Boost Your API Security and Traffic Management with OpenResty: Real‑World Practices

OpenResty, a high‑performance web platform based on Nginx and Lua, is widely adopted in production environments to enhance development efficiency while preserving Nginx’s concurrency and stability.

1.1 OpenResty Overview

OpenResty integrates a rich set of Lua libraries, third‑party modules, and dependencies, enabling the construction of ultra‑high‑concurrency, highly extensible dynamic web services and gateways. It also supports direct execution of web services within Nginx, allowing seamless handling of HTTP, MySQL, PostgreSQL, Memcached, Redis, and other backend protocols.

2.1 Interface Authentication

Background : Complex online environments expose APIs to interception, scraping, and attacks, increasing the need for robust API security.

Goal : Provide a configurable, fast‑to‑deploy authentication mechanism that secures APIs while preserving user experience across different app versions.

2.1.1 Implementation Principle

Manage API, version, and key configurations dynamically.

Load authentication data into shared memory.

Generate version‑specific keys and validate requests.

2.1.2 Precautions

Use closed‑open intervals for version ranges to avoid mismatches during version switches.

Normalize request parameters (deduplication, decoding, sorting) for GET and POST methods.

Monitor authentication metrics and alerts.

2.1.3 Processing Flow

App receives user request.

OpenResty parses request parameters (GET or POST).

Check if the app version participates in authentication.

If required parameters are missing, return an error.

Validate request timestamp.

Compute authentication key using a configured algorithm and compare with the client‑provided key.

On success, forward the request to the backend service.

local function get_version_key(version)
  -- Lua code to retrieve version key from blacklist
end

local function sig_check()
  -- Lua code to verify signature
end

2.2 Traffic Control

In multi‑IDC or multi‑availability‑zone deployments, rapid traffic isolation is needed for maintenance, fault isolation, or emergency handling.

2.2.1 Implementation Principle

Web layer manages node and IP information dynamically.

Lua initializes shared memory and loads node status.

Use set_peer_down to mark nodes as down or up, controlling traffic flow.

2.2.2 Precautions

Synchronize node status across Nginx workers via shared memory.

Monitor node status to ensure successful state changes.

Set expiration for down status to avoid forgetting to restore traffic.

2.2.3 Processing Flow

Operators can mark specific upstream nodes or IP ranges as down/up, and the changes take effect immediately across all workers.

2.3 Request Logging

A logging pipeline filters and records user requests, storing them in Elasticsearch for analysis.

2.3.1 Implementation Principle

Web layer maintains a CID whitelist to filter logs.

Lua filter captures request bodies up to a configurable size.

Batch processor aggregates logs and writes them to ES with configurable batch size, timeout, and retry policy.

local _M = {}
_M.conf = {
  dict = ngx.shared.logger_dict,
  elasticsearch_index = "****",
  endpoint_addr = "ES address",
  batch_max_size = 1000,
  inactive_timeout = 10
}
return _M

2.3.2 Precautions

Batch writes to avoid per‑request ES operations.

Set processing timeout to ensure logs are flushed promptly.

2.3.3 Processing Flow

Requests pass through a body filter that buffers up to 50 KB, then a logger writes batches to ES, handling retries and alerts on failures.

local max_size = 51200
local body = string.sub(ngx.arg[1], 1, max_size)
ngx.ctx.resp_buffered = (ngx.ctx.resp_buffered or "") .. body
if ngx.arg[2] then
  ngx.var.resp_body = ngx.ctx.resp_buffered
end

Conclusion

The article demonstrates practical use of Lua‑based OpenResty tools for API authentication, traffic control, and request logging in production. By leveraging shared memory, dynamic configuration, and batch processing, operators can build efficient, low‑impact utilities that improve service reliability and operational productivity.

References:

OpenResty documentation: http://openresty.org/cn/nginx.html

lua‑nginx‑module: https://github.com/openresty/lua-nginx-module

ngx.req.get_uri_args: https://github.com/openresty/lua-nginx-module#ngxreqget_uri_args

ngx.req.get_post_args: https://github.com/openresty/lua-nginx-module#ngxreqget_post_args

lua‑upstream‑nginx‑module: https://github.com/openresty/lua-upstream-nginx-module

set_peer_down API: https://github.com/openresty/lua-upstream-nginx-module#set_peer_down

lua‑resty‑elasticsearch: https://github.com/midoks/lua-resty-elasticsearch

lua‑resty‑http: https://github.com/ledgetech/lua-resty-http