这阵子不是deepseek火么?我也折腾了下本地部署,ollama、vllm、llama.cpp都弄了下,webui也用了几个,发现nextjs-ollama-llm-ui小巧方便,挺适合个人使用的。如果放在网上供多人使用的话,得接入登录认证才好,不然所有人都能蹭玩,这个可不太妙。
我是用openresty反向代理将webui发布出去的,有好几种方案实现接入外部登录认证系统。首先是直接修改nextjs-ollama-llm-ui的源码,其实我就是这么做的,因为这样接入能将登录用户信息带入应用,可以定制页面,将用户显示在页面里,体验会更好。其次openresty是支持auth_request的,你需要编码实现几个web接口就可以了,进行简单配置即可,这种方式也很灵活,逻辑你自行编码实现。还有一种就是在openresty里使用lua来对接外部认证系统,也就是本文要介绍的内容。
在折腾的过程中,开始是想利用一些现有的轮子,结果因为偷懒反而踩了不少坑。包括但不限于openssl、session,后来一想,其实也没有多难,手搓也不复杂。
首先是这样设计的,用户的标识信息写入cookie,比如用一个叫做SID的字段,其构成为时间戳+IP,aes加密后的字符串;当用户的IP发生变化或者其他客户端伪造cookie访问,openresty可以识别出来,归类到未认证用户,跳转到认证服务器(带上回调url)。
location / {access_by_lua_block {local resty_string = require "resty.string"local resty_aes = require "resty.aes"local key = "1234567890123456" -- 16 bytes key for AES-128local iv = "1234567890123456" -- 16 bytes IV for AES-128local aes = resty_aes:new(key, nil, resty_aes.cipher(128, "cbc"), {iv=iv})local redis = require "resty.redis"local red = redis:new()red:set_timeouts(1000, 1000, 1000) -- 连接超时、发送超时、读取超时local ok, err = red:connect("127.0.0.1", 6379)if not ok thenngx.say("Failed to connect to Redis: ", err)returnendfunction get_client_ip()local headers = ngx.req.get_headers()local client_ip-- 优先从 X-Forwarded-For 获取local x_forwarded_for = headers["X-Forwarded-For"]if x_forwarded_for thenclient_ip = x_forwarded_for:match("([^,]+)")end-- 如果 X-Forwarded-For 不存在,尝试从 X-Real-IP 获取if not client_ip thenclient_ip = headers["X-Real-IP"]end-- 如果以上都不存在,回退到 remote_addrif not client_ip thenclient_ip = ngx.var.remote_addrendreturn client_ipendlocal function hex_to_bin(hex_str)-- 检查输入是否为有效的十六进制字符串if not hex_str or hex_str:len() % 2 ~= 0 thenreturn nil, "Invalid hex string: length must be even"endlocal bin_data = ""for i = 1, #hex_str, 2 do-- 每两个字符表示一个字节local byte_str = hex_str:sub(i, i + 1)-- 将十六进制字符转换为数字local byte = tonumber(byte_str, 16)if not byte thenreturn nil, "Invalid hex character: " .. byte_strend-- 将数字转换为对应的字符bin_data = bin_data .. string.char(byte)endreturn bin_dataendlocal cookies = ngx.var.http_Cookieif not cookies thenreturn ngx.redirect('https://sso.yourdomain.com/oauth2/authorize?redirect_uri=https://webapp.yourdomain.com/callback')endlocal my_cookie = ngx.re.match(cookies, "sid=([^;]+)")if not my_cookie thenreturn ngx.redirect('https://sso.yourdomain.com/oauth2/authorize?redirect_uri=https://webapp.yourdomain.com/callback')endlocal ckv=my_cookie[1]local ckvr=hex_to_bin(ckv)local decrypted = aes:decrypt(ckvr)local getip=string.sub(decrypted,12)if getip ~= get_client_ip() thenreturn ngx.redirect('https://sso.yourdomain.com/oauth2/authorize?redirect_uri=https://webapp.yourdomain.com/callback')endlocal userinfo, err = red:get(ckv)if not userinfo thenreturn ngx.redirect('https://sso.yourdomain.com/oauth2/authorize?redirect_uri=https://webapp.yourdomain.com/callback')end}proxy_pass http://127.0.0.1:3000;
}用户认证信息是存放在后端redis中,key是SID,value是认证访问返回的包含用户信息的json对象转的字符串,在认证成功后写入。在cookie设置时设定有效时长,在redis添加记录时设置有效时长。
-- callback
location /callback {content_by_lua_block {local http = require "resty.http"local httpc = http.new()-- 获取ticketlocal args = ngx.req.get_uri_args()local ticket = args.ticket-- 获取用户信息local res, err = httpc:request_uri("https://sso.yourdomain.com/oauth2/queryticket/"..ticket, {method = "POST",ssl_verify = false,headers = { ["Content-Type"] = "application/json" } })if not res thenngx.status = ngx.HTTP_INTERNAL_SERVER_ERRORngx.say("Failed to request user info: ", err)return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)endlocal cjson = require "cjson"local ok, data = pcall(cjson.decode, res.body)if not ok thenngx.status = 500ngx.say("解析 JSON 失败: ", data)returnendlocal username = data.usernamelocal json_str = cjson.encode(data)local redis = require "resty.redis"local red = redis:new()red:set_timeouts(1000, 1000, 1000) -- 连接超时、发送超时、读取超时local ok, err = red:connect("127.0.0.1", 6379)if not ok thenngx.say("Failed to connect to Redis: ", err)returnendfunction get_client_ip()local headers = ngx.req.get_headers()local client_ip-- 优先从 X-Forwarded-For 获取local x_forwarded_for = headers["X-Forwarded-For"]if x_forwarded_for thenclient_ip = x_forwarded_for:match("([^,]+)")end-- 如果 X-Forwarded-For 不存在,尝试从 X-Real-IP 获取if not client_ip thenclient_ip = headers["X-Real-IP"]end-- 如果以上都不存在,回退到 remote_addrif not client_ip thenclient_ip = ngx.var.remote_addrendreturn client_ipendlocal timestamp = os.time()local text = timestamp ..":"..get_client_ip()local resty_string = require "resty.string"local resty_aes = require "resty.aes"local key = "1234567890123456" -- 16 bytes key for AES-128local iv = "1234567890123456" -- 16 bytes IV for AES-128local aes = resty_aes:new(key, nil, resty_aes.cipher(128, "cbc"), {iv=iv})local encrypted = aes:encrypt(text)local my_value=resty_string.to_hex(encrypted)ngx.header["Set-Cookie"] = "sid=" .. my_value .. "; Path=/; Expires=" .. ngx.cookie_time(ngx.time() + 14400) .. "; HttpOnly"--local expire_time = 14400ok, err = red:set(my_value, json_str,"EX",14400)if not ok thenngx.say("Failed to set key: ", err)returnendngx.say("<html><head><meta charset=UTF-8 http-equiv=refresh content=3;url='http://webapp.yourdomain.com/'></head><body> 欢迎你 " .. username .. "</body></html>")}
}
另外可以考虑是否需要在用户注销时主动删除记录,在nginx.conf里添加logout路径,需要在相关页面中放进去才好工作,否则用户估计不会在浏览器中手工输入logout的url来注销的。下面的代码只是简单地从cookie中将sid字段置空,其实更完备的话,是先检核sid有效性,然后前端cookie和后端redis中都要做相关处理,从略了。
location /logout {content_by_lua_block {ngx.header["Set-Cookie"] = "sid=; Path=/; Expires=" .. ngx.cookie_time(ngx.time() - 3600) .. "; HttpOnly"ngx.say("已注销")}
}其实也有现成的oauth2的轮子,不过我们自己手写lua代码的话,可以更灵活的配置,对接一些非标准的web认证服务也可以的。
——查询计划相关操作符(9))
![[QT]开发全解析:从概念到实战](http://pic.xiahunao.cn/[QT]开发全解析:从概念到实战)
)
:RAG的云端优化与扩展】)
