code
Level up your NGINX sites with OpenResty
March 2020
I recently learned about a drop-in replacement for NGINX called OpenResty - it's built on NGINX with extra modules but lets you use Lua in your server and location blocks. The power really shines when you apply a few plugins like lua-resty-auto-ssl and lua-resty-openidc.
My life changed realizing I wouldn't have to fumble with another certbot command in Docker. The lua-resty-auto-ssl plugin will automatically request an SSL certificate from Let's Encrypt on the first request to your domain, within a few seconds you're facing your site with a green lock. OpenResty lets you use Lua in an access_lua_block to decide whether the domain should be allowed or not, and then fall back to the self-signed certificate set in your NGINX config. Apparently tumblr uses this for their blog subdomains!
Meanwhile, you can finally stop using basic auth to protect your internal apps, and upgrade to Keycloak or Okta. The lua-resty-openidc plugin will redirect your user to your OpenID system and process the callback, set a cookie, and even handle a /logout route all within your NGINX config and without touching your application.
It's pretty magical ✨
To spread the love I've published a docker-compose project to bootstrap an OpenResty server with a proxy to Keycloak. There's a few examples for auto-ssl, protecting by login, and protecting with a role.