这里先不考虑让 Nginx 从请求中获取数据动态改变计算结果,仅做简单的代码调整,让 Nginx 能够调用我们之前实现的函数。
#include#include #include #include #include #include #include #include #include #include char privateKey[] = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" "MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQICTqoISmC8M0CAggA\n" ... ... "onL8DKhku9s/5NB+eEVC3v4JubSfph0GEiVemMIQxMI2\n" "-----END ENCRYPTED PRIVATE KEY-----\n"; char *passphrase = "soulteary.com"; int rsa_encrypt(unsigned char *data, int data_len, unsigned char *encrypted) { BIO *keybio; keybio = BIO_new_mem_buf(privateKey, -1); OpenSSL_add_all_algorithms(); RSA *rsa = PEM_read_bio_RSAPrivateKey(keybio, &rsa, NULL, passphrase); int encrypted_length = RSA_private_encrypt(data_len, data, encrypted, rsa, RSA_PKCS1_PADDING); BIO_free(keybio); RSA_free(rsa); return encrypted_length; } char *base64(const unsigned char *input, int length) { BIO *bmem, *b64; BUF_MEM *bptr; b64 = BIO_new(BIO_f_base64()); bmem = BIO_new(BIO_s_mem()); b64 = BIO_push(b64, bmem); BIO_write(b64, input, length); BIO_flush(b64); BIO_get_mem_ptr(b64, &bptr); char *buff = (char *)malloc(bptr->length); memcpy(buff, bptr->data, bptr->length - 1); buff[bptr->length - 1] = 0; BIO_free_all(b64); return buff; } static char *ngx_http_encrypt(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static ngx_int_t ngx_http_encrypt_handler(ngx_http_request_t *r); static ngx_command_t ngx_http_encrypt_commands[] = { {ngx_string("encrypt"), NGX_HTTP_LOC_CONF | NGX_CONF_NOARGS, ngx_http_encrypt, 0, 0, NULL}, ngx_null_command}; static ngx_str_t will_encrypt_string; static ngx_http_module_t ngx_http_encrypt_module_ctx = { NULL, /* preconfiguration */ NULL, /* postconfiguration */ NULL, /* create main configuration */ NULL, /* init main configuration */ NULL, /* create server configuration */ NULL, /* merge server configuration */ NULL, /* create location configuration */ NULL /* merge location configuration */ }; ngx_module_t ngx_http_encrypt_module = { NGX_MODULE_V1, &ngx_http_encrypt_module_ctx, /* module context */ ngx_http_encrypt_commands, /* module directives */ NGX_HTTP_MODULE, /* module type */ NULL, /* init master */ NULL, /* init module */ NULL, /* init process */ NULL, /* init thread */ NULL, /* exit thread */ NULL, /* exit process */ NULL, /* exit master */ NGX_MODULE_V1_PADDING}; static ngx_int_t ngx_http_encrypt_handler(ngx_http_request_t *r) { ngx_int_t rc; ngx_buf_t *b; ngx_chain_t out; /* we response to 'GET' and 'HEAD' requests only */ if (!(r->method & (NGX_HTTP_GET | NGX_HTTP_HEAD))) { return NGX_HTTP_NOT_ALLOWED; } /* discard request body, since we don't need it here */ rc = ngx_http_discard_request_body(r); if (rc != NGX_OK) { return rc; } /* set the 'Content-type' header */ r->headers_out.content_type_len = sizeof("text/html") - 1; r->headers_out.content_type.len = sizeof("text/html") - 1; r->headers_out.content_type.data = (u_char *)"text/html"; /* send the header only, if the request type is http 'HEAD' */ if (r->method == NGX_HTTP_HEAD) { r->headers_out.status = NGX_HTTP_OK; r->headers_out.content_length_n = will_encrypt_string.len; return ngx_http_send_header(r); } /* allocate a buffer for your response body */ b = ngx_pcalloc(r->pool, sizeof(ngx_buf_t)); if (b == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } char *preset_words = "hi"; will_encrypt_string.data = (u_char *)preset_words; will_encrypt_string.len = strlen(preset_words); unsigned char *test_data = (unsigned char *)will_encrypt_string.data; int data_len = will_encrypt_string.len; unsigned char rsa_encrypted[4096] = {}; int encrypted_length = rsa_encrypt(test_data, data_len, rsa_encrypted); char *base64_data = base64(rsa_encrypted, encrypted_length); will_encrypt_string.data = (u_char *)base64_data; will_encrypt_string.len = ngx_strlen(will_encrypt_string.data); /* attach this buffer to the buffer chain */ out.buf = b; out.next = NULL; /* adjust the pointers of the buffer */ b->pos = will_encrypt_string.data; b->last = will_encrypt_string.data + will_encrypt_string.len; b->memory = 1; /* this buffer is in memory */ b->last_buf = 1; /* this is the last buffer in the buffer chain */ /* set the status line */ r->headers_out.status = NGX_HTTP_OK; r->headers_out.content_length_n = will_encrypt_string.len; /* send the headers of your response */ rc = ngx_http_send_header(r); if (rc == NGX_ERROR || rc > NGX_OK || r->header_only) { return rc; } /* send the buffer chain of your response */ return ngx_http_output_filter(r, &out); } static char *ngx_http_encrypt(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_core_loc_conf_t *clcf; clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module); clcf->handler = ngx_http_encrypt_handler; return NGX_CONF_OK; }
将上面的内容保存为 ngx_http_encrypt_module.c,然后编写模块所需要的声明文件:
ngx_addon_name=ngx_http_encrypt_module if test -n "$ngx_module_link"; then ngx_module_type=HTTP ngx_module_name=$ngx_addon_name ngx_module_incs= ngx_module_deps= ngx_module_srcs="$ngx_addon_dir/ngx_http_encrypt_module.c" ngx_module_libs= . auto/module else HTTP_MODULES="$HTTP_MODULES ngx_http_encrypt_module" NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_encrypt_module.c" fi
在编译文件之前,我们先进行 Nginx 配置文件的编写:
load_module modules/ngx_http_encrypt_module.so; user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; keepalive_timeout 65; gzip on; server { listen 80; server_name localhost; location / { encrypt; } } }
我这里使用 Nginx 默认配置进行简单修改,在文件头部声明加载接下来编译生成的动态模块,在 location 配置中添加我自定义的 encrypt 指令,然后将上面的内容保存为 nginx.conf 等待后面使用。
接着,就能进行快速进行 Nginx 模块的编译开发了,还是先来编写一个用于编译插件的 Dockerfile:
FROM soulteary/prebuilt-nginx-modules:base-1.21.1-alpine AS Builder COPY src/config /usr/src/encrypt/ COPY src/ngx_http_encrypt_module.c /usr/src/encrypt/ WORKDIR /usr/src/nginx RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') \ CONFARGS=${CONFARGS/-Os -fomit-frame-pointer -g/-Os} && \ echo $CONFARGS && \ ./configure --with-compat $CONFARGS --add-dynamic-module=../encrypt && \ make modules FROM nginx:1.21.1-alpine COPY nginx.conf /etc/nginx/nginx.conf COPY --from=Builder /usr/src/nginx/objs/ngx_http_encrypt_module.so /etc/nginx/modules/
还是执行 docker build -t test . 构建一个基础镜像,然后执行 docker run –rm -it -p 8080:80 test 来进行功能测试。浏览器或终端访问本地的 8080 端口,不出意外,能够看的我们预期中 RSA 加密后的内容被正确的 Base64 编码后展示了出来。
使用 wrk 之类的软件进行压力测试,会发现相比较使用 Lua 方案,使用纯 Nginx 模块的方案,CPU 负载从 20% 左右降低到了个位数,甚至持续稳定在 1% 以内,结果还是比较惊艳的。