需求背景：

想着搭建一个视频点播服务器，最后选择了nginx+vod的方案，用lua脚本写拉流鉴权，但是环境搭建过程中又发现nginx++vod+lua的环境并不是很容易搭建，是nginx+lua的环境，手动搭建比较麻烦，但还是实现了，还有另一种方案是可以用openresty（nginx+lua）+ vod的方案，因为openresty已经帮你包含了nginx和lua的环境，但是还不包含vod这个点播模块，只需自己add-module vod就可以了

注意本文章介绍的点播lua鉴权，只做了m3u8文件的鉴权，并未对ts文件的鉴权，简单的判断是否带token的鉴权，至于token的设计，还需自己配置，

本文主要介绍了环境的搭建，鉴权流程的分析，重在流程，最后会在文中附上安装脚本和nginx.conf的整个配置文件

方案一 nginx+vod+lua

配置服务器DNS：

echo "nameserver 114.114.114.114" >> /etc/resolv.conf

安装网路工具

yum install wget ntpdate git -y 

安装编译工具及依赖库

yum install -y gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel -y

同步服务器时间

ntpdate ntp.aliyun.com
timedatectl set-timezone Asia/Shanghai

创建点播服务器的安装目录

我这里安装到了/usr/cloudland/nginx的目录下

mkdir -p /usr/cloudland/nginx
export NGINX_INSTALL_PATH=/usr/cloudland/nginx

下载配置安装lua解释器LuaJIT

wget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
tar xzvf LuaJIT-2.0.4.tar.gz
cd LuaJIT-2.0.4
make install PREFIX=$NGINX_INSTALL_PATH/luajit
export LUAJIT_LIB=$NGINX_INSTALL_PATH/luajit/lib
export LUAJIT_INC=$NGINX_INSTALL_PATH/luajit/include/luajit-2.0
cd -

注意上面的两个export命令，配置lua解释器的环境变量

下载nginx NDK（ngx_devel_kit）扩展模块

wget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
tar -xzvf v0.3.0.tar.gz

下载lua-nginx-module

wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz
tar -xzvf v0.10.9rc7.tar.gz

下载安装lua-resty-http模块（lua的库，实现http功能的一些库）

wget https://github.com/ledgetech/lua-resty-http/archive/refs/tags/v0.16.1.tar.gz
tar -zxvf v0.16.1.tar.gz
cp -r lua-resty-http-0.16.1/lib/resty/ $NGINX_INSTALL_PATH/luajit/lib/lua/5.1/
cp -r lua-resty-http-0.16.1/lib/resty/ $NGINX_INSTALL_PATH/luajit/share/lua/5.1/

注意NGINX_INSTALL_PATH换成自己nginx的安装路径即可，上面的两个cp的命令，这个是解决resty-http找不到的问题

下载安装lua-cjson模块(lua的库，为lua提供json相关功能)

wget https://github.com/openresty/lua-cjson/archive/refs/tags/2.1.0.9.tar.gz
tar -zxvf 2.1.0.9.tar.gz
cd lua-cjson-2.1.0.9
make LUA_VERSION=5.1 PREFIX=$NGINX_INSTALL_PATH/luajit/ LUA_INCLUDE_DIR=$NGINX_INSTALL_PATH/luajit/include/luajit-2.0/
make LUA_VERSION=5.1 PREFIX=$NGINX_INSTALL_PATH/luajit/ LUA_INCLUDE_DIR=$NGINX_INSTALL_PATH/luajit/include/luajit-2.0/ install
cd -

注意上面的make参数，指定的安装路径及头文件，解决的是找不到lua-cjson相关库的问题

下载nginx-vod模块

这个模块是为nginx实现点播功能的

wget https://github.com/kaltura/nginx-vod-module/archive/refs/tags/1.28.tar.gz
tar -zxvf 1.28.tar.gz

下载配置安装nginx

wget https://nginx.org/download/nginx-1.20.1.tar.gz
tar -xzvf nginx-1.20.1.tar.gz
cd nginx-1.20.1
./configure --prefix=/usr/cloudland/nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --add-module=../lua-nginx-module-0.10.9rc7 --add-module=../ngx_devel_kit-0.3.0 --add-module=../nginx-vod-module-1.28/
make
make install

将luajia相关库加载一下

echo "$NGINX_INSTALL_PATH/luajit/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig

修改nginx配置文件nginx.conf

有两处修改

修改处一：

init_by_lua_block {cjson = require "cjson";http = require "resty.http";}

添加位置：

修改处二：

 location /vod {rewrite_by_lua_block {-- local cjson = require "cjson"-- local http = require "resty.http"local httpc = http.new()local ngx = ngxlocal headers = ngx.req.get_headers()local extension = ngx.var.request_uri:match(".+%.(%w+)$")local token = headers["token"]local request_method = ngx.var.request_methodlocal args = nilif "GET" == request_method thenargs = ngx.req.get_uri_args()elseif "POST" == request_method thenngx.req.read_body()args = ngx.req.get_post_args()endif extension == 'm3u8' thentoken = args["token"];if not token thenngx.header['Content-Type'] = 'text/plain; charset=utf-8';ngx.status = ngx.HTTP_FORBIDDENngx.say("Nil token,Not Privileged To Play")-- ngx.say(ngx.var.request_uri);-- ngx.say(extension);ngx.exit(200)end-- 要实现token鉴权的服务，header和参数已经实现，根据实际需要选择-- 可以将URL发送给一个golang服务，用golang服务来做具体鉴权local url = "http://172.20.0.95:11985/api/rest/v1/vod/check";local res, err = httpc:request_uri(url, {method="GET", headers={["token"]=token}})if not res thenngx.header['Content-Type'] = 'text/plain; charset=utf-8';ngx.say(cjson.encode({message = "Error getting response",status = ngx.HTTP_INTERNAL_SERVER_ERROR }));ngx.exit(200)endif res.body == '0' thenngx.header['Content-Type'] = 'text/plain; charset=utf-8';ngx.say("Valid token,Not Privileged To Play.");ngx.exit(200)endend}vod hls; # 协议使用hls模式vod_mode local; # 访问模式指定为local模式vod_align_segments_to_key_frames on; # 每个切片以关键帧开头vod_manifest_segment_durations_mode accurate; # 精确显示每个切片的长度root /media;#alias /media; # 视频文件路径#proxy_pass http://172.0.0.74:80/lua;}

添加位置：

整个nginx.conf文件的配置

#user  nobody;
worker_processes  1;error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;#pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  logs/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;init_by_lua_block {cjson = require "cjson";http = require "resty.http";}server {listen       80;server_name  localhost;#charset koi8-r;#access_log  logs/host.access.log  main;location / {root   html;index  index.html index.htm;}location /lua {default_type 'text/plain';content_by_lua 'ngx.say("hello, lua for vod")';}location /vod {rewrite_by_lua_block {-- local cjson = require "cjson"-- local http = require "resty.http"local httpc = http.new()local ngx = ngxlocal headers = ngx.req.get_headers()local extension = ngx.var.request_uri:match(".+%.(%w+)$")local token = headers["token"]local request_method = ngx.var.request_methodlocal args = nilif "GET" == request_method thenargs = ngx.req.get_uri_args()elseif "POST" == request_method thenngx.req.read_body()args = ngx.req.get_post_args()endif extension == 'm3u8' thentoken = args["token"];if not token thenngx.header['Content-Type'] = 'text/plain; charset=utf-8';ngx.status = ngx.HTTP_FORBIDDENngx.say("Nil token,Not Privileged To Play")-- ngx.say(ngx.var.request_uri);-- ngx.say(extension);ngx.exit(200)end-- 要实现token鉴权的服务，header和参数已经实现，根据实际需要选择-- 可以将URL发送给一个golang服务，用golang服务来做具体鉴权local url = "http://172.20.0.95:11985/api/rest/v1/vod/check";local res, err = httpc:request_uri(url, {method="GET", headers={["token"]=token}})if not res then ngx.header['Content-Type'] = 'text/plain; charset=utf-8';ngx.say(cjson.encode({message = "Error getting response",status = ngx.HTTP_INTERNAL_SERVER_ERROR }));ngx.exit(200)endif res.body == '0' thenngx.header['Content-Type'] = 'text/plain; charset=utf-8';ngx.say("Valid token,Not Privileged To Play.");ngx.exit(200)endend}vod hls; # 协议使用hls模式vod_mode local; # 访问模式指定为local模式vod_align_segments_to_key_frames on; # 每个切片以关键帧开头vod_manifest_segment_durations_mode accurate; # 精确显示每个切片的长度root /media;#alias /media; # 视频文件路径#proxy_pass http://172.0.0.74:80/lua;}#error_page  404              /404.html;# redirect server error pages to the static page /50x.html#error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}# proxy the PHP scripts to Apache listening on 127.0.0.1:80##location ~ \.php$ {#    proxy_pass   http://127.0.0.1;#}# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000##location ~ \.php$ {#    root           html;#    fastcgi_pass   127.0.0.1:9000;#    fastcgi_index  index.php;#    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;#    include        fastcgi_params;#}# deny access to .htaccess files, if Apache's document root# concurs with nginx's one##location ~ /\.ht {#    deny  all;#}}# another virtual host using mix of IP-, name-, and port-based configuration##server {#    listen       8000;#    listen       somename:8080;#    server_name  somename  alias  another.alias;#    location / {#        root   html;#        index  index.html index.htm;#    }#}# HTTPS server##server {#    listen       443 ssl;#    server_name  localhost;#    ssl_certificate      cert.pem;#    ssl_certificate_key  cert.key;#    ssl_session_cache    shared:SSL:1m;#    ssl_session_timeout  5m;#    ssl_ciphers  HIGH:!aNULL:!MD5;#    ssl_prefer_server_ciphers  on;#    location / {#        root   html;#        index  index.html index.htm;#    }#}}

将上述nginx.conf修改到/usr/cloudland/nginx.conf

启动nginx

cd /usr/cloudland/nginx/
./sbin/nginx -p $PWD -c conf/nginx.conf

结果验证：

在验证之前最后关闭防火墙

关闭防火墙：

systemctl stop firewalld

随便拷贝一个视频到/media/vod目录下

用浏览器打开http://172.24.0.74/vod/720p-test.mp4/index.m3u8

上述不带token的结果

用浏览器打开带token的URLhttp://172.24.0.74/vod/720p-test.mp4/index.m3u8

发现会允许下载index.m3u8文件

用VLC打开带token的URL发现视频可以播放

整个环境搭建的脚本：

#!/bin/sh
NGINX_INSTALL_PATH=/usr/cloudland/nginx
echo "nameserver 114.114.114.114" >> /etc/resolv.confyum install wget ntpdate git -yyum install -y gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel -yntpdate ntp.aliyun.comtimedatectl set-timezone Asia/Shanghai# LuaJIT
if [ ! -f LuaJIT-2.0.4.tar.gz ]; thenwget -c http://luajit.org/download/LuaJIT-2.0.4.tar.gz
fi
tar xzvf LuaJIT-2.0.4.tar.gz
cd LuaJIT-2.0.4
make install PREFIX=$NGINX_INSTALL_PATH/luajit
export LUAJIT_LIB=$NGINX_INSTALL_PATH/luajit/lib
export LUAJIT_INC=$NGINX_INSTALL_PATH/luajit/include/luajit-2.0
cd -#ngx_devel_kit
if [ ! -f v0.3.0.tar.gz ]; thenwget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
fi
tar -xzvf v0.3.0.tar.gz#lua-nginx-module
if [ ! -f v0.10.9rc7.tar.gz ]; thenwget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz
fi
tar -xzvf v0.10.9rc7.tar.gz#lua-resty-http
if [ ! -f v0.16.1.tar.gz ]; thenwget https://github.com/ledgetech/lua-resty-http/archive/refs/tags/v0.16.1.tar.gz
fi
tar -zxvf v0.16.1.tar.gz
cp -r lua-resty-http-0.16.1/lib/resty/ $NGINX_INSTALL_PATH/luajit/lib/lua/5.1/
cp -r lua-resty-http-0.16.1/lib/resty/ $NGINX_INSTALL_PATH/luajit/share/lua/5.1/ #lua-cjson
if [ ! -f 2.1.0.9.tar.gz ]; thenwget https://github.com/openresty/lua-cjson/archive/refs/tags/2.1.0.9.tar.gz
fi
tar -zxvf 2.1.0.9.tar.gz
cd lua-cjson-2.1.0.9
make LUA_VERSION=5.1 PREFIX=$NGINX_INSTALL_PATH/luajit/ LUA_INCLUDE_DIR=$NGINX_INSTALL_PATH/luajit/include/luajit-2.0/
make LUA_VERSION=5.1 PREFIX=$NGINX_INSTALL_PATH/luajit/ LUA_INCLUDE_DIR=$NGINX_INSTALL_PATH/luajit/include/luajit-2.0/ install
cd -# vod module
if [ ! -f 1.28.tar.gz ]; thenwget https://github.com/kaltura/nginx-vod-module/archive/refs/tags/1.28.tar.gz
fi
tar -zxvf 1.28.tar.gz# nginx
if [ ! -f nginx-1.20.1.tar.gz ]; thenwget https://nginx.org/download/nginx-1.20.1.tar.gz
fi
tar -xzvf nginx-1.20.1.tar.gz
cd nginx-1.20.1./configure --prefix=$NGINX_INSTALL_PATH --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --add-module=../lua-nginx-module-0.10.9rc7 --add-module=../ngx_devel_kit-0.3.0 --add-module=../nginx-vod-module-1.28/
make
make install
cd -echo "$NGINX_INSTALL_PATH/luajit/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig\cp ./nginx.conf $NGINX_INSTALL_PATH/confcd $NGINX_INSTALL_PATH$NGINX_INSTALL_PATH/sbin/nginx -p $NGINX_INSTALL_PATH -c $NGINX_INSTALL_PATH/conf/nginx.conf