Re: Please help for a solution like secure_link
Tim, Mon Jul 01 21:36:11 GMT+02:00 2019 Tim Düsterhus : > Aleks, > > Am 01.07.19 um 21:27 schrieb Aleksandar Lazic: > > Maybe it's also possible with spoe ? > > I never worked with SPOE before, but I believe it might be possible. > SPOE is painful and fragile with HAProxy 1.8, though, because you have > to spawn the SPOA manually. Also using SPOE is pretty heavy, because it > requires interprocess communication which is not required with Lua. Yes, that's true. > Ideally you would just upgrade to HAProxy 2.0 or rebuild to include Lua. I would like to use 2.0.1 as I switched today to it for my nextcloud and xmpp server and it works. :-) I will try to see what's possible. Thank you very much for your time an solution. > Best regards > Tim Düsterhus Best regards Aleks > > Lua requires a rebuild of haproxy , which I want to avoid. > > > > Mon Jul 01 21:18:42 GMT+02:00 2019 Tim Düsterhus : > > > >> Aleks, > >> > >> Am 01.07.19 um 21:16 schrieb Aleksandar Lazic: > >>> > >>> The concat isn't available in 1.8 any substitution? > >> > >> Ugh, yeah. Both concat and strcmp are 1.9+. I must've missed that > >> requirement. You can use Lua to add yourself a concat and strcmp > >> converter. Or you do everything in Lua if you need Lua anyway. > >> > >> Best regards > >> Tim Düsterhus > >> > > > >
Re: Please help for a solution like secure_link
Aleks, Am 01.07.19 um 21:27 schrieb Aleksandar Lazic: > Maybe it's also possible with spoe ? I never worked with SPOE before, but I believe it might be possible. SPOE is painful and fragile with HAProxy 1.8, though, because you have to spawn the SPOA manually. Also using SPOE is pretty heavy, because it requires interprocess communication which is not required with Lua. Ideally you would just upgrade to HAProxy 2.0 or rebuild to include Lua. Best regards Tim Düsterhus > Lua requires a rebuild of haproxy , which I want to avoid. > > Mon Jul 01 21:18:42 GMT+02:00 2019 Tim Düsterhus : > >> Aleks, >> >> Am 01.07.19 um 21:16 schrieb Aleksandar Lazic: >>> >>> The concat isn't available in 1.8 any substitution? >> >> Ugh, yeah. Both concat and strcmp are 1.9+. I must've missed that >> requirement. You can use Lua to add yourself a concat and strcmp >> converter. Or you do everything in Lua if you need Lua anyway. >> >> Best regards >> Tim Düsterhus >> >
Re: Please help for a solution like secure_link
Thanks. Maybe it's also possible with spoe ? Lua requires a rebuild of haproxy , which I want to avoid. Mon Jul 01 21:18:42 GMT+02:00 2019 Tim Düsterhus : > Aleks, > > Am 01.07.19 um 21:16 schrieb Aleksandar Lazic: > > > > The concat isn't available in 1.8 any substitution? > > Ugh, yeah. Both concat and strcmp are 1.9+. I must've missed that > requirement. You can use Lua to add yourself a concat and strcmp > converter. Or you do everything in Lua if you need Lua anyway. > > Best regards > Tim Düsterhus >
Re: Please help for a solution like secure_link
Aleks, Am 01.07.19 um 21:16 schrieb Aleksandar Lazic: > > The concat isn't available in 1.8 any substitution? Ugh, yeah. Both concat and strcmp are 1.9+. I must've missed that requirement. You can use Lua to add yourself a concat and strcmp converter. Or you do everything in Lua if you need Lua anyway. Best regards Tim Düsterhus
Re: Please help for a solution like secure_link
The concat isn't available in 1.8 any substitution? Mon Jul 01 17:56:56 GMT+02:00 2019 Aleksandar Lazic : > Hi Tim. > > Am 01.07.2019 um 17:48 schrieb Tim Düsterhus: > > Aleks, > > > > Am 01.07.19 um 16:16 schrieb Aleksandar Lazic: > >> My Idea is to use something like this in haproxy but I'm not sure if > >> haproxy > >> only or haproxy+lua is the way to go? > > > > If you are fine with sha1 then it's theoretically possible with HAProxy > > only: > > Cool, that was fast, I will try it tommorw and keep you updated. > I love this community. > > >> http-request set-var(txn.sha1) url_param(sha1) > >> http-request set-var(txn.expires) url_param(expires) > >> http-request set-var(txn.expected_hash) path,concat(,txn.expires,),sha1,hex > >> > >> acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0 > >> acl expired date,sub(txn.expires) ge 0 > >> > >> http-response set-header Date %[date] > >> http-response set-header Expires %[var(txn.expires)] > >> http-response set-header Expired %[date,sub(txn.expires)] if expired > >> http-response set-header Not-Expired %[date,sub(txn.expires)] if !expired > >> http-response set-header Given-Hash %[var(txn.sha1)] > >> http-response set-header Expected-Hash %[var(txn.expected_hash)] > >> http-response set-header Hash-Valid true if hash_valid > >> http-response set-header Hash-Valid false if !hash_valid > > > > Inserting a secret is left as an exercise to the reader. Properly using > > the two ACLs to allow or deny requests is left as an exercise as well. > > Yep it's a good start, many thanks. > > > NOTE OF CAUTION: The code above is vulnerable to a timing attack, > > because strcmp does not perform a constant time comparison. The 'hex' > > converter is not constant time either. The correct way to add the secret > > would be using HMAC which is not trivial to do (there is no ready > > converter), if even possible. > > Thank you to raise this topic, I will keep it in mind. > > > Best regards > > Tim Düsterhus > > Best regards > Aleks > >
Re: Please help for a solution like secure_link
Hi Tim. Am 01.07.2019 um 17:48 schrieb Tim Düsterhus: > Aleks, > > Am 01.07.19 um 16:16 schrieb Aleksandar Lazic: >> My Idea is to use something like this in haproxy but I'm not sure if haproxy >> only or haproxy+lua is the way to go? > > If you are fine with sha1 then it's theoretically possible with HAProxy > only: Cool, that was fast, I will try it tommorw and keep you updated. I love this community. >> http-request set-var(txn.sha1) url_param(sha1) >> http-request set-var(txn.expires) url_param(expires) >> http-request set-var(txn.expected_hash) >> path,concat(,txn.expires,),sha1,hex >> >> acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0 >> acl expired date,sub(txn.expires) ge 0 >> >> http-response set-header Date %[date] >> http-response set-header Expires %[var(txn.expires)] >> http-response set-header Expired %[date,sub(txn.expires)] if >> expired >> http-response set-header Not-Expired %[date,sub(txn.expires)] if >> !expired >> http-response set-header Given-Hash%[var(txn.sha1)] >> http-response set-header Expected-Hash %[var(txn.expected_hash)] >> http-response set-header Hash-Validtrue if hash_valid >> http-response set-header Hash-Validfalse if !hash_valid > > Inserting a secret is left as an exercise to the reader. Properly using > the two ACLs to allow or deny requests is left as an exercise as well. Yep it's a good start, many thanks. > NOTE OF CAUTION: The code above is vulnerable to a timing attack, > because strcmp does not perform a constant time comparison. The 'hex' > converter is not constant time either. The correct way to add the secret > would be using HMAC which is not trivial to do (there is no ready > converter), if even possible. Thank you to raise this topic, I will keep it in mind. > Best regards > Tim Düsterhus Best regards Aleks
Re: Please help for a solution like secure_link
Aleks, Am 01.07.19 um 16:16 schrieb Aleksandar Lazic: > My Idea is to use something like this in haproxy but I'm not sure if haproxy > only or haproxy+lua is the way to go? If you are fine with sha1 then it's theoretically possible with HAProxy only: > http-request set-var(txn.sha1) url_param(sha1) > http-request set-var(txn.expires) url_param(expires) > http-request set-var(txn.expected_hash) > path,concat(,txn.expires,),sha1,hex > > acl hash_valid var(txn.expected_hash),strcmp(txn.sha1) -m int eq 0 > acl expired date,sub(txn.expires) ge 0 > > http-response set-header Date %[date] > http-response set-header Expires %[var(txn.expires)] > http-response set-header Expired %[date,sub(txn.expires)] if > expired > http-response set-header Not-Expired %[date,sub(txn.expires)] if > !expired>http-response set-header Given-Hash%[var(txn.sha1)] > http-response set-header Expected-Hash %[var(txn.expected_hash)] > http-response set-header Hash-Validtrue if hash_valid > http-response set-header Hash-Validfalse if !hash_valid Inserting a secret is left as an exercise to the reader. Properly using the two ACLs to allow or deny requests is left as an exercise as well. NOTE OF CAUTION: The code above is vulnerable to a timing attack, because strcmp does not perform a constant time comparison. The 'hex' converter is not constant time either. The correct way to add the secret would be using HMAC which is not trivial to do (there is no ready converter), if even possible. Best regards Tim Düsterhus
Please help for a solution like secure_link
Hi.
I try to implement with haproxy 1.8 the following solution.
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/serving-private-content-using-amazon-cloudfront-aws-lambdaedge/
https://www.nginx.com/blog/securing-urls-secure-link-module-nginx-plus/
https://nginx.org/en/docs/http/ngx_http_secure_link_module.html
In short.
The URL `https://host/secure/myfile?(...&)?md5=...=...` should be
validated.
```
# where engima is the password.
# Make sure you keep one space between $uri and password
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri enigma";
if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 410; }
```
It looks like similar to create a S3 download protection where the application
behind nginx/HAProxy create a MD5 URL which nginx/HAProxy needs to verify before
the client can download the file.
My Idea is to use something like this in haproxy but I'm not sure if haproxy
only or haproxy+lua is the way to go?
ENV SECRET=enigma
```
http-request set-var(sess.md5) url_param(md5)
http-request set-var(sess.expires) url_param(expires)
# is there any md5 function, I haven't seen it in the doc.
acl allow -m str
%[md5(url-without-params,sess.expires,"${SECRET}"),base64,regsub(/=/,'',g),regsub(/+/,
'-',g),regsub(/\//,'_',g)] %[sess.md5]
acl expired -m int %[date(-3600)] %[sess.expires]
http-request deny deny_status 403 if ! allow ! expired
http-request deny deny_status 410 if expired # <= this is not possible AFAIK
http-request allow if allow
```
How difficult is it to make the
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.1-base64
compliant https://tools.ietf.org/html/rfc4648#section-5
That's the code from nginx for ngx_decode_base64url.
http://hg.nginx.org/nginx/file/tip/src/core/ngx_string.c#l1228
Any opinions and thanks for help?
Best regards
Aleks
