Hi nginx team,
as I replaced some lighttpd service by nginx (without touching the web
application) I had to apply some changes to the source of the
ngx_http_secure_link_module. Some of the changes I found already as a
patch in a forum but I had to extend this to have a 100% compatibility
to the lighttpd mod_secdownload. Here are the differences in short:
- lighttpd/secdownload expects the hash to be encoded as hexdecimal of
the md5 instead of base64
- lighttpd/secdownload adds the timestamp hexdecimal encoded es well -
instead of decimal
- lighttpd/secdownload expects the timestamp to be the create time and
calculates a delta itself
My nginx config is basically like this (relevant part only):
# 1st match: hash(hex), 2nd match: time(hex), 3rd match: real location
location ~* "^/([a-fA-F0-9]{32,32})/([a-fA-f0-9]{8,8})/(.*)$" {
## this is the key compared to 'secdownload.secret'
set $sec_key 'my-secret-key';
## this is the location of hash and time;
## combinded with this context it equals
## secdownload.uri-prefix = '/' and secdownload.timeout = 600
## my patch introduced a hex time when the timestamp starts with 0x
secure_link $1,0x$2+600;
## this is default with lighttpd/secdownload (according to its
documentation)
secure_link_md5 $sec_key/$3$2;
if ($secure_link = "") { # not valid
return 403;
}
if ($secure_link = "0") { # expired
return 410;
}
proxy_pass http://127.0.0.1:8080/$3;
proxy_set_header Host mylocalservice.intra;
}
Does this patch make sense to your project? This would be great because
otherwise I need to patch every version myself befor I can use it. And
maybe there are other usecases where lighttpd needs to be replaced ;-)
Here is the patch I actually use:
----- START PATCH -----
--- ngx_http_secure_link_module.c.old 2014-08-05 13:18:35.000000000
+0200
+++ ngx_http_secure_link_module.c 2014-08-17 12:19:00.770229341 +0200
@@ -101,13 +101,15 @@ static ngx_int_t
ngx_http_secure_link_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
- u_char *p, *last;
+ u_char *p, *q, *last;
ngx_str_t val, hash;
- time_t expires;
+ time_t expires, ttl;
ngx_md5_t md5;
ngx_http_secure_link_ctx_t *ctx;
ngx_http_secure_link_conf_t *conf;
u_char hash_buf[16], md5_buf[16];
+ ngx_int_t n;
+ ngx_uint_t i;
conf = ngx_http_get_module_loc_conf(r,
ngx_http_secure_link_module);
@@ -129,16 +131,38 @@ ngx_http_secure_link_variable(ngx_http_r
last = val.data + val.len;
p = ngx_strlchr(val.data, last, ',');
+
expires = 0;
+ ttl = 0;
- if (p) {
- val.len = p++ - val.data;
+ if (p) { // expires
+ val.len = p - val.data;
- expires = ngx_atotm(p, last - p);
- if (expires <= 0) {
+ if (last - ++p < 0) {
goto not_found;
}
+ q = ngx_strlchr(p, last, '+');
+
+ if (q) { // ttl
+ if (last - ++q < 0 || (ttl = ngx_atotm(q, last - q)) < 0 || --q -
p <= 0) {
+ goto not_found;
+ }
+ } else {
+ q = last;
+ }
+
+ if (p[0] == '0' && p[1] == 'x' && p[2]) { /* hexdecimal time */
+ p += 2; /* skip '0x' */
+ if((expires = ngx_hextoi(p, q - p)) == NGX_ERROR) {
+ goto not_found;
+ }
+ } else if ((expires = ngx_atotm(p, q - p)) <= 0) { /* decimal
time */
+ goto not_found;
+ }
+
+ expires += ttl;
+
ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_secure_link_ctx_t));
if (ctx == NULL) {
return NGX_ERROR;
@@ -146,22 +170,26 @@ ngx_http_secure_link_variable(ngx_http_r
ngx_http_set_ctx(r, ctx, ngx_http_secure_link_module);
- ctx->expires.len = last - p;
+ ctx->expires.len = q - p;
ctx->expires.data = p;
}
- if (val.len > 24) {
- goto not_found;
- }
-
hash.len = 16;
hash.data = hash_buf;
- if (ngx_decode_base64url(&hash, &val) != NGX_OK) {
- goto not_found;
- }
-
- if (hash.len != 16) {
+ if (val.len == 32) { // hexadecimal md5
+ for (i = 0; i < 16; i++) {
+ n = ngx_hextoi(&val.data[2 * i], 2);
+ if (n == NGX_ERROR) {
+ goto not_found;
+ }
+ hash.data[i] = n;
+ }
+ } else if (val.len <= 24) { // base64 md5
+ if (ngx_decode_base64url(&hash, &val) != NGX_OK || hash.len != 16) {
+ goto not_found;
+ }
+ } else {
goto not_found;
}
----- END PATCH -----
Thank you for your feedback!
/Mario
_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
