
Can I update domain_whitelist dynamically? #9

Closed
kajmagnus opened this issue May 27, 2020 · 6 comments
Labels
enhancement New feature or request

Comments

@kajmagnus

kajmagnus commented May 27, 2020

Can I add domains to domain_whitelist without restarting OpenResty or reloading the config?

I'm new to Lua but maybe since domain_whitelist is a "metatable", one can define an __index() function: (see http://lua-users.org/wiki/MetatableEvents )

__index - Control 'prototype' inheritance. When accessing "myTable[key]" and the key does not appear in the table, but the metatable has an __index property:
if the value is a function, the function is called, passing in the table and the key; the return value of that function is returned as the result

Could such an __index function use lua-resty-http and ask my app server if the new domain is allowed? Something like:

```lua
-- askMyAppServerIfDomainAllowed is a hypothetical helper built on lua-resty-http
local http = require("resty.http")

domain_whitelist = setmetatable({}, { __index = function(_, k)
    return askMyAppServerIfDomainAllowed(http, k)
end }),
```

***

The other project, lua-resty-auto-ssl, has an allow_domain() callback, and apparently one can query Redis dynamically from it:

When using the Redis storage adapter, you can access the current Redis connection inside the allow_domain callback by accessing auto_ssl.storage.adapter:get_connection().

https://github.com/auto-ssl/lua-resty-auto-ssl#allow_domain

@fffonion
Owner

Hi @kajmagnus, yes, you can definitely use lua-resty-http in the __index method since it's called inside a timer.

Adding a callback hook is a nice syntactic-sugar feature; for now I guess you can get pretty much the same by just putting it into __index. Similarly, you can also get the storage backend using require("resty.acme.autossl").storage.

@fffonion fffonion added the enhancement New feature or request label May 27, 2020
@kajmagnus
Author

kajmagnus commented May 27, 2020

@fffonion ok thanks, sounds good.

(Personally I'm guessing people would be fine with __index, if there was just some docs mentioning that one can call Redis, or the app server, from __index, and sample code about how to use it. I could reply here with some sample code, if I implement such an __index function in the future — maybe in two or three months. )

A timer — that's Kong's lua-resty-timer, I'm guessing (?), i.e. extra timer functionality based on https://github.com/openresty/lua-nginx-module#ngxtimerat.

@fffonion
Owner

fffonion commented May 27, 2020

Yeah, I'll add a note in the readme on that.

Actually I made a mistake here: checking the domain against the whitelist is run in the ssl_certificate_by context. But you can still use the cosocket API, i.e. do network operations.

@kajmagnus
Author

kajmagnus commented May 27, 2020

@fffonion Wow that was fast :- )

From the new docs:

Do note that this will increase the SSL handshake latency

Is that for each connection, always, or just the very first connection when the HTTPS cert doesn't yet exist, and gets created?

@fffonion
Owner

It's for each connection, always, since we rely on that whitelist to decide "whether I'm going to serve a certificate (or order a new one) for this domain".

But you can make it smarter by adding some cache for example.
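Added example (not code from lua-resty-acme or from either participant): a whitelist table built the way the thread describes, with an `__index` metamethod that consults an external lookup, plus the cache suggested above so the lookup does not run on every SSL handshake. `new_cached_whitelist`, the `lookup` and `now` parameters, the TTL values and the sample domains are all assumptions made for this example; `lookup(domain)` stands in for whatever lua-resty-http or Redis call you would write, and `now` is injectable so the block runs under plain Lua (pass `ngx.now` in OpenResty).

```lua
-- Added example, not lua-resty-acme code. Builds a domain_whitelist whose
-- __index asks an external lookup and caches both positive and negative
-- answers, failing closed when the lookup errors.
-- Assumptions: opts.lookup(domain) returns true/false, or nil plus an error;
-- opts.now returns seconds (os.time by default, ngx.now in OpenResty).
local function new_cached_whitelist(opts)
  local lookup    = opts.lookup
  local now       = opts.now or os.time
  local ttl_allow = opts.ttl_allow or 300   -- seconds a positive answer is kept
  local ttl_deny  = opts.ttl_deny  or 60    -- seconds a negative answer is kept
  local ttl_error = opts.ttl_error or 5     -- short, so backend recovery is picked up quickly
  local cache     = {}                      -- domain -> { allowed = bool, expires = t }

  -- Cheap syntax check before any network call: a client controls the SNI
  -- name, so reject anything that is not a plausible DNS name. This keeps
  -- junk keys out of the cache and off the backend.
  local function plausible_hostname(d)
    return type(d) == "string" and #d > 0 and #d <= 253
       and d:match("^[%w%-%.]+$") ~= nil
       and not d:match("^%.") and not d:match("%.%.")
  end

  local whitelist = setmetatable({}, {
    __index = function(_, domain)
      if not plausible_hostname(domain) then return false end

      local hit = cache[domain]
      if hit and hit.expires > now() then
        return hit.allowed            -- served from cache, no handshake latency added
      end

      local ok, err = lookup(domain)
      if err ~= nil or ok == nil then
        -- Fail closed: a backend outage must not turn into serving or
        -- ordering certificates for unknown names.
        cache[domain] = { allowed = false, expires = now() + ttl_error }
        return false
      end

      local allowed = ok and true or false
      cache[domain] = { allowed = allowed,
                        expires = now() + (allowed and ttl_allow or ttl_deny) }
      return allowed
    end,
  })
  return whitelist, cache
end

-- Constructed demo: a fake backend that only knows "app.example.com" and
-- reports an error for "down.example.com", and a fake clock so TTL expiry
-- can be shown without waiting.
local calls, t = 0, 1000
local wl = new_cached_whitelist({
  now = function() return t end,
  lookup = function(d)
    calls = calls + 1
    if d == "down.example.com" then return nil, "backend unreachable" end
    return d == "app.example.com"
  end,
})

assert(wl["app.example.com"]  == true  and calls == 1)
assert(wl["app.example.com"]  == true  and calls == 1)  -- cache hit, no lookup
assert(wl["evil.example.com"] == false and calls == 2)
assert(wl["evil.example.com"] == false and calls == 2)  -- negative answer cached too
assert(wl["down.example.com"] == false and calls == 3)  -- lookup error -> fail closed
assert(wl["bad host!"]        == false and calls == 3)  -- never reaches the backend
t = t + 301
assert(wl["app.example.com"]  == true  and calls == 4)  -- TTL expired, re-checked
print("cached whitelist ok")
```

The same table can be passed as `domain_whitelist` for the `__index` approach discussed here; caching the negative answers matters as much as the positive ones, because every handshake with an arbitrary SNI name would otherwise cost one backend round trip.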

@fffonion
Owner

fffonion commented Sep 8, 2020

This is implemented as domain_whitelist_callback and will be available in next release : )

@fffonion fffonion closed this as completed Sep 8, 2020