| 1 | +Nginx HMAC Secure Link Module |
| 2 | +-- |
| 3 | + |
| 4 | +Description: |
| 5 | +-- |
| 6 | + |
| 7 | +The Nginx HMAC secure link module enhances the security and functionality |
| 8 | +of the standard secure link module. Secure token is created using secure |
| 9 | +HMAC construction with an arbitrary hash algorithm supported by OpenSSL, |
| 10 | +e.g., md5, sha1, sha256, sha512. Furthermore, secure token is created as |
| 11 | +described in RFC2104, that is, |
| 12 | +H(secret_key XOR opad,H(secret_key XOR ipad, message)) |
| 13 | +instead of a simple |
| 14 | +MD5(secret_key,message, expire). |
| 15 | + |
| 16 | +Installation: |
| 17 | +-- |
| 18 | + |
| 19 | +You'll need to re-compile Nginx from source to include this module. |
| 20 | +Modify your compile of Nginx by adding the following directive |
| 21 | +(modified to suit your path of course): |
| 22 | + |
| 23 | +./configure --with-http_ssl_module --add-module=/absolute/path/to/nginx-hmac-secure-link |
| 24 | +make |
| 25 | +make install |
| 26 | + |
| 27 | +Usage: |
| 28 | +-- |
| 29 | + |
| 30 | +Message to be hashed is defined by secure_link_hmac_message, secret_key |
| 31 | +is given by secure_link_hmac_secret, and hashing algorithm H is defined |
| 32 | +by secure_link_hmac_algorithm. The expiration timestamp can be either |
| 33 | +appended to secret key, or message to be hashed, or both. |
| 34 | + |
| 35 | +Configuration example below. |
| 36 | + |
| 37 | +location ^~ /files/ { |
| 38 | + secure_link $arg_st,$arg_e; |
| 39 | + secure_link_hmac_secret my_secret_key$arg_e; |
| 40 | + secure_link_hmac_message $uri; |
| 41 | + secure_link_hmac_algorithm sha256; |
| 42 | + |
| 43 | + if ($secure_link = "") { |
| 44 | + return 403; |
| 45 | + } |
| 46 | + |
| 47 | + if ($secure_link = "0") { |
| 48 | + return 410; |
| 49 | + } |
| 50 | + |
| 51 | + rewrite ^/files/(.$)$ /files/$1 break; |
| 52 | +} |
| 53 | + |
| 54 | +Application side should use a standard hash_hmac function to generate |
| 55 | +hash, which then needs to be base64 encoded. Example in PHP |
| 56 | + |
| 57 | + $expire = time() + 3600; |
| 58 | + $secret = "my_secret_key" . $expire; |
| 59 | + $algo = "sha256"; |
| 60 | + $path = "/files/top_secret.pdf"; |
| 61 | + $hashmac = base64_encode(hash_hmac($algo,$path,$secret,true)); |
| 62 | + $hashmac = strtr($hashmac,"+/","-_")); |
| 63 | + $hashmac = str_replace("=","",$hashmac); |
| 64 | + $host = $_SERVER['HTTP_HOST']; |
| 65 | + $loc = "https://" . $host . "/files/top_secret.pdf" . "?st=" . $hashmac . "&e=" . $expire; |
| 66 | + |
| 67 | +Contributing: |
| 68 | +-- |
| 69 | + |
| 70 | +Git source repositories: |
| 71 | +http://github.com/timo2/nginx-hmac-secure-link/tree/master |
| 72 | + |
| 73 | +Please feel free to fork the project at GitHub and submit pull requests or patches. |