Hi Tim.

On 01.07.2019 at 17:48, Tim Düsterhus wrote:
> Aleks,
> 
> On 01.07.19 at 16:16, Aleksandar Lazic wrote:
>> My Idea is to use something like this in haproxy but I'm not sure if haproxy
>> only or haproxy+lua is the way to go?
> 
> If you are fine with sha1 then it's theoretically possible with HAProxy
> only:

Cool, that was fast, I will try it tomorrow and keep you updated.
I love this community.

>      http-request set-var(txn.sha1) url_param(sha1)
>      http-request set-var(txn.expires) url_param(expires)
>      http-request set-var(txn.expected_hash) path,concat(,txn.expires,),sha1,hex
>
>      acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0
>      acl expired date,sub(txn.expires) ge 0
>
>      http-response set-header Date          %[date]
>      http-response set-header Expires       %[var(txn.expires)]
>      http-response set-header Expired       %[date,sub(txn.expires)] if  expired
>      http-response set-header Not-Expired   %[date,sub(txn.expires)] if !expired
>      http-response set-header Given-Hash    %[var(txn.sha1)]
>      http-response set-header Expected-Hash %[var(txn.expected_hash)]
>      http-response set-header Hash-Valid    true  if  hash_valid
>      http-response set-header Hash-Valid    false if !hash_valid
> 
> Inserting a secret is left as an exercise to the reader. Properly using
> the two ACLs to allow or deny requests is left as an exercise as well.

Yep it's a good start, many thanks.

> NOTE OF CAUTION: The code above is vulnerable to a timing attack,
> because strcmp does not perform a constant time comparison. The 'hex'
> converter is not constant time either. The correct way to add the secret
> would be using HMAC which is not trivial to do (there is no ready
> converter), if even possible.

Thank you for raising this topic, I will keep it in mind.

> Best regards
> Tim Düsterhus

Best regards
Aleks
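The issuing side of the scheme Tim sketched, as an added example that is not part of this thread: it builds the `sha1`/`expires` query parameters the HAProxy config reads, mirrors the `path,concat(,txn.expires,),sha1,hex` expression (HAProxy's `hex` converter emits upper-case digits), and shows the keyed HMAC-SHA256 variant plus the constant-time comparison Tim's note of caution asks for. The secret value and all function names are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for this example; the thread leaves adding a secret
# to the reader, so the name and value are assumptions.
SECRET = b"example-shared-secret"


def haproxy_sha1_hex(path: str, expires: int) -> str:
    """Mirror the config's path,concat(,txn.expires,),sha1,hex: SHA-1 over
    the path followed by the expires timestamp. HAProxy's hex converter
    emits upper-case digits, so the Python side must match that."""
    return hashlib.sha1(f"{path}{expires}".encode()).hexdigest().upper()


def keyed_hash(path: str, expires: int, secret: bytes = SECRET) -> str:
    """The keyed variant Tim points to: HMAC-SHA256 over the same message,
    so a client cannot produce a valid hash without the secret."""
    msg = f"{path}{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest().upper()


def sign_url(path: str, ttl: int, now: int, keyed: bool = True) -> str:
    """Issue a URL carrying the same two query parameters the config reads."""
    expires = now + ttl
    digest = keyed_hash(path, expires) if keyed else haproxy_sha1_hex(path, expires)
    return f"{path}?{urlencode({'sha1': digest, 'expires': expires})}"


def verify_url(url: str, now: int, keyed: bool = True) -> tuple[bool, bool]:
    """Return (hash_valid, expired), the two ACLs of the config.
    compare_digest is the constant-time comparison that strcmp lacks."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        given = query["sha1"][0]
        expires = int(query["expires"][0])
    except (KeyError, ValueError):
        return False, True  # missing or malformed parameters: reject
    want = keyed_hash(parts.path, expires) if keyed else haproxy_sha1_hex(parts.path, expires)
    hash_valid = hmac.compare_digest(want, given)
    expired = now - expires >= 0  # date,sub(txn.expires) ge 0
    return hash_valid, expired
```

With `keyed=False` the digest is exactly what the HAProxy snippet computes in `txn.expected_hash`, so the two sides can be checked against each other before a secret is introduced.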
