment, there's a branch, you can compile it.
What I've done, I took the branch, and I took the OpenResty project that's doing all the compilation and stuff, and swapped out the OpenResty, sorry, because OpenResty is downloading Lua engine X module, I swapped out this download
with the download of this branch. What I had to do, it's like, at the moment, you have to patch the engine core as well, because OpenResty downloads the engine X core, downloads also the Lua engine X module, and what I had to apply, it's like,
changing the branch in the download, and patching the engine X core before it's built. That's the thing that I had to do. It's not that tricky. The thing is powered by Cloudflare, meaning that they run this since, I don't know, 2013 or 14, I don't know,
meaning that it's definitely battle testing. That's the thing that's driving their SSL free for their customer. What they're actually doing is, they partnered with a CA, I'm not sure if it's GlobalSign,
and what they are doing, it's like combining a lot of domains, generating sound certificates, and what they have to do internally, if a domain, or they only support SNI, if a SNI request comes in, they look up in which certificate belongs to this list of sounds,
and they have to fetch their certificate from the backend, and because they have around 30 to 40 data centers, they have to do this on a distributed way. They do it on the fly, otherwise they have to send
a lot of SSL certificates across the globe, meaning if I hit now here, Cloudflare instance, that's not having my SSL certificate, it gets fetched on the fly, and it's kind of a neat, neat thing. And I was inspired by this,
and I can show you a demo about what I've done. Wait a second, switch to the other screen. What my setup is the following.
I have a vagrant box running. Sorry. I have a vagrant box running with Nginx and my Lua code. What I could do, it's, if I request in,
if I, ah, wait a sec, the obvious, sorry.
Now, what I'm actually doing, is the following, the scroll is working. I open an SSL client connection to local host,
giving a server name, meaning a SNI connection, test.driveby.tld, giving a CA file, meaning that certificate authority file for validation, meaning that checking the certificate that I get back, if it's, if it's,
if this CA signed this certificate, and what we see here, it's verified, verification chain, and what I add, dynamically generated by Lua at Saturday, 8.40,
because of time zones on my machine, and in the vagrant box, that's actually the two hours difference. If I hit it again, meaning I could get the same, but a little bit later, now it's 44,
and the CN, the common name, if I change it, and I take the short, then the information are here. If I pass in another subdomain, subdomain life 2015,
for example, then I get a new SN name, meaning the certificate is valid, but the Nginx score generated on the fly, SSL certificate, and is returning.
The same, I can show you with a fresh Firefox, problem if you work with Firefox, and install a lot of demo on drive here.
Nope, it's working, now it's okay.
The thing is that I, ah, that's stupid.
If I connect it to the internet, then the thing is I have a DNS mask entry within the DNS mask setup within the network manager, and if I'm not connected to the internet, then the DNS mask within network manager.
It's not responding, that's kind of a bummer. Yeah, but what I wanted to show, it's like what you could do on the fresh installation of Firefox, you could add the certificate authority, adding a new certificate, and then I can go to every subdomain, and I get a valid browser certificate or no warning.
Is that example clear what I wanted to show? Yeah, yeah, nevermind.
The actual code, sorry about that.
Not starting at the point where I left off. The code in Lua, or in Nginx, it looks like this. You, first of all, I include the module rest eSSL.
That's an extension coming from this SSL patch. Then I need OpenSSL for the whole certificate generation, key generation. And P key means like this public key cryptography. Then I require CSR, certificate sign request.
Afterwards, I load in the CA, meaning the certificate authority, certificate, load the thing from the file into an object that's actually the certificate.
Then I could do manipulation on the thing. The same happens to the key of the authority because with the key of the authority, I have to sign the newly generated key certificate.
What I then do, if it's not a SSL server name, meaning if it's not a SNI, if someone connects not with an SNI name, we drop out because of this limitation. Then I start with a new certificate request,
meaning the subject. That means the region generated by it, and you see here, that's actually the date. It's always included. And from the SNI name, the SNI name will be the so-called common name.
And what I then do is generate the new public and private key pair for the new certificate. Afterwards, I assign the key to the certificate and generate a certificate request.
The certificate request then, from the certificate request, a new certificate is issued. Actually, I had to change this because Firefox is blocking.
This is the serial number, meaning that the certificate authority have to increase the number of the serial for each certificate they issue. Firefox is actually checking this. I had to do this morning a little bit of hacking to overcome this issue.
Now it works. The code on the server is not the same. Little bit modified, but it's more or less in the same thing. Then I set the time, the validation time.
And what I then do, it's like taking this, the naming is wrong, meaning that the client certificate or the certificate is signed with the key and the certificate of the authority.
And here, that's actually where the magic happens. I guess in Cloudflare, it looks like this. The thing on the top is the generation and signing is somewhere offloaded. Meaning that the only thing that they do on the fly
is capturing the response and certificate on the fly and setting it and caching it on the local server. What we then do, it's clear the certificate that we had in the Nginx configuration, set the certificate in the format of the DER,
meaning a binary string. Converting the binary string to the certificate into a binary and the same goes to the private key of the public, sorry.
The same goes for the private key of the new generated certificate. That's all the thing that you need to do. At the moment, it's a little bit of tricky to get everything right, but I think in the future, you see a lot of application. My first idea was, at the moment,
if you heard about Let's Encrypt, it's an initiative from Mozilla, Akamai, Cisco. They try, they build an automated system to get you free SSL certificate. And my initial idea was going to an upstream server
to the Mozilla server, generating a valid public certificate reissuing on the fly, meaning that every time someone hits the server, I get an instantly valid certificate. I never have to think about reissuing or stuff,
everything I can write down in Lua. If someone hits the first time, he has to wait, I don't know, two seconds off or something, or I don't know, a minute, then the request responds, but the request afterwards, it's okay. Or I can do a cron job that is doing that every night.
That was the basic idea. At the moment, we are implementing this for our web hosting customers and during this work we saw that the API and the specification is changing too radically, that I could adopt these changes all the time
before the talk. I had to, I started with the adoption and I ran into the problem that, but actually the OpenSSL project had a lot of issues. First of all, I had to fix a lot of C code issues within this project before I could go on. And that's why we have only simplified version of that.
Needless to say, securing in an ever-changing system is hard, but it's also possible that you can introduce security layers
or dynamic stuff on the web server. Yeah, at least you can try, but don't produce snake oil. One of the pitfalls that I learned during my years and also preparing for this presentation, if you do a lot of nginx configuration modification,
please always run service nginx config test. I had sometimes the issue that I thought I had changed something, made a reload, but actually if you do a reload and you have config issues, nginx is doing nothing
and says nothing about it. And that's the reason why I always do service nginx config test and then a reload. The same happens if you do a lot of config changes. I have a when change is a little small Python script. If the file changes, I SSH into the server
and do a config test and reload the server. I also fell into this trap, like the escape characters in Lua. It's a pro sent or yeah, not very intuitive
but better than Ruby. And as I mentioned, always use Lua by file. It's easier to handle with and no escaping, huh? If you'd like to read post wars in a access phase,
meaning like one of the rewrite or access phase, then you have to do an additional request head body, meaning that in the phase of rewrite and access, nginx has not yet loaded the body or the post information.
Tips and tricks debugging in a nginx environment, especially in a dynamic nginx environment with Lua, it's not easy or actually hard. I was burned many times, like little pieces that, yeah. And one of the things that I often do
is like adding debug information to the header information, meaning like aggregating information. You could log all the information but the thing is on the log, sometimes on a busy server it happens so much thing. What you could do, I have special tags
and if I specify this hidden tag, it gets me like debug output on a live server. So now this kind of cool neat trick. What you actually also could do, it's like generating a tracer, tracing ID and then piping or giving this tracer ID
as a header parameter to the web server and then going through your logs, that's also a possibility. But I found the nginx header dump the easier. And if you're looking for code or useful example,
actually the OpenRTC project has very good tests and for this SSL talk, I had to look many times in the code because at the moment it's not yet documented and there are some conditions where the documentation will lack, yeah.
And I'm at the end of my talk, thank you for listening. Are there any questions, regards or concern about the stupidity about this project? Yeah?
What I do now, it's kind of a silly example, I generate for each request a new certificate. It's kind of stupid. It's not, but what you normally could do
is offloading money. As I mentioned, people doing worker demons within nginx, you could do the same. It's like if the first request hits the server, you could offload this to worker, then it's in its own worker and it's not blocking the other requests, yeah.
But you could do or, okay.
No, they run under the nginx user, meaning that I had to give well permission or at least for the CEA, for the CEA certificate, I had to give permission to the nginx user, yeah. But normally you do this in a secure backend
and then you get, yeah, yeah, yeah.
For the reason I need the private key to sign otherwise.
No, no, no, my use, yes, this use case, yes, but the use case of Let's Encrypt, for example, I go into a HTTP backend and they give me an SSL certificate. I could also program that I log in to the complicated website and do web scraping of.
global sign or something else that's not limited to this because with Lua you have the capabilities. For this purpose, because I'm not a CA, I have to trick with the browser to accept me as a CA. The initial idea was going to an official CA where they have a REST API where I can
issue. So far, thanks to H&CH, that's the guy behind all the REST stuff and Cloudflare for the
contribution and hopefully we'll see some of you in the OpenRST Nginx Lua community playing around. Thank you so much.