Hi.

I am trying to implement the following solution with haproxy 1.8.

https://aws.amazon.com/fr/blogs/networking-and-content-delivery/serving-private-content-using-amazon-cloudfront-aws-lambdaedge/

https://www.nginx.com/blog/securing-urls-secure-link-module-nginx-plus/
https://nginx.org/en/docs/http/ngx_http_secure_link_module.html

In short.

The URL `https://host/secure/myfile?(...&)?md5=...&expires=...` should be 
validated.

```
# where enigma is the password.
# Make sure you keep one space between $uri and password

secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri enigma";

if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 410; }
```

It looks similar to an S3 download protection, where the application behind
nginx/HAProxy creates an MD5 URL which nginx/HAProxy needs to verify before the
client can download the file.

My idea is to use something like this in haproxy, but I'm not sure whether
haproxy only or haproxy+lua is the way to go.


```
# environment: SECRET=enigma

http-request set-var(sess.md5)     url_param(md5)
http-request set-var(sess.expires) url_param(expires)

# is there any md5 function? I haven't seen it in the doc.
acl allow -m str %[md5(url-without-params,sess.expires,"${SECRET}"),base64,regsub(/=/,'',g),regsub(/\+/,'-',g),regsub(/\//,'_',g)] %[sess.md5]

acl expired -m int %[date(-3600)] %[sess.expires]

http-request deny deny_status 403 if ! allow ! expired
http-request deny deny_status 410 if expired  # <= this is not possible AFAIK
http-request allow if allow
```

How difficult would it be to make the base64 converter
(https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.1-base64)
compliant with https://tools.ietf.org/html/rfc4648#section-5 (base64url)?

That's the code from nginx for ngx_decode_base64url.
http://hg.nginx.org/nginx/file/tip/src/core/ngx_string.c#l1228

Any opinions? Thanks for your help.

Best regards
Aleks
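Added example (not part of Aleks' mail, and not HAProxy or nginx code): a small Python reference implementation of the token scheme the nginx snippet above describes, so the two sides can be tested before wiring anything into haproxy or a Lua action. It computes MD5 over "<expires><uri> <secret>" and encodes it as base64url without padding, which is what `secure_link_md5 "$secure_link_expires$uri enigma"` checks against `$arg_md5`; it also shows that the three `regsub` steps from the haproxy draft (drop `=`, `+` to `-`, `/` to `_`) produce exactly the RFC 4648 section 5 alphabet. The secret `enigma`, the host and the paths are made-up test values taken from the mail. If the haproxy+lua route is chosen, this is the logic the Lua action would have to carry out.

```python
"""Reference implementation of the nginx secure_link token check (added example).

Token = base64url_without_padding( md5( "<expires><uri> <secret>" ) )
Verifier returns 'ok', 'forbidden' (-> 403) or 'expired' (-> 410),
mirroring the two `if ($secure_link ...)` branches in the nginx snippet.
"""
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = "enigma"  # the password from the nginx snippet; a constructed test value


def secure_link_token(uri: str, expires: int, secret: str = SECRET) -> str:
    """Token as secure_link_md5 "$secure_link_expires$uri secret" computes it:
    raw MD5 digest, URL-safe base64 alphabet, '=' padding removed."""
    digest = hashlib.md5(f"{expires}{uri} {secret}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def regsub_base64url(standard_b64: str) -> str:
    """The conversion the haproxy draft attempts with three regsub converters.
    Standard base64 -> base64url (RFC 4648 section 5) without padding."""
    s = re.sub(r"=", "", standard_b64)
    s = re.sub(r"\+", "-", s)
    return re.sub(r"/", "_", s)


def secure_link_token_via_regsub(uri: str, expires: int, secret: str = SECRET) -> str:
    """Same token, but built the way the haproxy draft would: plain base64
    followed by the regsub chain. Must equal secure_link_token()."""
    digest = hashlib.md5(f"{expires}{uri} {secret}".encode()).digest()
    return regsub_base64url(base64.b64encode(digest).decode())


def make_signed_url(host: str, uri: str, ttl: int, secret: str = SECRET, now=None) -> str:
    """What the application behind the proxy hands out to the client."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"md5": secure_link_token(uri, expires, secret), "expires": expires})
    return f"https://{host}{uri}?{query}"


def check_secure_link(uri: str, md5_arg: str, expires_arg: str,
                      secret: str = SECRET, now=None) -> str:
    """Verifier side. Like nginx, the signature is checked before the expiry:
    a bad or missing token is 'forbidden' even if it is also out of date."""
    if not md5_arg or not expires_arg or not expires_arg.isdigit():
        return "forbidden"
    expected = secure_link_token(uri, int(expires_arg), secret)
    # constant-time compare: an early-exit string compare would leak how many
    # leading characters of a guessed token were right
    if not hmac.compare_digest(expected, md5_arg):
        return "forbidden"
    current = int(now if now is not None else time.time())
    if int(expires_arg) < current:
        return "expired"
    return "ok"


def verify_url(url: str, secret: str = SECRET, now=None) -> str:
    """Split a request URL into path and the md5/expires parameters and verify it."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    return check_secure_link(parts.path,
                             params.get("md5", [""])[0],
                             params.get("expires", [""])[0],
                             secret, now)


if __name__ == "__main__":
    signed = make_signed_url("host", "/secure/myfile", ttl=3600, now=1700000000)
    print(signed)
    print("fresh   :", verify_url(signed, now=1700000001))
    print("too late:", verify_url(signed, now=1700003601))
    print("tampered:", check_secure_link("/secure/otherfile", signed.split("md5=")[1].split("&")[0],
                                         "1700003600", now=1700000001))
```

Two points worth keeping in mind when porting this: the md5 parameter must be compared with a constant-time function, and the verifier has to hash exactly the same bytes as the generator (same URI form, no re-encoding, the single space before the secret). The construction itself is hash(message || secret) rather than an HMAC; it is kept here because it is what nginx secure_link does and the generator has to match it, but a scheme designed from scratch today would use an HMAC with SHA-256.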
