[b]To use the new version of secret_cookie module[/b]
In the nginx config, you can use the following directives:
+ secret_cookie [on/off] : Turn the module functionality on or off.
Note: If the module is turned off, all cookie checks will return true.
+ secret_cookie_def on/off name=NAME rule=RULE duration=DURATION salt=SALT ua_limit=UA_LIMIT log=on/off
This directive defines one secret_cookie check (you can define more than one as required). Each secret_cookie check can be set to on or off separately. The other settings are:
- NAME: Name of the cookie of interest.
- RULE: If a cookie with that name exists in the HTTP headers, the secret_cookie module will check it against this rule. The rule letters are: t = time to live, s = salt value, u = user agent, a = remote IP address. For example, rule=usat will check whether the content of the cookie of interest is the SHA hash of user agent + salt value + remote IP address + time to live. You can repeat a letter in the rule if required (for example, rule=susast adds the salt in several places).
- DURATION: The time for the cookie to live, in seconds. If the cookie is valid for 1 hour, then duration=3600. The duration check is only meaningful if the rule contains "time to live" (t).
- SALT: A random string that increases the security of the secret cookie. Only meaningful if the rule contains salt (s).
- UA_LIMIT: Sometimes the user agent can be very long, which causes problems for the secret_cookie check (more processing time, more memory, etc.). You can limit the check to only the first few bytes of the user agent. For example, ua_limit=25 means checking only the first 25 bytes.
- log=on/off: Turn the logging of secret_cookie checks on or off.
One example config with the secret_cookie module enabled:
[code]
# Turn secret_cookie module on
secret_cookie on;
# Duration: 1 day = 86400, 2 days = 172800, 3 days = 259200, 1 week = 604800
# Define AntiDoS cookie
secret_cookie_def on name=AntiDoS rule=sutas duration=86400 salt=2j3ns3a ua_limit=10 log=off;
# Define RestrictedArea cookie
secret_cookie_def on name=RestrictedArea rule=tsau duration=7200 salt=3nh3323 ua_limit=20 log=on;
# If AntiDoS cookie is not set, redirect to verification page
if ($secret_cookie_value !~ (AntiDoS)) {
    rewrite ^(.*)$ /verification/index.php;
}
location ~* /verification/.*\.php$ {
    # This is the verification location, where you should set up a PHP captcha for user/bot identification.
    # If the captcha is valid, assign the user an AntiDoS cookie which matches the above rule.
}
# These are protected areas, only Admin can enter
location ~* ^/(admin|forum/admincp)/ {
    # If RestrictedArea cookie is not set, then redirect to admin verification page
    if ($secret_cookie_value !~ (RestrictedArea)) {
        rewrite ^(.*)$ /admin_verification/index.php last;
    }
}
location ~* /admin_verification/.*\.php$ {
    # Again, this is a verification location, where you should set up a PHP captcha for admin identification.
    # If the captcha is valid, assign the admin a RestrictedArea cookie which matches the above rule.
}
[/code]
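The rule mechanism described above (letters t/s/u/a concatenated in rule order, then hashed) and the AntiDoS definition from the example config, worked through as an added example. This is not the module's own code: the page only says "sha value", so SHA-256 hex output, the time-to-live component being the time slot floor(now / duration) in decimal, and the user agent being cut to its first ua_limit bytes are all assumptions made here. The verification page that issues the cookie and the module that checks it must agree on exactly these encodings, whatever the real module uses.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Rule letters as documented: t = time to live, s = salt,
# u = user agent, a = remote IP address.
RULE_LETTERS = {"t", "s", "u", "a"}


@dataclass(frozen=True)
class SecretCookieDef:
    """One secret_cookie_def directive (name/rule/duration/salt/ua_limit)."""
    name: str
    rule: str
    duration: int                    # seconds the cookie stays valid
    salt: str
    ua_limit: Optional[int] = None   # keep only the first N bytes of the UA

    def __post_init__(self):
        if not self.rule or set(self.rule) - RULE_LETTERS:
            raise ValueError(f"rule may only use t/s/u/a: {self.rule!r}")
        if self.duration <= 0:
            raise ValueError("duration must be a positive number of seconds")


def material(cdef, user_agent, remote_addr, now):
    """Concatenate the rule's components in rule order (a letter may repeat).

    Assumed encodings, not taken from the module: the time-to-live component
    is the time slot floor(now / duration) in decimal, and the user agent is
    truncated to its first ua_limit bytes before hashing.
    """
    ua = user_agent.encode("utf-8")
    if cdef.ua_limit is not None:
        ua = ua[: cdef.ua_limit]
    parts = {
        "t": str(now // cdef.duration).encode("ascii"),
        "s": cdef.salt.encode("utf-8"),
        "u": ua,
        "a": remote_addr.encode("ascii"),
    }
    return b"".join(parts[ch] for ch in cdef.rule)


def make_cookie(cdef, user_agent, remote_addr, now):
    """Value the verification page would set after a passed captcha.
    SHA-256 hex is an assumption; the page only says 'sha value'."""
    return hashlib.sha256(material(cdef, user_agent, remote_addr, now)).hexdigest()


def check_cookie(cdef, presented, user_agent, remote_addr, now):
    """Recompute the expected value for this request and compare in constant time."""
    expected = make_cookie(cdef, user_agent, remote_addr, now)
    return hmac.compare_digest(expected, presented)


# Mirrors the AntiDoS line of the page's example config.
ANTI_DOS = SecretCookieDef(name="AntiDoS", rule="sutas", duration=86400,
                           salt="2j3ns3a", ua_limit=10)

if __name__ == "__main__":
    issued_at = 1_700_000_000                      # constructed timestamp
    ua = "Mozilla/5.0 (X11; Linux x86_64)"         # constructed user agent
    ip = "203.0.113.7"                             # constructed client address
    cookie = make_cookie(ANTI_DOS, ua, ip, issued_at)
    print("AntiDoS  =", cookie)
    print("same slot:", check_cookie(ANTI_DOS, cookie, ua, ip, issued_at + 60))
    print("next slot:", check_cookie(ANTI_DOS, cookie, ua, ip, issued_at + 86400))
    print("other IP :", check_cookie(ANTI_DOS, cookie, ua, "203.0.113.8", issued_at))
    # ua_limit=10 keeps only b"Mozilla/5.", so another browser still matches.
    print("other UA :", check_cookie(ANTI_DOS, cookie,
                                     "Mozilla/5.0 (Windows NT 10.0)", ip, issued_at))
```

Two points the run makes visible. With ua_limit=10 the u component is only "Mozilla/5.", which almost every browser shares, so the user agent adds nothing to the cookie's binding and only the salt, IP and time slot actually distinguish clients; pick a limit that still keeps distinguishing bytes. And under the slot model used here, a cookie issued near the end of a slot expires almost immediately, so whatever the real module does for its duration check, the issuing page and the check should use the same time encoding.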