Welcome! Log In Create A New Profile

Advanced

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

April 13, 2011 03:39AM
Hello there,

since the only option is to modify the C source code of nginx/src/http/modules/ngx_http_secure_link_module.c to support hexadecimal md5 encoding in addition to base64 encoding besides specifying an optional ttl value to add to expiration time (e.g. 3600 sec in example below) I made a patch to provide this functions in addition to the documented behavior.
It can be used with a variant of the the configuration Igor suggested:

location /get/ {
#location ~ ^/get/(?<HASH>[\w-=]+)/(?<TIME>\d+)(?<PATH>/.+)$ { # /get/<md5_base64>/<time_dec><path>
location ~ ^/get/(?<HASH>[[:xdigit:]]+)/(?<TIME>\d+)(?<PATH>/.+)$ { # /get/<md5_hex>/<time_dec><path>
set $PASS sn983pjcnhupclavsnda; # secret string

secure_link $HASH,$TIME+3600;
secure_link_md5 $PASS$PATH$TIME;

if ($secure_link = "") { # invalid
return 403;
}

if ($secure_link = 0) { # expired
return 410;
}

if ($secure_link = 1) { # correct
rewrite ^ /media$PATH last;
}
}

return 404;

error_page 403 /forbidden.html;
error_page 404 /not_found.html;
error_page 410 =403 /link_expired.html;
}

I would recommend to specify /media/ as internal location to make it accessible only for internal requests.
It should be noted that the time value here is in decimal encoding in opposition to lighttpd's mod_secure_dowload.c hexadecimal encoding, with the advantege that it can easily be created via nginx/src/http/modules/ngx_http_ssi_filter_module.c:

<!--#config timefmt="%s" --><!--# echo var="date_local" -->

With this example it should be possible to support software like flowplayer (maybe with additional mod_h264_streaming) without any serverside scripting requirements.

Since i suspect the diff to get corrupted by posting, here is the original: http://pastebin.com/Ln7bS48n

Maybe someone with more experience in C programming / nginx source can look over the following patch to nginx/src/http/modules/ngx_http_secure_link_module.c:


--- nginx.orig/src/http/modules/ngx_http_secure_link_module.c 2010-09-13 14:44:43.000000000 +0200
+++ nginx/src/http/modules/ngx_http_secure_link_module.c 2011-04-10 17:12:55.000000000 +0200
@@ -100,13 +100,15 @@
ngx_http_secure_link_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
- u_char *p, *last;
+ u_char *p, *q, *last;
ngx_str_t val, hash;
- time_t expires;
+ time_t expires, ttl;
ngx_md5_t md5;
ngx_http_secure_link_ctx_t *ctx;
ngx_http_secure_link_conf_t *conf;
u_char hash_buf[16], md5_buf[16];
+ ngx_int_t n;
+ ngx_uint_t i;

conf = ngx_http_get_module_loc_conf(r, ngx_http_secure_link_module);

@@ -128,16 +130,33 @@
last = val.data + val.len;

p = ngx_strlchr(val.data, last, ',');
+
expires = 0;
+ ttl = 0;

- if (p) {
- val.len = p++ - val.data;
+ if (p) { // expires
+ val.len = p - val.data;

- expires = ngx_atotm(p, last - p);
- if (expires <= 0) {
+ if (last - ++p < 0) {
goto not_found;
}

+ q = ngx_strlchr(p, last, '+');
+
+ if (q) { // ttl
+ if (last - ++q < 0 || (ttl = ngx_atotm(q, last - q)) < 0 || --q - p <= 0) {
+ goto not_found;
+ }
+ } else {
+ q = last;
+ }
+
+ if ((expires = ngx_atotm(p, q - p)) <= 0) {
+ goto not_found;
+ }
+
+ expires += ttl;
+
ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_secure_link_ctx_t));
if (ctx == NULL) {
return NGX_ERROR;
@@ -145,22 +164,26 @@

ngx_http_set_ctx(r, ctx, ngx_http_secure_link_module);

- ctx->expires.len = last - p;
+ ctx->expires.len = q - p;
ctx->expires.data = p;
}

- if (val.len > 24) {
- goto not_found;
- }
-
hash.len = 16;
hash.data = hash_buf;

- if (ngx_decode_base64url(&hash, &val) != NGX_OK) {
- goto not_found;
- }
-
- if (hash.len != 16) {
+ if (val.len == 32) { // hexadecimal md5
+ for (i = 0; i < 16; i++) {
+ n = ngx_hextoi(&val.data[2 * i], 2);
+ if (n == NGX_ERROR) {
+ goto not_found;
+ }
+ hash.data[i] = n;
+ }
+ } else if (val.len <= 24) { // base64 md5
+ if (ngx_decode_base64url(&hash, &val) != NGX_OK || hash.len != 16) {
+ goto not_found;
+ }
+ } else {
goto not_found;
}
Subject Author Posted

Migrating from Lighttpd : mod_secdownload show-stopper ?

thoseg February 10, 2011 11:16AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

thoseg February 10, 2011 11:25AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

vt February 10, 2011 11:26AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Robert La Ferla February 10, 2011 11:28AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

vt February 10, 2011 11:36AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Epstein June 09, 2011 11:54AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Francis Daly June 09, 2011 03:06PM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

thoseg February 10, 2011 11:50AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

vt February 10, 2011 11:56AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Robert La Ferla February 10, 2011 12:00PM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

vt February 10, 2011 12:36PM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Reinis Rozitis February 10, 2011 01:24PM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Pedro Melo February 11, 2011 04:58AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

thoseg February 22, 2011 05:03AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Francis Daly February 22, 2011 07:24AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Francis Daly February 23, 2011 04:48AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

ntr0py April 13, 2011 03:39AM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Igor Sysoev February 10, 2011 03:08PM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

Igor Sysoev February 10, 2011 03:28PM

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

António P. P. Almeida February 10, 2011 04:46PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 53
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready