moonming/a6-plugin-serverless
skills/a6-plugin-serverless/SKILL.md
Skill for configuring the Apache APISIX serverless-pre-function and serverless-post-function plugins via the a6 CLI. Covers inline Lua function execution in configurable request phases, function signature, closure patterns, available Lua APIs, and execution ordering.
tools
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add moonming/a6 a6-plugin-serverlessInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 1:09 PM334.6s1 file scanned
SKILL.md
- name:
- a6-plugin-serverless
- description:
- >-
- version:
- 1.0.0
- author:
- Apache APISIX Contributors
- license:
- Apache-2.0
- category:
- plugin
- apisix_version:
- >=3.0.0
- plugin_name:
- serverless-pre-function
a6-plugin-serverless
Overview
APISIX provides two serverless plugins that execute inline Lua functions during request processing:
serverless-pre-function— runs at the beginning of the specified phase (priority 10000, executes early).serverless-post-function— runs at the end of the specified phase (priority −2000, executes late).
Both share identical configuration. Functions are defined as Lua strings in the Admin API and compiled at load time.
When to Use
- Inject custom request/response logic without writing a full plugin
- Quick prototyping of header injection, redirects, or logging
- Add lightweight pre-processing (rewrite) or post-processing (log)
- Dynamic routing decisions based on request attributes
Plugin Configuration Reference
| Field | Type | Required | Default | Valid Values | Description |
|-------|------|----------|---------|--------------|-------------|
| phase | string | No | "access" | rewrite, access, header_filter, body_filter, log, before_proxy | Phase when functions execute |
| functions | array[string] | Yes | — | Lua function strings | Functions executed sequentially; each must return a function |
Function Signature
Since APISIX v2.6+, functions receive two arguments:
return function(conf, ctx)
-- conf: plugin configuration object
-- ctx: APISIX request context (shared across plugins)
--
-- Optional return:
-- return code, body -- exit immediately with HTTP status + body
-- return -- continue to next function / plugin
end
Rules:
- The string MUST return a function. Raw statements are rejected.
- Functions are cached via LRU cache; update the route to pick up changes.
Phase Execution Order
1. rewrite → modify request before routing
2. access → authorization / authentication checks
3. before_proxy → last chance before upstream call
4. header_filter → modify response headers
5. body_filter → modify response body (chunked via ngx.arg)
6. log → logging after response sent (read-only)
Phase Restrictions
| Phase | Can Read Request | Can Modify Request | Can Modify Response | Can Exit | |-------|------------------|--------------------|---------------------|----------| | rewrite | ✅ | ✅ | ❌ | ✅ | | access | ✅ | ✅ | ❌ | ✅ | | before_proxy | ✅ | ✅ | ❌ | ✅ | | header_filter | ✅ | ❌ | ✅ (headers) | ❌ | | body_filter | ✅ | ❌ | ✅ (body chunks) | ❌ | | log | ✅ | ❌ | ❌ | ❌ |
Step-by-Step Examples
1. Basic Logging
a6 route create -f - <<'EOF'
{
"id": "serverless-log",
"uri": "/api/*",
"plugins": {
"serverless-pre-function": {
"phase": "rewrite",
"functions": [
"return function() ngx.log(ngx.WARN, 'incoming request: ', ngx.var.uri) end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
2. HTTP to HTTPS Redirect
a6 route create -f - <<'EOF'
{
"id": "force-https",
"uri": "/*",
"plugins": {
"serverless-pre-function": {
"phase": "rewrite",
"functions": [
"return function() if ngx.var.scheme == 'http' then ngx.header['Location'] = 'https://' .. ngx.var.host .. ngx.var.request_uri; ngx.exit(301) end end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
3. Request Header Injection
a6 route create -f - <<'EOF'
{
"id": "inject-headers",
"uri": "/api/*",
"plugins": {
"serverless-pre-function": {
"phase": "rewrite",
"functions": [
"return function(conf, ctx) ngx.req.set_header('X-Request-ID', ngx.var.request_id); ngx.req.set_header('X-Real-IP', ngx.var.remote_addr) end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
4. Modify Upstream URI
a6 route create -f - <<'EOF'
{
"id": "rewrite-uri",
"uri": "/legacy/*",
"plugins": {
"serverless-post-function": {
"phase": "access",
"functions": [
"return function(conf, ctx) ctx.var.upstream_uri = '/v2' .. ngx.var.uri end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
5. Response Header Modification (header_filter phase)
a6 route create -f - <<'EOF'
{
"id": "resp-headers",
"uri": "/api/*",
"plugins": {
"serverless-post-function": {
"phase": "header_filter",
"functions": [
"return function() ngx.header['X-Processed-By'] = 'APISIX'; ngx.header['X-Response-Time'] = ngx.now() - ngx.req.start_time() end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
6. Closure with Persistent State
a6 route create -f - <<'EOF'
{
"id": "closure-counter",
"uri": "/count",
"plugins": {
"serverless-pre-function": {
"phase": "log",
"functions": [
"local count = 0; return function() count = count + 1; ngx.log(ngx.WARN, 'request count: ', count) end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
7. Multiple Sequential Functions
a6 route create -f - <<'EOF'
{
"id": "multi-fn",
"uri": "/api/*",
"plugins": {
"serverless-pre-function": {
"phase": "rewrite",
"functions": [
"return function() ngx.log(ngx.WARN, 'step one') end",
"return function() ngx.log(ngx.WARN, 'step two') end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
8. Custom Authentication Guard
a6 route create -f - <<'EOF'
{
"id": "custom-auth",
"uri": "/admin/*",
"plugins": {
"serverless-pre-function": {
"phase": "access",
"functions": [
"return function() local token = ngx.var.http_authorization; if not token or token ~= 'Bearer secret123' then return 401, '{\"error\":\"unauthorized\"}' end end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}
EOF
Available Lua APIs
Core ngx APIs
-- Request
ngx.var.uri, ngx.var.request_uri, ngx.var.scheme, ngx.var.host
ngx.var.remote_addr, ngx.var.request_method, ngx.var.request_id
ngx.req.get_headers(), ngx.req.get_uri_args(), ngx.req.get_method()
ngx.req.set_header(name, value), ngx.req.read_body(), ngx.req.get_body_data()
-- Response
ngx.header["Name"] = "value"
ngx.status = 200
ngx.say(data), ngx.print(data)
ngx.exit(status), ngx.redirect(uri, status)
-- Logging
ngx.log(ngx.ERR, msg), ngx.log(ngx.WARN, msg), ngx.log(ngx.INFO, msg)
-- Utilities
ngx.time(), ngx.now(), ngx.encode_base64(str), ngx.decode_base64(str)
APISIX Context Variables
ctx.var.upstream_uri = "/new/path" -- modify upstream request URI
ctx.curr_req_matched._path -- matched route path
ctx.consumer_name -- authenticated consumer name
ctx.route_id -- current route ID
ctx.service_id -- current service ID
Available Libraries
local json = require("cjson")
local core = require("apisix.core")
local http = require("resty.http")
local lrucache = require("resty.lrucache")
Config Sync Example
version: "1"
routes:
- id: serverless-demo
uri: /api/*
plugins:
serverless-pre-function:
phase: rewrite
functions:
- "return function() ngx.req.set_header('X-Gateway', 'apisix') end"
serverless-post-function:
phase: log
functions:
- "return function() ngx.log(ngx.WARN, 'request completed') end"
upstream_id: my-upstream
Key Differences: Pre vs Post
| Feature | serverless-pre-function | serverless-post-function | |---------|------------------------|--------------------------| | Execution | Beginning of phase | End of phase | | Priority | 10000 (high — runs early) | −2000 (low — runs late) | | Typical Use | Pre-processing, auth guards | Post-processing, logging |
Troubleshooting
| Symptom | Cause | Fix |
|---------|-------|-----|
| only accept Lua function, the input code type is nil | Function string doesn't return a function | Wrap code in return function() ... end |
| failed to compile function | Syntax error in Lua code | Test code in a Lua REPL first |
| Function changes not taking effect | LRU cache holds old compiled function | Update route to trigger recompilation |
| ngx.say not working in header_filter | Phase restriction — cannot write body in header_filter | Use header_filter only for ngx.header modifications |
| No output in log phase | Log phase is read-only | Use ngx.log() instead of ngx.say() |
| Blocking I/O causes timeout | Synchronous operations in request path | Use ngx.timer.at() for async work |
Related Skills
moonming/a6-shared
tools
VerifiedTrustedCommunity
Core skill for working with the a6 CLI — the Apache APISIX command-line tool. Provides project conventions, command patterns, architecture overview, and development workflow. Load this skill when working on a6 source code, adding new commands, writing tests, or modifying any a6 component.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-multi-tenant
tools
VerifiedTrustedCommunity
Recipe skill for implementing multi-tenant API gateway patterns using the a6 CLI. Covers tenant isolation via Consumer Groups, host/path/header-based routing, per-tenant rate limiting, context forwarding with proxy-rewrite, and declarative config sync workflows for multi-tenant management.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-mtls
tools
VerifiedTrustedCommunity
Recipe skill for configuring mutual TLS (mTLS) using the a6 CLI. Covers SSL certificate management, upstream mTLS to backend services, client certificate verification, and end-to-end mTLS setup from client through APISIX to upstream.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-health-check
tools
VerifiedTrustedCommunity
Recipe skill for configuring upstream health checks using the a6 CLI. Covers active health checks (HTTP probing), passive health checks (response analysis), combining both, configuring healthy/unhealthy thresholds, and monitoring upstream node status.
SKILL.mdUpdated Apr 21, 2026