Hello, I've tried every possible way I can think of to make secure links
work with expires. I've tried different versions of nginx, I've tried on
Ubuntu, tried on Centos, tried generating the hash using openssl, tried
using Python. I've followed every tutorial I can find. So I must be doing
something really wrong.

I am trying to use the nginx secure link module
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html

I want to make secure links using expires.

No matter what I try, I cannot get it to work when I try to use the expire
time.

It works fine when I do a simple secure link based purely on the link,
without also the expire time or the IP address.

Can anyone suggest what I am doing wrong? Or can anyone point me to
instructions that show every detail of how to do it and have been recently
tested?

Thanks!

The command to generate the key:
ubuntu@ip-172-31-34-191:/var/www$ echo -n '2147483647/html/index.html secret' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
FsRb_uu5NsagF0hA_Z-OQg
The command that fails:
ubuntu@ip-172-31-34-191:/var/www$ curl http://127.0.0.1/html/index.html?md5=FsRb_uu5NsagF0hA_Z-OQgexpires=2147483647
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
Here's the relevant part of the nginx conf file:
ubuntu@ip-172-31-34-191:/var/www$ sudo cat /etc/nginx/sites-enabled/theapp_nginx.conf
...SNIP
    location /html/ {
        secure_link $arg_md5,$arg_expires;
        secure_link_md5 "$secure_link_expires$uri secret";
        if ($secure_link = "") {
            return 403;
        }
        if ($secure_link = "0") {
            return 410;
        }
        try_files $uri $uri/ =404;
    }
...SNIP
Here's the nginx version info:
ubuntu@ip-172-31-34-191:/var/www$ nginx -V
nginx version: nginx/1.14.2
built with OpenSSL 1.1.0g 2 Nov 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-fdebug-prefix-map=/build/nginx-x0ix7n/nginx-1.14.2=.
-fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro
-Wl,-z,now -fPIC' --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug
--with-pcre-jit --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_v2_module --with-http_dav_module --with-http_slice_module
--with-threads --with-http_addition_module --with-http_flv_module
--with-http_geoip_module=dynamic --with-http_gunzip_module
--with-http_gzip_static_module --with-http_image_filter_module=dynamic
--with-http_mp4_module --with-http_perl_module=dynamic
--with-http_random_index_module --with-http_secure_link_module
--with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic
--with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module
--with-stream_ssl_preread_module
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-headers-more-filter
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-auth-pam
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-cache-purge
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-dav-ext
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-ndk
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-echo
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-fancyindex
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/nchan
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-lua
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/rtmp
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-uploadprogress
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-upstream-fair
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-subs-filter
ubuntu@ip-172-31-34-191:/var/www$
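
Added example, not part of the original post and not nginx code: a Python sketch that builds a link for the secure_link_md5 expression "$secure_link_expires$uri secret" from the config above and checks it the way the 403/410 branches there expect. The names token, signed_url and check are hypothetical, and check is a simplified model of how $secure_link is set ("" for a bad or missing value, "0" for expired, "1" for valid); the "now" values in any call are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET = "secret"  # the literal used in secure_link_md5 on the page


def token(expires: int, uri: str, secret: str = SECRET) -> str:
    """base64url(md5("<expires><uri> <secret>")) with '=' padding removed."""
    raw = f"{expires}{uri} {secret}".encode()
    digest = hashlib.md5(raw).digest()  # 16 bytes, as the module expects
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def signed_url(uri: str, expires: int) -> str:
    """Build the link; md5 and expires are separate, '&'-delimited arguments."""
    query = urlencode({"md5": token(expires, uri), "expires": expires})
    return f"{uri}?{query}"


def check(url: str, now: int) -> str:
    """Simplified model of $secure_link: "" (reject), "0" (expired), "1" (ok)."""
    uri, _, query = url.partition("?")
    args = parse_qs(query)
    md5_arg = args.get("md5", [""])[0]      # what $arg_md5 would hold
    exp_arg = args.get("expires", [""])[0]  # what $arg_expires would hold
    # A missing or non-positive expiry makes the whole value invalid.
    if not exp_arg.isdigit() or int(exp_arg) <= 0:
        return ""
    expected = token(int(exp_arg), uri)
    # Constant-time comparison of the supplied and recomputed tokens.
    if not hmac.compare_digest(md5_arg.encode(), expected.encode()):
        return ""
    return "1" if int(exp_arg) >= now else "0"


if __name__ == "__main__":
    link = signed_url("/html/index.html", 2147483647)
    print(link, repr(check(link, now=1700000000)))
```

The string hashed by token must match the secure_link_md5 expression byte for byte, including the single space before the secret and the absence of a trailing newline.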