Aleks,

On 01.07.19 at 16:16, Aleksandar Lazic wrote:
> My idea is to use something like this in haproxy but I'm not sure if haproxy
> only or haproxy+lua is the way to go?

If you are fine with sha1 then it's theoretically possible with HAProxy
only:

>       http-request set-var(txn.sha1) url_param(sha1)
>       http-request set-var(txn.expires) url_param(expires)
>       http-request set-var(txn.expected_hash) path,concat(,txn.expires,),sha1,hex
>
>       acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0
>       acl expired date,sub(txn.expires) ge 0
>
>       http-response set-header Date          %[date]
>       http-response set-header Expires       %[var(txn.expires)]
>       http-response set-header Expired       %[date,sub(txn.expires)] if  expired
>       http-response set-header Not-Expired   %[date,sub(txn.expires)] if !expired
>       http-response set-header Given-Hash    %[var(txn.sha1)]
>       http-response set-header Expected-Hash %[var(txn.expected_hash)]
>       http-response set-header Hash-Valid    true  if  hash_valid
>       http-response set-header Hash-Valid    false if !hash_valid

Inserting a secret is left as an exercise to the reader. Properly using
the two ACLs to allow or deny requests is left as an exercise as well.

NOTE OF CAUTION: The code above is vulnerable to a timing attack,
because strcmp does not perform a constant time comparison. The 'hex'
converter is not constant time either. The correct way to add the secret
would be using HMAC which is not trivial to do (there is no ready
converter), if even possible.

Best regards
Tim Düsterhus
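
Added example, not part of the original mail and not HAProxy code: a Python reference for the same path+expires link check, with the secret applied through HMAC and the comparison done in constant time. The secret value, the `sig` parameter name, the function names and the choice of SHA-256 are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: a secret shared by the link issuer and the verifier (constructed value).
SECRET = b"constructed-demo-secret"


def _mac(path: str, expires: int) -> str:
    # Length-prefix the path so the path/expires boundary cannot be shifted,
    # which plain concatenation (path + expires) would allow.
    msg = f"{len(path)}:{path}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int) -> str:
    """Issue a link that is valid until the Unix timestamp `expires`."""
    return f"{path}?expires={expires}&sig={_mac(path, expires)}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Return True only if the signature matches and the link has not expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        given = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters are rejected outright
    expected = _mac(parts.path, expires)
    # compare_digest does not return early at the first differing byte,
    # unlike strcmp in the configuration above.
    hash_valid = hmac.compare_digest(expected.encode(), given.encode())
    expired = now - expires >= 0  # same sense as "date,sub(txn.expires) ge 0"
    return hash_valid and not expired


if __name__ == "__main__":
    link = sign_url("/files/report.pdf", int(time.time()) + 300)
    print(link, verify_url(link))
```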
