Subject: Re: client certificates
From: Igor Sysoev (is-G@public.gmane.org)
Date: Dec 28, 2006 3:35:39 am
List: ru.sysoev.nginx

On Thu, 28 Dec 2006, Aleksandar Lazic wrote:

> I want to use some client certificates to act with my application user db.
>
> What I think is like this:
>
> ---
> perl_set $pass MyAuthCheck;
>
> location / {
>     if ($pass) {
>         fastcgi_pass ...
>     }
>     return 403;
> }
> ---
> MyAuthCheck(pseudo code):
> ---
> if( select user from $DB where USER = mysql_quote($ssl_client_s_dn) ||
>     select user from $DB where USER = mysql_quote($ssl_client_i_dn)){
>     return OK;
> }else {
>     return DECLINED;
> }
> ---
>
> Is it possible to get the
>
> http://wiki.codemongers.com/NginxHttpSslModule => variables at the bottom of the site into perl?

Yes, since 0.4.12 you can use

my $ssl_client_s_dn = $r->variable("ssl_client_s_dn");

> As far as I have understood the perl-module, there is the same problem as in lighty with lua:
>
> http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet#overview
>
> Is this assumption right?

Yes, you are right and this is documented in http://wiki.codemongers.com/NginxEmbeddedPerlModule

--- 2. If a Perl module performs protracted operation, (for example DNS lookups, database queries, etc), then the process that is running the Perl script is completely tied up for the duration of script. Therefore embedded Perl scripts should be extremely careful to limit themselves to short, predictable operations.

---

Since 0.5.3 the ngx_http_perl_module supports

$r->sleep(milliseconds, \&continuation_handler);

to delay Perl processing and return control to nginx:

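    package hello;

    use nginx;

    sub handler {
        my $r = shift;

        # set an nginx variable, then hand control back to nginx for 1000 ms
        $r->variable("var", "OK");
        $r->sleep(1000, \&next);

        return OK;
    }

    # continuation handler, called after the delay
    sub next {
        my $r = shift;

        $r->send_http_header;
        $r->print($r->variable("var"));

        return OK;
    }

    1;

    __END__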

I plan to add such non-blocking continuation Perl interfaces to DNS and MySQL. Some part of the MySQL code was even written in May 2006, but now it is frozen.

However, the main problem with "perl_set $pass MyAuthCheck;" is that currently nginx variables do not support a non-blocking interface. I plan to add it too.
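
An added example, not code from this thread or from the nginx project: one way to keep the "perl_set $pass ..." check within the "short, predictable operations" limit quoted above is to compare $ssl_client_s_dn against an in-memory list reloaded from a local file, instead of querying MySQL on every request. The module name, file path, reload interval and the nginx.conf wiring shown in the comments are assumptions.

```perl
# Added example: not code from this thread or from the nginx project.
# Assumed wiring (names and paths hypothetical):
#   http:   perl_modules perl/lib;  perl_require ClientCertAuth.pm;
#           perl_set $pass ClientCertAuth::check;
#   server: ssl_client_certificate /path/to/ca.pem;  ssl_verify_client on;
package ClientCertAuth;

use strict;
use warnings;
use nginx;

# Hypothetical export of the user DB, one subject DN per line, written by the
# application or a cron job so the worker never waits on MySQL.
my $ALLOW_FILE = '/etc/nginx/allowed_dns.txt';
my $RECHECK    = 30;    # seconds between mtime checks

my %allowed;            # empty until a load succeeds, so the check fails closed
my $loaded_mtime = 0;
my $next_check   = 0;

sub reload_if_changed {
    my $now = time;
    return if $now < $next_check;
    $next_check = $now + $RECHECK;
    my $mtime = (stat $ALLOW_FILE)[9];
    return if !defined $mtime || $mtime == $loaded_mtime;

    open my $fh, '<', $ALLOW_FILE or return;    # keep the previous list
    my %fresh;
    while (my $dn = <$fh>) {
        chomp $dn;
        next if $dn eq '' || $dn =~ /^#/;
        $fresh{$dn} = 1;
    }
    close $fh;
    %allowed      = %fresh;
    $loaded_mtime = $mtime;
}

# perl_set handler: "1" or "" so that "if ($pass)" in nginx.conf works.
sub check {
    my $r  = shift;
    my $dn = $r->variable('ssl_client_s_dn');
    return '' unless defined $dn && length $dn;    # no certificate presented
    reload_if_changed();
    return exists $allowed{$dn} ? '1' : '';        # exact string match only
}

1;
```

The file has to hold each DN exactly as nginx renders $ssl_client_s_dn, and every worker process keeps its own copy of the list.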