Search code examples
luagatewaykongkong-plugin

I cannot use lua resty.http on Kong pre-function plugin

I need to make a external security request before any request on my Kong Gateway.

To do that, I used the plugin Kong Functions (Pre-Plugins), which allows me to execute lua scripts before any request.

Script:

local http = require "resty.http"

-- Pega o valor do header 'token' da requisição
local token = kong.request.get_header("token")

-- Verifica se o header 'token' foi encontrado
if not token then
    ngx.log(ngx.ERR, "token not found in request headers")
    ngx.exit(ngx.HTTP_BAD_REQUEST)
end

-- Configuração da requisição HTTP
local httpc = http.new()
local res, err = httpc:request_uri("my_request_url", {
    method = "GET",
    headers = {
        ["token"] = token
    },
    ssl_verify = false
})

-- Verifica se houve algum erro na requisição
if not res then
    ngx.log(ngx.ERR, "failed to request token validation: ", err)
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Verifica se a validação do token falhou
if res.status ~= 200 then
    ngx.log(ngx.ERR, "token validation failed with status code: ", res.status)
    ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

But I´m receiving this error:

init.lua:386 [pre-function] /usr/local/share/lua/5.1/kong/tools/kong-lua-sandbox.lua:171: /usr/local/share/lua/5.1/kong/tools/sandbox.lua:88: require 'resty.http' not allowed within sandbox,

I tried to add an env on my container:

  - name: KONG_LUA_SANDBOX_GLOBALS
    value: "package.loaded['resty.http'] = require 'resty.http'"

But I keep receiving the same error, even after restarting the container, I really don't know what to do next.

Solution

  • I'm intrigued by this configuration:

    I tryed to add an env on my container:

    • name: KONG_LUA_SANDBOX_GLOBALS
      value: "package.loaded['resty.http'] = require 'resty.http'"

    I don't know any configuration named lua_sandbox_globals. Do you mean untrusted_lua_sandbox_requires?

    By default Kong's serverless plugin disallow any require statement to be run, you can use the untrusted_lua_sandbox_requires to require the module without taking Kong out of sandbox mode.

    If you want to add resty.http to the list of allowed package to be load. Set the module name as the value of the environment variable should be enough:

    name: KONG_UNTRUSTED_LUA_SANDBOX_REQUIRES
value: resty.http