The Nginx HMAC secure link module enhances the security and functionality of the standard secure link module.
8
+
Secure token is created using secure HMAC construction with an arbitrary hash algorithm supported by OpenSSL, e.g., `md5`, `sha1`, `sha256`, `sha512`. Furthermore, secure token is created as described in RFC2104, that is, `H(secret_key XOR opad,H(secret_key XOR ipad, message))` instead of a simple `MD5(secret_key,message, expire)`.
15
9
16
10
Installation:
17
11
--
18
12
19
-
You'll need to re-compile Nginx from source to include this module.
20
-
Modify your compile of Nginx by adding the following directive
21
-
(modified to suit your path of course):
13
+
You'll need to re-compile Nginx from source to include this module.
14
+
Modify your compile of Nginx by adding the following directive (modified to suit your path of course):
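Review bot: The added description line names `md5` and `sha1` next to `sha256` and `sha512` as equal examples and gives no recommendation on which to choose. Consider leading with `sha256` and saying which algorithm to prefer for new deployments, since readers tend to copy the first example they see. The same line also repeats "secure token is created" in two consecutive sentences, which could be merged into one.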
Message to be hashed is defined by secure_link_hmac_message, secret_key
31
-
is given by secure_link_hmac_secret, and hashing algorithm H is defined
32
-
by secure_link_hmac_algorithm. For improved security the timestamp in
33
-
ISO 8601 format should be appended to the message to be hashed.
23
+
Message to be hashed is defined by `secure_link_hmac_message`, `secret_key` is given by `secure_link_hmac_secret`, and hashing algorithm H is defined by `secure_link_hmac_algorithm`.
34
24
35
-
It is possible to create links with limited lifetime. This is defined by
36
-
an optional parameter. If the expiration period is zero or it is not specified,
37
-
a link has the unlimited lifetime.
25
+
For improved security the timestamp in ISO 8601 format should be appended to the message to be hashed.
26
+
27
+
It is possible to create links with limited lifetime. This is defined by an optional parameter. If the expiration period is zero or it is not specified, a link has the unlimited lifetime.
38
28
39
29
Configuration example for server side.
40
30
31
+
```nginx
41
32
location ^~ /files/ {
42
-
43
33
# Variable to be passed are secure token, timestamp, expiration period (optional)
44
34
secure_link $arg_st,$arg_ts,$arg_e;
45
35
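Review bot: In the added lifetime paragraph, "This is defined by an optional parameter" never names the parameter; the only hint is the third field of `secure_link $arg_st,$arg_ts,$arg_e;` further down. Suggest naming it in that sentence and stating plainly that leaving it out or passing zero yields a link that never expires, because that is what a reader gets by default. Minor wording: "a link has the unlimited lifetime" should read "a link has unlimited lifetime", and `secret_key` is now backticked like the directive names around it although it is the symbol from the formula, not a setting.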
@@ -64,12 +54,13 @@ location ^~ /files/ {
64
54
65
55
rewrite ^/files/(.*)$ /files/$1 break;
66
56
}
57
+
```
67
58
68
-
Application side should use a standard hash_hmac function to generate hash, which
69
-
then needs to be base64url encoded. Example in Perl below.
59
+
Application side should use a standard hash_hmac function to generate hash, which then needs to be base64url encoded. Example in Perl below.
70
60
71
-
# Variable $data contains secure token, timestamp in ISO 8601 format, and expiration
72
-
# period in seconds
61
+
#### Variable $data contains secure token, timestamp in ISO 8601 format, and expiration period in seconds
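Review bot: The added line `#### Variable $data contains ...` replaces a two-line Perl comment with text that Markdown renders as a level-4 heading, and this hunk shows no opening fence for the Perl example the way it adds one around the nginx block. If the line is meant to stay a comment inside the Perl sample, open a `perl` fence before it and keep a single `#`; if it is meant as prose, drop the hashes. In the sentence above it, `hash_hmac` could also get backticks to match the other identifiers touched by this change.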
It is also possible to use this module with a Nginx acting as proxy server.
109
102
110
-
The string to be signed is defined in secure_link_hmac_message, the secure_link_token
111
-
variable contains then a secure token to be passed to backend server.
103
+
The string to be signed is defined in `secure_link_hmac_message`, the `secure_link_token` variable contains then a secure token to be passed to backend server.
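Review bot: In the added line, `secure_link_token` is called a variable but is written without a leading `$`, so it reads like a directive next to `secure_link_hmac_message`, while the configuration example writes variables as `$arg_st`. Suggest writing it as `$secure_link_token` if that is the variable's name. Wording: "contains then a secure token" reads better as "then contains the secure token", and the context line above has "a Nginx" where "an Nginx" is meant.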