Nginx
Integrating Aperture with Nginx using Lua modules.
Introduction
Lua modules are scripts that Nginx can execute to extend its functionality. The Aperture Lua module can be downloaded from the GitHub Aperture Release Page.
Pre-requisites
Before proceeding, ensure that you have the following installed:
Skip these steps if the Nginx server is running on a Container.
- Nginx server
- lua-nginx-module enabled for Nginx. If not, follow the installation steps.
- LuaRocks, which is a package manager for Lua modules. Follow the installation steps.
Installation
To install the Aperture Lua module, follow these steps:
Refer to Example Dockerfile to get the steps for installing the Aperture Lua module for Nginx server running on Container.
1. Install the opentelemetry-lua SDK by running the following commands:
   git clone https://github.com/fluxninja/opentelemetry-lua.git
   cd opentelemetry-lua
   luarocks make
2. Download and extract the Aperture Lua module by executing the following commands:
   wget "https://github.com/fluxninja/aperture/releases/download/v2.6.0/aperture-lua.tar.gz" && tar -xzvf aperture-lua.tar.gz
3. Install the module by running the following command:
   cd aperture-lua && luarocks make aperture-nginx-plugin-0.1.0-1.rockspec
Example Dockerfile
Use the following Dockerfile to install the Aperture Lua module with Nginx. This example uses fabiocicerchia/nginx-lua as the base image because it already has the lua-nginx-module pre-configured with Nginx.
FROM fabiocicerchia/nginx-lua:1.23.3-debian-compat
RUN apt update && apt-get install -y build-essential git
RUN git clone https://github.com/fluxninja/opentelemetry-lua.git && cd opentelemetry-lua && luarocks make
RUN curl --fail --location --remote-name "https://github.com/fluxninja/aperture/releases/download/v2.6.0/aperture-lua.tar.gz"
RUN tar -xzvf aperture-lua.tar.gz && luarocks make aperture-nginx-plugin-0.1.0-1.rockspec
COPY nginx_config.conf /etc/nginx/nginx.conf
ENTRYPOINT [ "nginx", "-g", "daemon off;" ]
Configure Nginx
Follow these steps to configure Nginx to use the installed Aperture Lua module:
1. To connect to the Aperture Agent, create an environment variable called APERTURE_AGENT_ENDPOINT and set it to the endpoint of the Aperture Agent. If you are using a bash shell, you can create this variable by running the following command:
   echo 'export APERTURE_AGENT_ENDPOINT="http://aperture-agent.aperture-agent.svc.cluster.local"' >> ~/.profile
   Replace the endpoint value with the actual endpoint value of the Aperture Agent if you're on a different one.
2. Optionally, create an environment variable APERTURE_CHECK_TIMEOUT, which is used as the timeout for execution of the Aperture check. The default value for it is 500m, which is 500 milliseconds. For example, use the following command in bash:
   Info: The format for the Timeout parameter can be found at the following link.
   echo 'export APERTURE_CHECK_TIMEOUT="1S"' >> ~/.profile
3. Add the init_by_lua_block section under the http block of the Nginx configuration to initialize the Aperture Lua module:
   http {
       ...
       init_by_lua_block {
           access = require "aperture-plugin.access"
           log = require "aperture-plugin.log"
           headers = require "aperture-plugin.headers"
       }
       ...
   }
4. Add the access_by_lua_block section under the http block of the Nginx configuration to execute the Aperture check for all servers and locations before the request is forwarded to upstream:
   http {
       ...
       access_by_lua_block {
           local authorized_status = access(ngx.var.control_point)
           if authorized_status ~= ngx.HTTP_OK then
               return ngx.exit(authorized_status)
           end
       }
       ...
   }
5. Add the header_filter_by_lua_block section under the http block of the Nginx configuration to add the headers received from the Aperture check to the response being returned to the client:
   http {
       ...
       header_filter_by_lua_block {
           headers()
       }
       ...
   }
6. Add the log_by_lua_block section under the http block of the Nginx configuration to forward the OpenTelemetry logs to Aperture for all servers and locations after the response is received from upstream:
   http {
       ...
       log_by_lua_block {
           log()
       }
       ...
   }
7. Aperture needs the control_point variable to refer to the service in the Aperture Policy. Set it from the Nginx location block:
   http {
       ...
       server {
           location /service1 {
               set $control_point "service1-demo-app";
               proxy_pass http://service1-demo-app.demoapp.svc.cluster.local:80/request;
           }
       }
       ...
   }
Below is what a complete Nginx configuration looks like:
worker_processes auto;
pid /run/nginx.pid;
events {
    worker_connections 4096;
}
http {
    default_type application/octet-stream;
    resolver 10.96.0.10;
    sendfile on;
    keepalive_timeout 65;
    init_by_lua_block {
        access = require "aperture-plugin.access"
        log = require "aperture-plugin.log"
        headers = require "aperture-plugin.headers"
    }
    access_by_lua_block {
        local authorized_status = access(ngx.var.control_point)
        if authorized_status ~= ngx.HTTP_OK then
            return ngx.exit(authorized_status)
        end
    }
    log_by_lua_block {
        log()
    }
    header_filter_by_lua_block {
        headers()
    }
    server {
        listen 80;
        proxy_http_version 1.1;
        location /service1 {
            set $control_point "service1-demo-app";
            proxy_pass http://service1-demo-app.demoapp.svc.cluster.local:80/request;
        }
        location /service2 {
            set $control_point "service2-demo-app";
            proxy_pass http://service2-demo-app.demoapp.svc.cluster.local:80/request;
        }
        location /service3 {
            set $control_point "service3-demo-app";
            proxy_pass http://service3-demo-app.demoapp.svc.cluster.local:80/request;
        }
    }
}
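Because the check runs at the http level while $control_point is set per location, a configuration review should confirm that all four Lua blocks are present and that every proxied location names its control point. The following is an added example, not code from the Aperture project: lint, block_body and the sample configuration are constructed for illustration, and the brace matcher assumes no braces inside comments or quoted strings.

```python
import re

# Constructed sample: log_by_lua_block is absent and /service2 sets no $control_point.
SAMPLE_CONF = """
http {
    init_by_lua_block {
        access = require "aperture-plugin.access"
        log = require "aperture-plugin.log"
        headers = require "aperture-plugin.headers"
    }
    access_by_lua_block {
        local authorized_status = access(ngx.var.control_point)
        if authorized_status ~= ngx.HTTP_OK then
            return ngx.exit(authorized_status)
        end
    }
    header_filter_by_lua_block { headers() }
    server {
        location /service1 {
            set $control_point "service1-demo-app";
            proxy_pass http://service1-demo-app.demoapp.svc.cluster.local:80/request;
        }
        location /service2 {
            proxy_pass http://service2-demo-app.demoapp.svc.cluster.local:80/request;
        }
    }
}
"""

REQUIRED_BLOCKS = [p + "_by_lua_block" for p in ("init", "access", "header_filter", "log")]

def block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")

def lint(conf):
    """Report missing Aperture Lua blocks and proxied locations lacking $control_point."""
    findings = [f"missing {name}" for name in REQUIRED_BLOCKS
                if not re.search(rf"^\s*{name}\s*\{{", conf, re.M)]
    for m in re.finditer(r"^\s*location\s+([^{]+?)\s*\{", conf, re.M):
        body = block_body(conf, m.end() - 1)
        if "proxy_pass" in body and not re.search(r"\bset\s+\$control_point\s", body):
            findings.append(f"location {m.group(1)}: no $control_point")
    return findings
```

Calling lint on the text of nginx.conf returns an empty list when nothing is missing, so it can gate a deployment alongside nginx -t.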