HttpSecureLinkModule Q?

Sven 'Darkman' Michels sven at darkman.de
Wed Dec 22 10:12:52 MSK 2010


Hi,

May I suggest to do it like mod_secdownload from lighttpd? Instead of re-inventing
the wheel you would also have compatibility which could/would make it easier to
switch.

The URLs are in the form of:
$prefix/$hash/$timestamp/$path/to/file

$prefix can be anything to separate different secret areas
$hash is a md5hash from $secret$file$timestamp
$timestamp is a unixtimestamp in hex
$path/to/file is the complete path with file you want to request

On the server side you have to set variables like the expiration time, the secret
and maybe the "real" path per location if you do not want to have the files stored
inside root to be sure that it cannot be requested by accident.

On the server side you would have to do the following:
parse the url for $prefix/$hash/$timestamp/$path/to/file, convert the timestamp
from hex back to unixtime and check if $unixtimestamp+$timeout < $timenow,
otherwise return 410 (gone). If not, check if provided md5hash matches local
generated hash with $secret$file$timestamp where $timestamp is used from the
request (since this provides you the timestamp when the url was generated).

This would make clear urls (no uuencoding etc.), having expiration time, and
compatibility to "other well known solution". Having lighty beside nginx would
be no problem and you could use well known code / modules for other cms systems
etc. which already support mod_secdownload.

But that's just my 2 cents...

Regards,
Sven

On 22.12.2010 07:56, Weibin Yao wrote:
> António P. P. Almeida at 2010-12-22 13:53 wrote:
>> I've updated the Wiki:
>> http://wiki.nginx.org/HttpSecureLinkModule#For_Nginx_version_.E2.89.A5_0.8.50_-_better_handling_of_the_MD5_hash_and_adding_expiration_time
>>
>> based on the discussion on this thread. Please verify it.
>>   
> I think you should add the expiration time in another argument like this:
> http://example.com/p/file/top_secret.pdf?st=vXjVzvGW4363YG1I6vb11A&e=13245277231161
> 
> It seems that the new secure link module (above Nginx-0.8.50) uses the raw binary
> format MD5 instead. And the php CLI is like this:
> php -r 'print  str_replace("=", "",
> strtr(base64_encode(md5("segredo/p/files/top_secret.pdf13245277231161", true)),
> "+/", "-_")) . "\n";'
> 
> And the configuration (have not tested yet):
> 
> location /p/ {
>    secure_link $arg_st,$arg_e; # this must match the URI part related to the MD5 hash and expiration
>    secure_link_md5 segredo$uri$arg_e; # this is how the MD5 hash is built from a secret token and an URI
> 
>    ## If the hash is incorrect then $secure_link is a null string.
>    if ($secure_link = "") {
>        return 403;
>    }
> 
>    ## The current local time is greater than the specified expiration time.
>    if ($secure_link = "0") {
>        return 403;
>    }
> 
>    ## If everything is ok $secure_link is 1.
>    ## This needs to be here otherwise you'll get a 404.
>    rewrite ^/p/(.*)$ /p/$1 break;
> }
>> Thanks,
>> --- appa
>>
> 
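
The URL generation and server-side check described in Sven's message above ($prefix/$hash/$timestamp/$path/to/file), written out in Python as an added illustration; it is not code from this thread, lighttpd or nginx. The secret, prefix, timeout and function names are constructed, and two details are assumptions: $file keeps its leading slash, and timestamps further than the timeout in the future are rejected as well.

```python
import hashlib
import hmac
import re

# Constructed sample settings (assumptions, not values from the thread).
SECRET = "example-secret"
PREFIX = "/dl"
TIMEOUT = 3600  # seconds a generated link stays valid

# <32 hex md5>/<hex unix timestamp>/<path/to/file>
URL_RE = re.compile(r"^(?P<hash>[0-9a-f]{32})/(?P<ts>[0-9a-f]{1,8})(?P<file>/.+)$")


def _token(file_path, ts_hex):
    # md5 over $secret$file$timestamp, with the timestamp in hex as it appears in the URL
    return hashlib.md5((SECRET + file_path + ts_hex).encode()).hexdigest()


def make_url(file_path, now):
    """Application side: build a link for file_path (with leading slash)."""
    ts_hex = format(int(now), "x")
    return f"{PREFIX}/{_token(file_path, ts_hex)}/{ts_hex}{file_path}"


def check_url(url, now):
    """Server side: return (status, file_path).

    200 = serve file, 404 = not a secure link, 410 = expired, 403 = hash mismatch.
    """
    if not url.startswith(PREFIX + "/"):
        return 404, None
    m = URL_RE.match(url[len(PREFIX) + 1:])
    if m is None:
        return 404, None
    # Expiry is checked first, using the timestamp taken from the request.
    ts = int(m["ts"], 16)
    if abs(int(now) - ts) > TIMEOUT:
        return 410, None
    # Recompute the hash locally from the secret and the request's own fields;
    # compare_digest avoids leaking how many leading characters matched.
    expected = _token(m["file"], m["ts"])
    if not hmac.compare_digest(expected, m["hash"]):
        return 403, None
    return 200, m["file"]
```

Because the timestamp is part of the hashed string, changing it in the URL to extend a link's lifetime fails the hash check rather than the expiry check.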


