The concat isn't available in 1.8. Any substitution?

Mon Jul 01 17:56:56 GMT+02:00 2019 Aleksandar Lazic <al-hapr...@none.at>:

> Hi Tim.
>
> Am 01.07.2019 um 17:48 schrieb Tim Düsterhus:
> > Aleks,
> >
> > Am 01.07.19 um 16:16 schrieb Aleksandar Lazic:
> >> My Idea is to use something like this in haproxy but I'm not sure if haproxy
> >> only or haproxy+lua is the way to go?
> >
> > If you are fine with sha1 then it's theoretically possible with HAProxy
> > only:
>
> Cool, that was fast, I will try it tomorrow and keep you updated.
> I love this community.
>
> >> http-request set-var(txn.sha1) url_param(sha1)
> >> http-request set-var(txn.expires) url_param(expires)
> >> http-request set-var(txn.expected_hash) path,concat(,txn.expires,),sha1,hex
> >>
> >> acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0
> >> acl expired date,sub(txn.expires) ge 0
> >>
> >> http-response set-header Date %[date]
> >> http-response set-header Expires %[var(txn.expires)]
> >> http-response set-header Expired %[date,sub(txn.expires)] if expired
> >> http-response set-header Not-Expired %[date,sub(txn.expires)] if !expired
> >> http-response set-header Given-Hash %[var(txn.sha1)]
> >> http-response set-header Expected-Hash %[var(txn.expected_hash)]
> >> http-response set-header Hash-Valid true if hash_valid
> >> http-response set-header Hash-Valid false if !hash_valid
> >
> > Inserting a secret is left as an exercise to the reader. Properly using
> > the two ACLs to allow or deny requests is left as an exercise as well.
>
> Yep it's a good start, many thanks.
>
> > NOTE OF CAUTION: The code above is vulnerable to a timing attack,
> > because strcmp does not perform a constant time comparison. The 'hex'
> > converter is not constant time either. The correct way to add the secret
> > would be using HMAC which is not trivial to do (there is no ready
> > converter), if even possible.
>
> Thank you for raising this topic, I will keep it in mind.
>
> > Best regards
> > Tim Düsterhus
>
> Best regards
> Aleks
>
>
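
Added example, not part of the original thread and not HAProxy code: a Python reference for the expiring-link check discussed above, with the secret mixed in via HMAC-SHA256 and a constant-time comparison, usable to generate links or to cross-check a proxy-side implementation. The key, the function names and the sample paths in it are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: constructed placeholder key; load the real one from secure storage.
SECRET = b"constructed-demo-key"


def sign(path: str, expires: int, key: bytes = SECRET) -> str:
    """Return the hex HMAC-SHA256 over the path and the expiry timestamp."""
    # The newline separator keeps the path/expires boundary unambiguous,
    # which plain concatenation of the two values does not.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(path: str, given_mac: str, expires: str,
           now=None, key: bytes = SECRET) -> bool:
    """Accept only a link whose MAC matches and whose expiry is in the future."""
    now = int(time.time()) if now is None else now
    # Reject anything that is not a short run of ASCII digits before parsing.
    if not (expires.isascii() and expires.isdigit() and len(expires) <= 12):
        return False
    expected = sign(path, int(expires), key)
    # compare_digest takes time independent of where the two values differ,
    # unlike an ordinary string comparison.
    mac_ok = hmac.compare_digest(expected.encode(), given_mac.lower().encode())
    # Same test as the 'expired' ACL in the thread: expired once now - expires >= 0.
    return mac_ok and now - int(expires) < 0
```

The MAC is checked before the expiry result is combined, so a request with a bad signature and a request with an expired one both end in the same `False`.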
