
Crazy cool nginx.conf scripting and modules. - labria
http://agentzh.org/misc/slides/nginx-conf-scripting/nginx-conf-scripting.html
======
simonw
Well worth navigating through - it just gets nuttier and nuttier. I certainly
didn't know you could execute SQL queries against Drizzle from within your
nginx.conf, parameterise them based on the query string, hash them to
different backend shards and format the results as JSON...

~~~
EvilTrout
Agreed, that's the point where my mind was blown.

------
sync
In case it isn't clear to some folks (like me), this is a slideshow: left and
right arrows to navigate.

~~~
nzmsv
If you put your mouse exactly at the top of the page, a toolbar pops up. But
this took me a long time to discover, and I kept using the arrow keys.

~~~
agentzh
Sorry for the confusion...I should have added a tip in my tweet.

------
pak
Whoa, nginx can do a hell of a lot via conf scripting. You could build a semi-
decent REST interface to a data source using the modules in this
presentation...

~~~
agentzh
One can do a full-decent REST interface when ngx_lua is ready ;)

------
nzmsv
I actually tried putting a website together in a similar fashion a while back.
All the hacks quickly got difficult to maintain, and the code was ugly. I was
too ashamed of what I've created to share it with the world. Now I see someone
actually built up that courage :)

~~~
agentzh
I do understand the risk. And we've been trying pretty hard to keep things
clean :)

------
AdamGibbins
This site design is totally unusable on Android devices, I cannot work out how
to change slides.

~~~
agentzh
Sorry about that...but arrow keys on your keyboard don't work for you?

------
tlrobinson
Not to nitpick, but I feel the need to point out that the "REST interface to
memcache server" isn't really REST, since it's issuing non-idempotent commands
using GET requests, with the command type and resource specified in the query
string.

Also, "Native support for cross-site scripting (XSS) in an nginx"
(<http://github.com/agentzh/xss-nginx-module>)... I don't think XSS means what
they think it means. Hint: it's not a feature.
<http://en.wikipedia.org/wiki/Cross-site_scripting>

Still pretty cool though :)

~~~
dedward
XSS seems as good a definition as any - everyone's calling it lots of things,
JSONP or AJAST or whatever - but setting up data feeds inside javascript
function calls specifically to do ajax-Y stuff but getting around the cross-
site security model built into xmlhttprequest.

~~~
tlrobinson
But XSS already has a different specific meaning. Granted it's a confusing
definition for exactly this reason, but it's well established to mean a
security vulnerability where an attacker can inject JavaScript into users'
pages thereby stealing their session cookies, etc. It has nothing to do with
cross-domain requests.

------
jgarcia
OH NO! Register Globals comes back!
<http://php.net/manual/security.globals.php>

------
dylanz
I've worked with agentzh before, and he is extremely knowledgeable and
friendly. He's an amazing asset to the Nginx project!

------
growt
I wonder how vulnerable this setup is to sql-injection attacks and similar
stuff.

~~~
agentzh
Haven't you seen the set_quote_sql_str directive used in my slides?
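
An added illustration of the exchange above, not taken from the slides or from any commenter's configuration: the same ngx_drizzle lookup with the query-string value interpolated raw, and then passed through set_quote_sql_str first. The upstream name, server address, credentials, table and column names are constructed placeholders, and it assumes nginx built with ngx_drizzle, ngx_set_misc (plus ngx_devel_kit) and ngx_rds_json.

```nginx
# Constructed example: upstream, credentials, table and column are placeholders.
upstream backend {
    drizzle_server 127.0.0.1:3306 dbname=test user=app
                   password=CHANGE_ME protocol=mysql;
}

server {
    listen 8080;

    # Weak form: $arg_name is whatever the client put in ?name=..., copied
    # into the statement between hand-written quotes with no escaping, so
    # the client controls part of the SQL text.
    location = /cat-unquoted {
        drizzle_query "select * from cats where name='$arg_name'";
        drizzle_pass backend;
        rds_json on;
    }

    # Corrected form: decode the URI escapes first, then let
    # set_quote_sql_str escape the value and add the surrounding quotes.
    # The query references only the quoted variable, never $arg_name.
    location = /cat {
        set_unescape_uri  $name        $arg_name;
        set_quote_sql_str $quoted_name $name;
        drizzle_query "select * from cats where name=$quoted_name";
        drizzle_pass backend;
        rds_json on;
    }
}
```

set_quote_sql_str applies MySQL string-literal quoting, so it covers values used as strings; a value used as a number or an identifier needs its own validation, for example a regex-constrained location.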

------
tigerthink
Why would you do this? Use a proper web framework!

~~~
dylanz
The examples are there to show you what you can do from a flexible piece of
software like Nginx. It could have nothing to do with the web tier.

~~~
MWinther
Still, it would be interesting with connections to real-life applications. I
was hoping to figure out a few practical ways of using more of my nginx spare
cycles. I'm sure there's a ton of cool stuff one could actually use this for,
but I'm none the wiser after the presentation.

~~~
agentzh
I must add that the stuff shown in these slides is just our "level 1
scripting". There will be level 2 and level 3, so as to support more
sophisticated business logic in our data platform.

Level 2 will be ngx_lua scripting which provides Erlang-style transparent non-
blocking I/O support and access to the whole nginx infrastructure and all the
level 1 scripting goodies.

Level 3 will be...well...Perl 6, JavaScript, and PHP scripting atop the
ngx_lua VM (by the corresponding X -> Lua compiler). _grin_ We'll eventually
get there.

