The concat isn't available in 1.8. Any substitution?

Mon Jul 01 17:56:56 GMT+02:00 2019 Aleksandar Lazic <al-hapr...@none.at>:
> Hi Tim.
>
> On 01.07.2019 at 17:48, Tim Düsterhus wrote:
> > Aleks,
> >
> > On 01.07.19 at 16:16, Aleksandar Lazic wrote:
> >> My idea is to use something like this in haproxy but I'm not sure if haproxy
> >> only or haproxy+lua is the way to go?
> >
> > If you are fine with sha1 then it's theoretically possible with HAProxy
> > only:
>
> Cool, that was fast, I will try it tomorrow and keep you updated.
> I love this community.
>
> >> http-request set-var(txn.sha1) url_param(sha1)
> >> http-request set-var(txn.expires) url_param(expires)
> >> http-request set-var(txn.expected_hash) path,concat(,txn.expires,),sha1,hex
> >>
> >> acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0
> >> acl expired date,sub(txn.expires) ge 0
> >>
> >> http-response set-header Date %[date]
> >> http-response set-header Expires %[var(txn.expires)]
> >> http-response set-header Expired %[date,sub(txn.expires)] if expired
> >> http-response set-header Not-Expired %[date,sub(txn.expires)] if !expired
> >> http-response set-header Given-Hash %[var(txn.sha1)]
> >> http-response set-header Expected-Hash %[var(txn.expected_hash)]
> >> http-response set-header Hash-Valid true if hash_valid
> >> http-response set-header Hash-Valid false if !hash_valid
> >
> > Inserting a secret is left as an exercise to the reader. Properly using
> > the two ACLs to allow or deny requests is left as an exercise as well.
>
> Yep it's a good start, many thanks.
>
> > NOTE OF CAUTION: The code above is vulnerable to a timing attack,
> > because strcmp does not perform a constant time comparison. The 'hex'
> > converter is not constant time either. The correct way to add the secret
> > would be using HMAC which is not trivial to do (there is no ready
> > converter), if even possible.
>
> Thank you for raising this topic, I will keep it in mind.
>
> > Best regards
> > Tim Düsterhus
>
> Best regards
> Aleks
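
The expiring-link check discussed in this thread, with the two points from the note of caution applied (a keyed HMAC instead of a bare hash, and a constant-time comparison), as an added example that is not code from the thread or from HAProxy. It is written in Python outside the proxy; the key, the function names, the `sig` parameter and the choice of HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real deployment loads it from protected configuration.
SECRET = b"constructed-demo-secret"


def _mac(path: str, expires: int) -> str:
    # Length-prefix the path so the path/expires boundary cannot be shifted
    # to make two different (path, expires) pairs produce the same message.
    msg = f"{len(path)}:{path}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int) -> str:
    """Return path plus expires (Unix seconds) and the HMAC over both."""
    return f"{path}?expires={expires}&sig={_mac(path, expires)}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Accept only an untampered link whose expiry lies in the future."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        raw_expires = query["expires"][0]
        given = query["sig"][0]
    except KeyError:
        return False
    if not (raw_expires.isascii() and raw_expires.isdigit()):
        return False
    expires = int(raw_expires)
    expected = _mac(parts.path, expires)
    # hmac.compare_digest takes the same time wherever the first mismatch
    # is, unlike an ordinary string comparison.
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return False
    # Same rule as the 'expired' ACL: expired once now - expires >= 0.
    return now < expires
```
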