Is lua-resty-openssl-aux-module still required to run lua-resty-openssl in production?
We are using official OpenResty Docker images as base, e.g. openresty/openresty:1.19.9.1-1-alpine-fat, and installing pgmoon into it in order to access Postgres:
luarocks install pgmoon
After upgrading Postgres from 12.x to 14.x we ran into:
[error] 216#216: *1 lua entry thread aborted: runtime error: /usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:397: module 'resty.openssl.ssl' not found:
no field package.preload['resty.openssl.ssl']
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.ljbc'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.ljbc'
no file '/usr/local/openresty/lualib/resty/openssl/ssl.ljbc'
no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.ljbc'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.lua'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.lua'
no file '/usr/local/openresty/lualib/resty/openssl/ssl.lua'
no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.lua'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.ljbc'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.ljbc'
no file '/usr/local/openresty/lualib/resty/openssl/ssl.ljbc'
no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.ljbc'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.lua'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.lua'
no file '/usr/local/openresty/lualib/resty/openssl/ssl.lua'
no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.lua'
no file './resty/openssl/ssl.lua'
no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/resty/openssl/ssl.lua'
no file '/usr/local/share/lua/5.1/resty/openssl/ssl.lua'
no file '/usr/local/share/lua/5.1/resty/openssl/ssl/init.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openssl/ssl.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openssl/ssl/init.lua'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.so'
no file '/usr/local/openresty/lualib/resty/openssl/ssl.so'
no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.so'
no file '/usr/local/openresty/lualib/resty/openssl/ssl.so'
no file './resty/openssl/ssl.so'
no file '/usr/local/lib/lua/5.1/resty/openssl/ssl.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openssl/ssl.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openssl/ssl.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
stack traceback:
coroutine 0:
[C]: in function 'require'
/usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:397: in function 'auth'
/usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:268: in function 'connect'
and OpenResty couldn't connect to Postgres anymore.
The fix was to add lua-resty-openssl:
luarocks install lua-resty-openssl
Now the connection works, but we are getting the following warning:
[lua] nginx.lua:260: get_ngx_ssl_from_socket_ctx(): note resty.openssl.auxiliary.nginx is using plain FFI and it's only intended to be used in development, consider using lua-resty-openssl.aux-module in production.
It looks like we need to install https://github.com/fffonion/lua-resty-openssl-aux-module
But, as far as I understand it, we would need to build OpenResty from source to do so.
Is lua-resty-openssl-aux-module still required to run in production?
What are the drawbacks of running lua-resty-openssl in production without lua-resty-openssl-aux-module?
Is there a way to add lua-resty-openssl-aux-module to the official OpenResty Docker image without building from source?
Thanks!
Hi @wkruse, the lua-resty-openssl-aux-module uses a compile-time calculated offset to get SSL objects, so it can never go wrong. Without that, we are using a pre-defined offset calculated during run-time; it will just work with an official OpenResty build (as tested in CI), but may not work if you patched it, or built it from Nginx without applying all OpenResty patches, etc.; and when that happens, the outcome could be a segfault.
If you are just testing things out, or you are using the official OpenResty bundle, using it without the aux-module is fine. Alternatives are:
- Build the openresty binary again, with the aux-module included, as you suggested
- Use the source tarball of the same version from OpenResty, build the aux-module as a dynamic module, and use it with the official binary.
- Use other openssl bindings like luaossl.
Specifically to your use case after upgrading Postgres from 12.x to 14.x: it's because Postgres 14 by default switched to scram-sha-256 auth, a scheme that pgmoon requires the lua-resty-openssl module to support. So the other way, if you just want it to work as before, is to tell Postgres to go back to md5, and pgmoon won't require lua-resty-openssl to connect.
But do note that Postgres introduced scram-sha-256 for better security, so you might need to audit the risk carefully.
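A startup preflight check, added here as an example and not taken from this issue, pgmoon or lua-resty-openssl: it turns the "module 'resty.openssl.ssl' not found" error quoted above, which only surfaced on the first Postgres login at request time, into a failure of nginx startup (and of nginx -t), where a misbuilt image is caught before it serves traffic. It assumes pgmoon and lua-resty-openssl were installed with luarocks and that the snippet is placed in an init_by_lua_block.

```lua
-- Added example (not part of the issue or the projects discussed).
-- Intended for init_by_lua_block: error() there aborts nginx startup,
-- so a missing Lua module is reported once, clearly, instead of as a
-- "lua entry thread aborted" on the first SCRAM-SHA-256 authentication.

local function check_module(name)
  local ok, result = pcall(require, name)
  if not ok then
    -- keep only the first line; the package.path search list that follows
    -- (dozens of "no file ..." lines, as in the log above) is noise here
    return false, tostring(result):match("^[^\n]*")
  end
  return true, result
end

-- resty.openssl.ssl is the module pgmoon failed to load in the issue;
-- pgmoon is the client itself. Extend this list with whatever else your
-- code requires at request time.
local required = {
  "resty.openssl.ssl",
  "pgmoon",
}

for _, name in ipairs(required) do
  local ok, err = check_module(name)
  if not ok then
    error("preflight: cannot load " .. name .. ": " .. err
      .. " (install it with luarocks in the image, see issue above)")
  end
end

-- Record which lua-resty-openssl is in use, guarded in case the version
-- module layout differs between releases (assumption: version_text exists).
local ok, ver = check_module("resty.openssl.version")
if ok and ver.version_text then
  ngx.log(ngx.NOTICE, "preflight: resty.openssl OK, OpenSSL ", ver.version_text)
end
```

Note that this check only proves the Lua modules are loadable; it does not detect whether the aux-module is compiled in, so the "plain FFI" warning from resty.openssl.auxiliary.nginx will still appear until that module is added to the binary.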