OpenResty and Lua: dynamic Access-Control-* rules without reloading nginx
Lua can look up tenant allowlists in Redis and set CORS headers per request—useful for multi-tenant APIs behind one hostname.
Tags: openresty, nginx, lua, cors
Implementation sketch
Run the access_by_lua phase after TLS termination so you know the true Host and optional client cert fingerprint.
Return 403 for disallowed origins instead of omitting CORS headers silently—easier to debug client misconfiguration.
Performance
Share LuaJIT bytecode across workers; avoid per-request string concatenation for large Allow-Headers lists.
Coalesce Redis round-trips when the same origin hits OPTIONS and GET in parallel.
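A minimal access-phase module for the sketch above, as an added example that is not code from the original post. The module name `cors_gate`, the `$tenant` variable (assumed to come from a named capture in the location regex), the `cors:allow:<tenant>` Redis set, the `cors_cache` shared dict, the Redis address and the header lists are all assumptions. The shared dict absorbs repeated lookups for the same tenant and origin, so a preflight and the request that follows it usually cost one Redis round-trip between them.

```lua
-- cors_gate.lua: added example, not the post's own code.
-- Assumed: `lua_shared_dict cors_cache 1m;`, a location regex that captures
-- $tenant, and one Redis set per tenant named cors:allow:<tenant>.
-- Wire in with: access_by_lua_block { require("cors_gate").check() }
local redis = require "resty.redis"
local cache = ngx.shared.cors_cache
-- Built once at module load instead of concatenated per request (sample values).
local ALLOW_METHODS = "GET, POST, OPTIONS"
local ALLOW_HEADERS = "Authorization, Content-Type"
local _M = {}

-- Returns true/false from the cache or Redis; nil when Redis cannot answer.
local function origin_allowed(tenant, origin)
    local key = tenant .. "|" .. origin
    local hit = cache:get(key)
    if hit ~= nil then return hit end          -- cached allow or cached deny
    local red = redis:new()
    red:set_timeouts(100, 100, 100)            -- connect, send, read (ms)
    local ok, err = red:connect("127.0.0.1", 6379)
    if not ok then
        ngx.log(ngx.ERR, "cors: redis connect: ", err)
        return nil
    end
    local res, qerr = red:sismember("cors:allow:" .. tenant, origin)
    if not res then                            -- nil or false means failure
        ngx.log(ngx.ERR, "cors: sismember: ", qerr)
        return nil
    end
    red:set_keepalive(10000, 32)               -- return connection to the pool
    local allowed = (res == 1)
    cache:set(key, allowed, 30)                -- short TTL so allowlist edits apply
    return allowed
end

function _M.check()
    local origin = ngx.var.http_origin
    if not origin then return end              -- no Origin header: not a CORS request
    local tenant = ngx.var.tenant
    -- Fail closed: unknown tenant, oversized Origin, deny, or Redis failure.
    if not tenant or #origin > 255 or not origin_allowed(tenant, origin) then
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    ngx.header["Access-Control-Allow-Origin"] = origin  -- echo the vetted origin only
    ngx.header["Vary"] = "Origin"              -- keep shared caches from mixing origins
    if ngx.req.get_method() == "OPTIONS" then
        ngx.header["Access-Control-Allow-Methods"] = ALLOW_METHODS
        ngx.header["Access-Control-Allow-Headers"] = ALLOW_HEADERS
        return ngx.exit(ngx.HTTP_NO_CONTENT)   -- answer the preflight here
    end
end
return _M
```

The 30-second TTL bounds how long a removed origin stays allowed; the 255-byte cap keeps attacker-chosen Origin values from filling the shared dict with long keys.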
