Forum: NGINX nginx-0.7.18

Igor S. (Guest)
on 2008-10-13 17:34
(Received via mailing list)
Changes with nginx 0.7.18                                        13 Oct 2008

    *) Change: the "underscores_in_headers" directive; now nginx does not
       allow underscores in a client request header line names.

    *) Feature: the ngx_http_secure_link_module.

    *) Feature: the "real_ip_header" directive supports any header.

    *) Feature: the "log_subrequest" directive.

    *) Feature: the $realpath_root variable.

    *) Feature: the "http_502" and "http_504" parameters of the
       "proxy_next_upstream" directive.

    *) Bugfix: the "http_503" parameter of the "proxy_next_upstream" or
       "fastcgi_next_upstream" directives did not work.

    *) Bugfix: nginx might send a "Transfer-Encoding: chunked" header line
       for HEAD requests.

    *) Bugfix: now accept threshold depends on worker_connections.
lhmwzy (Guest)
on 2008-10-13 18:10
(Received via mailing list)
Great!

2008/10/13 Igor S. <removed_email_address@domain.invalid>:
Phillip B Oldham (Guest)
on 2008-10-13 18:44
(Received via mailing list)
Igor S. wrote:
>     *) Feature: the ngx_http_secure_link_module.
>     *) Feature: the "log_subrequest" directive.
>
Any idea when we'll have documentation on these new features?

--

*Phillip B Oldham*
The Activity People
removed_email_address@domain.invalid 
<mailto:removed_email_address@domain.invalid>

Igor S. (Guest)
on 2008-10-13 19:04
(Received via mailing list)
On Mon, Oct 13, 2008 at 03:36:05PM +0100, Phillip B Oldham wrote:

> Igor S. wrote:
> >    *) Feature: the ngx_http_secure_link_module.
> >    *) Feature: the "log_subrequest" directive.
> >
> Any idea when we'll have documentation on these new features?

The "log_subrequest on|off" allows to log subrequests in access_log.

The ngx_http_secure_link_module allows to create a secure link as
/prefix/hash/link, where

1) prefix is any symbols except "/";
2) hash is md5(link, secret),
   the secret is set by secure_link_secret directive;
3) and link is some link to secure.

Example:

     location /p/ {
         secure_link_secret  some_secret;

         if ($secure_link = "") {
             return 403;
         }
     }

The $secure_link variable is equal to a link if a hash is valid,
otherwise it is "".
Jim O. (Guest)
on 2008-10-13 19:18
(Received via mailing list)
Hi Igor,

I downloaded and installed the new version.

Headers are as follows:

HTTP/1.1 200 OK
Server: nginx/0.7.19
Date: Mon, 13 Oct 2008 15:04:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6
Content-Encoding: gzip

I'm  a little confused by the version.

Jim
Igor S. (Guest)
on 2008-10-13 19:29
(Received via mailing list)
On Mon, Oct 13, 2008 at 11:09:49AM -0400, Jim O. wrote:

> Transfer-Encoding: chunked
> Connection: keep-alive
> Keep-Alive: timeout=20
> X-Powered-By: PHP/5.2.6
> Content-Encoding: gzip
>
> I'm  a little confused by the version.

Sorry, this is my second error for today.
First I've uploaded old 0.7.18 tarball, then I've uploaded modern 0.7.18
with incremented version. I've just released correct 0.7.19 tarball.
Steffen W. (Guest)
on 2008-10-13 20:06
(Received via mailing list)
Igor S. wrote:
> The ngx_http_secure_link_module allows to create a secure link as
> /prefix/hash/link, where
>
> 1) prefix is any symbols except "/";
> 2) hash is md5(link, secret),
>    the secret is set by secure_link_secret directive;
> 3) and link is some link to secure.

lighttpd has a similar feature with an additional possibility to specify
a timeout: http://redmine.lighttpd.net/wiki/lighttpd/Docs:Mod...

The timeout would be a nice addition to nginx, because otherwise once
someone has received the "secure link" he can pass it around to other
people and it will never expire.

Steffen
Hendry Lee (Guest)
on 2008-10-13 20:25
(Received via mailing list)
> Igor S. wrote:
> > The ngx_http_secure_link_module allows to create a secure
> link as..

[...]

> lighttpd has a similar feature with an additional
> possibility to specify
> a timeout:
> http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSecDownload
>

I was just wondering is this similar to lighty's mod_secdownload.
I used this feature on one of my site so I definitely will test
this feature soon. Perhaps next week.

> The timeout would be a nice addition to nginx, because
> otherwise once
> someone has received the "secure link" he can pass it around
> to other
> people and it will never expire.
>

Spot on. Combination of both options allow dynamically generated
link that expires at a predetermined interval. I second this
feature.
Igor S. (Guest)
on 2008-10-13 21:21
(Received via mailing list)
On Mon, Oct 13, 2008 at 05:56:47PM +0200, Steffen W. wrote:

> a timeout: http://redmine.lighttpd.net/wiki/lighttpd/Docs:Mod...
>
> The timeout would be a nice addition to nginx, because otherwise once
> someone has received the "secure link" he can pass it around to other
> people and it will never expire.

The current use of the module is not to create unique expiring links,
but to validate redirecting or proxying URLs such as

http://www.example.com/click/XXXXX/frod.site.com/foobar/

The unique links should be created using X-Accel-Redirect, however,
I will probably add timestamps.
Steffen W. (Guest)
on 2008-10-13 22:39
(Received via mailing list)
Igor S. wrote:
> The unique links should be created using X-Accel-Redirect, however,
> I will probably add timestamps.

Using X-Accel-Redirect requires that either a) you do not have a
dedicated download-server in addition to your webserver or b) your
download-server has access to your (user) database.

The nice thing about a timeout value like in lighttpd's mod_secdownload
is that your download-server does not even need a connection to your
database and therefore can be located anywhere you can imagine: You just
let an application running on your webserver create a secret link and
your lighttpd-download-server can validate this request completely on
its own.

So: Yes, a timeout value would be useful. :)

Steffen
lhmwzy (Guest)
on 2008-10-14 09:03
(Received via mailing list)
I have set a secure link:
  location /dl/
        {
         secure_link_secret  lhm;
            if ($secure_link == "") {
                        return 503;
             }
        }


Then
md5(dllhm)=91fe55efd557140f7a32f7f7c1c74aa3

Then access it through
http://host/91fe55efd557140f7a32f7f7c1c74aa3/dl/,but get a 404.

Any thing wrong?

2008/10/13 Igor S. <removed_email_address@domain.invalid>:
Anton Y. (Guest)
on 2008-10-14 11:29
(Received via mailing list)
On 14.10.2008 08:53, lhmwzy wrote:
> Then
> md5(dllhm)=91fe55efd557140f7a32f7f7c1c74aa3
>
> Then access it through
> http://host/91fe55efd557140f7a32f7f7c1c74aa3/dl/,but get a 404.
>

URL should be under location /d1/ e. g.

http://host/d1/7a701b100383d50fc2995ed264add62a/so...

$ echo -n some_url_to_protected_resourcelhm | md5
7a701b100383d50fc2995ed264add62a
lhmwzy (Guest)
on 2008-10-14 12:19
(Received via mailing list)
Also not right.
I can not get the right thing.
Can you give me an example?

2008/10/14 Anton Y. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-14 12:38
(Received via mailing list)
On Tue, Oct 14, 2008 at 04:10:58PM +0800, lhmwzy wrote:

> Also not right.
> I can not get the right thing.
> Can you give me an example?

You also need a "rewrite" to replace an URL with a link itself only:

   location /dl/ {
        secure_link_secret  lhm;
        if ($secure_link = "") {
            return 403;
        }

        root  /path/to/files;

        rewrite  ^   $secure_link  break;
   }
lhmwzy (Guest)
on 2008-10-14 12:52
(Received via mailing list)
Still not ok.........
I am confused.......

2008/10/14 Igor S. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-14 13:09
(Received via mailing list)
On Tue, Oct 14, 2008 at 04:40:29PM +0800, lhmwzy wrote:

> Still not ok.........
> I am confused.......

What do you get 404 or 403 ?
If the former,  what in your error_log ?
Igor S. (Guest)
on 2008-10-14 13:11
(Received via mailing list)
On Tue, Oct 14, 2008 at 12:57:36PM +0400, Igor S. wrote:

> On Tue, Oct 14, 2008 at 04:40:29PM +0800, lhmwzy wrote:
>
> > Still not ok.........
> > I am confused.......

-    rewrite  ^   $secure_link   break;
+    rewrite  ^   /$secure_link  break;
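Review bot: the `+` line rewrites to `/$secure_link`, which drops the location prefix, so the request is served from the document root plus the link alone. If the protected files are stored under the prefix directory, the target needs the prefix as well (for a `/dll/` location that is `/dll/$secure_link`); a one-line comment next to the rewrite stating which layout it assumes would avoid the confusion.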
lhmwzy (Guest)
on 2008-10-14 13:23
(Received via mailing list)
OK.
Here is my config:
.........
  location /dll/
        {
          secure_link_secret  lhm;
               if ($secure_link = "") {
                             return 403;
              }
           rewrite ^ /$secure_link  break;
        }
............

Then request a directory under dll
/dll/dl/

md5(dllhm)=91fe55efd557140f7a32f7f7c1c74aa3

use "http://host/dll/91fe55efd557140f7a32f7f7c1c74aa3/dl" to
request,right?

Then get "403 Forbidden"

Any thing is wrong?

2008/10/14 Igor S. <removed_email_address@domain.invalid>:
lhmwzy (Guest)
on 2008-10-14 13:26
(Received via mailing list)
My configure parameter:

--user=www --group=www --prefix=/usr/local/nginx
--with-http_stub_status_module --with-http_ssl_module --with-md5=/usr
--with-http_gzip_static_module --with-http_secure_link_module
--with-http_realip_module --with-poll_module

2008/10/14 lhmwzy <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-14 13:44
(Received via mailing list)
On Tue, Oct 14, 2008 at 05:13:31PM +0800, lhmwzy wrote:

>         }
>
> Any thing is wrong?

Do you have index file in /dll/dl/ ? Or autoindex enabled ?
lhmwzy (Guest)
on 2008-10-14 15:47
(Received via mailing list)
Yes,I put a index.html file in dl directory.

2008/10/14 Igor S. <removed_email_address@domain.invalid>:
lhmwzy (Guest)
on 2008-10-14 17:19
(Received via mailing list)
I think the $secure_link is not right.
when change

                if ($secure_link = "") {
                              return 403;
               }

to


                if ($secure_link = "") {
                              return 500;
               }
then the error is always 500 error.
Thus we can say the $secure_link=""?

2008/10/14 lhmwzy <removed_email_address@domain.invalid>:
lhmwzy (Guest)
on 2008-10-15 04:08
(Received via mailing list)
Any body try "ngx_http_secure_link_module" and successful?
Please give me a hint.

2008/10/14 lhmwzy <removed_email_address@domain.invalid>:
lhmwzy (Guest)
on 2008-10-15 17:32
(Received via mailing list)
Still can not configure "ngx_http_secure_link_module" successfully...

2008/10/15 lhmwzy <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 16:43
(Received via mailing list)
Attachment: patch.secure_link (0 Bytes)
On Wed, Oct 15, 2008 at 09:21:55PM +0800, lhmwzy wrote:

> Still can not configure "ngx_http_secure_link_module" successfully...

The module did not work if link was less than 3 symbols ("dl").
The attached patch should fix the bug.
lhmwzy (Guest)
on 2008-10-21 17:07
(Received via mailing list)
OK.
The dir structure is:
wwwroot/dll/dl/index.html

the www root is wwwroot.
I put the following to nginx.conf

server {

  .............
        location /dll/
        {
            secure_link_secret  some;

             if ($secure_link = "") {
                 return 500;
           }
        }

..........
}

Then I request through
http://host/dll/cb691d768d21d59719ef7ed3b2ecaf4e/dl
Also get a 500 error page.

md5(somedl)=cb691d768d21d59719ef7ed3b2ecaf4e

2008/10/21 Igor S. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 17:13
(Received via mailing list)
On Tue, Oct 21, 2008 at 08:58:57PM +0800, lhmwzy wrote:

>         location /dll/
>
> Then I request through
> http://host/dll/cb691d768d21d59719ef7ed3b2ecaf4e/dl
> Also get a 500 error page.
>
> md5(somedl)=cb691d768d21d59719ef7ed3b2ecaf4e

Have you tried the attached patch ?

BTW, /dll/3373757a24a035b9d157d97468401a19/dl/index.html
should work without patch.
lhmwzy (Guest)
on 2008-10-21 17:20
(Received via mailing list)
YES.I have tried the patch through.
But I think there must be something wrong.
Here is my configure:

./configure --user=www --group=www --prefix=/usr/local/nginx
--with-http_stub_status_module --with-http_ssl_module --with-md5=/usr
--with-http_gzip_static_module --with-http_realip_module
--with-poll_module --with-http_secure_link_module


2008/10/21 Igor S. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 17:40
(Received via mailing list)
On Tue, Oct 21, 2008 at 09:11:44PM +0800, lhmwzy wrote:

> YES.I have tried the patch through.
> But I think there must be something wrong.
> Here is my configure:
>
> ./configure --user=www --group=www --prefix=/usr/local/nginx
> --with-http_stub_status_module --with-http_ssl_module --with-md5=/usr
> --with-http_gzip_static_module --with-http_realip_module
> --with-poll_module --with-http_secure_link_module

Have you tried

/dll/3373757a24a035b9d157d97468401a19/dl/index.html

?
lhmwzy (Guest)
on 2008-10-21 17:46
(Received via mailing list)
I tried:

/dll/3373757a24a035b9d157d97468401a19/dl/index.html

also get a 500 error page.
Igor S. (Guest)
on 2008-10-21 18:01
(Received via mailing list)
On Tue, Oct 21, 2008 at 08:58:57PM +0800, lhmwzy wrote:

>         location /dll/
>
> Then I request through
> http://host/dll/cb691d768d21d59719ef7ed3b2ecaf4e/dl
> Also get a 500 error page.
>
> md5(somedl)=cb691d768d21d59719ef7ed3b2ecaf4e

You should use
md5(dlsome) = 1f5239a316bd9ee50d2bce5cfa011ed0
lhmwzy (Guest)
on 2008-10-21 18:08
(Received via mailing list)
Also a 500 error page.

2008/10/21 Igor S. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 18:12
(Received via mailing list)
On Tue, Oct 21, 2008 at 10:01:48PM +0800, lhmwzy wrote:

> Also a 500 error page.

/dll/d66423000cfdc233b5517b582babb46e/dl/index.html

?
lhmwzy (Guest)
on 2008-10-21 18:13
(Received via mailing list)
Here is my page:
http://www.dydoor.net/dll/1f5239a316bd9ee50d2bce5c...

2008/10/21 lhmwzy <removed_email_address@domain.invalid>:
lhmwzy (Guest)
on 2008-10-21 18:14
(Received via mailing list)
Sorry,the page should be

http://www.dydoor.net/dll/1f5239a316bd9ee50d2bce5c...

2008/10/21 lhmwzy <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 18:17
(Received via mailing list)
On Tue, Oct 21, 2008 at 10:08:32PM +0800, lhmwzy wrote:

> Sorry,the page should be
>
> http://www.dydoor.net/dll/1f5239a316bd9ee50d2bce5c...

No, page should be

http://www.dydoor.net/dll/d66423000cfdc233b5517b58...

as MD5 ("dl/index.htmlsome") = d66423000cfdc233b5517b582babb46e

and it seems to work (404).
lhmwzy (Guest)
on 2008-10-21 18:19
(Received via mailing list)
/dll/d66423000cfdc233b5517b582babb46e/dl/index.html
get a 404 error.

/dll/d66423000cfdc233b5517b582babb46e/dl/
get a 500 error.

I'm sure there is a file named index.html in dll/dl/.

2008/10/21 Igor S. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 18:23
(Received via mailing list)
On Tue, Oct 21, 2008 at 10:12:59PM +0800, lhmwzy wrote:

> /dll/d66423000cfdc233b5517b582babb46e/dl/index.html
> get a 404 error.
>
> /dll/d66423000cfdc233b5517b582babb46e/dl/
> get a 500 error.
>
> I'm sure there is a file named index.html in dll/dl/.

What is in error_log ?
Igor S. (Guest)
on 2008-10-21 18:23
(Received via mailing list)
On Tue, Oct 21, 2008 at 10:12:59PM +0800, lhmwzy wrote:

> /dll/d66423000cfdc233b5517b582babb46e/dl/index.html
> get a 404 error.
>
> /dll/d66423000cfdc233b5517b582babb46e/dl/
> get a 500 error.
>
> I'm sure there is a file named index.html in dll/dl/.

Probably you missed

     rewrite  ^   /$secure_link  break;
lhmwzy (Guest)
on 2008-10-21 18:26
(Received via mailing list)
But it should display the content of index.html,not a 404 page.
So we should use a hash like md5(link/file, secret),not  md5(link,
secret)?

2008/10/21 Igor S. <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 18:33
(Received via mailing list)
On Tue, Oct 21, 2008 at 10:19:37PM +0800, lhmwzy wrote:

> But it should display the content of index.html,not a 404 page.
> So we should use a hash like md5(link/file, secret),not  md5(link, secret)?

The secure link is

/prefix/hash/any/thing/here

hash = md5(any/thing/heresecret)
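
The scheme described in the reply above, as an added Python example (not code from nginx or from any poster in this thread): it builds a `/prefix/hash/link` URL with `hash = md5(link + secret)` and models how `$secure_link` would evaluate for several requests. The function names are assumptions, the secret and paths are the sample values used in the thread, and the checker follows the behaviour described here rather than the module's source.

```python
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_secure_link(prefix: str, link: str, secret: str) -> str:
    """Return /prefix/hash/link where hash = md5(link + secret)."""
    if not prefix or "/" in prefix:
        raise ValueError("prefix must be non-empty and must not contain '/'")
    if not link or link.startswith("/"):
        raise ValueError("link is the part after the hash, without a leading '/'")
    return f"/{prefix}/{_md5_hex(link + secret)}/{link}"


def check_secure_link(uri: str, secret: str) -> str:
    """Model of $secure_link: the link if the hash is valid, otherwise ""."""
    parts = uri.split("/", 3)  # ["", prefix, hash, link]
    if len(parts) != 4 or parts[0] != "" or not parts[1] or not parts[3]:
        return ""
    got, link = parts[2], parts[3]
    want = _md5_hex(link + secret)
    ok = hmac.compare_digest(got.encode("utf-8"), want.encode("utf-8"))
    return link if ok else ""


def demo() -> dict:
    secret = "some"          # secure_link_secret value used in the thread
    link = "dl/index.html"   # the whole link, file name included
    good = make_secure_link("dll", link, secret)
    file_hash = good.split("/")[2]
    return {
        "good": check_secure_link(good, secret),
        # Hash of the file link reused for the directory URL: link is now "dl/".
        "dir_with_file_hash": check_secure_link(f"/dll/{file_hash}/dl/", secret),
        # Hash computed as md5(secret + link): wrong concatenation order.
        "secret_first": check_secure_link(
            f"/dll/{_md5_hex(secret + link)}/{link}", secret),
        # Link edited after the hash was issued.
        "tampered": check_secure_link(
            good.replace("index.html", "other.html"), secret),
        # Verifier configured with a different secret.
        "wrong_secret": check_secure_link(good, "lhm"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value!r}")
```

Only the first case yields a non-empty link; every other request would hit the `if ($secure_link = "")` branch.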
lhmwzy (Guest)
on 2008-10-21 18:41
(Received via mailing list)
OK.Finally I get it.
Put  "rewrite  ^   /dll/$secure_link  break;" to the secure_link block;
But I have a question:
The hash must be md5(link/file,secret).
When the file changes,the hash should also change.
Can nginx make the hash to md5(link,secret)?then only the directory
name is the key to hash,not include the name of files under the
directory.
For example:
In my example,when access /dll/dl/,use the hash md5(dl,secret),not
md5(dl/file,secret).

2008/10/21 Igor S. <removed_email_address@domain.invalid>:
lhmwzy (Guest)
on 2008-10-21 18:45
(Received via mailing list)
or can add a directive to do this.
Only a suggestion.

2008/10/21 lhmwzy <removed_email_address@domain.invalid>:
Igor S. (Guest)
on 2008-10-21 19:04
(Received via mailing list)
On Tue, Oct 21, 2008 at 10:34:55PM +0800, lhmwzy wrote:

> md5(dl/file,secret).
No, the sense is to protect a whole link.
Thomas (Guest)
on 2008-11-10 17:06
(Received via mailing list)
>    *) Feature: the ngx_http_secure_link_module.
>
Is it possible to proxy the request?

I'd like to do something like this:
--
  location /dl/ {
       secure_link_secret  lhm;
       if ($secure_link = "") {
           return 403;
       }

       proxy_pass http://192.168.0.10:3000;

       rewrite  ^   $secure_link  break;
  }
--
Igor S. (Guest)
on 2008-11-10 19:16
(Received via mailing list)
On Mon, Nov 10, 2008 at 03:59:31PM +0100, Thomas wrote:

>        }
>     }
>
>     proxy_pass http://192.168.0.10:3000;
>
>     rewrite  ^   $secure_link  break;
> --

Yes, you may use something like this:

     proxy_pass http://192.168.0.10:3000/$secure_link;
Thomas (Guest)
on 2008-11-11 20:16
(Received via mailing list)
I tried to play with

but when I launch nginx I get the following error message:
--
[emerg] 27797#0: unknown directive "secure_link_secret" in
/usr/local/nginx/conf/website.conf
--

Here is my configuration file excerpt:
--
  location /secret/ {
    secure_link_secret some_secret;

    if ($secure_link = "") {
      return 403;
    }

    rewrite ^ /$secure_link break;
    proxy_pass http://website/$secure_link;
  }
--

Here is my configure:
--
./configure --with-http_ssl_module --with-http_gzip_static_module
--with-http_secure_link_module --with-poll_module
--with-pcre=../pcre-7.8 --with-http_flv_module
--sbin-path=/usr/sbin/nginx --prefix=/usr/local/nginx
--add-module=../nginx_mp4_streaming_lite --with-cc-opt='-O3'
--

Moreover I don't understand the following:
--
2) hash is md5(link, secret),
  the secret is set by secure_link_secret directive;
--
What is this secret thing? md5 cannot be decoded, so does this mean
that I have to hard code all my secret links inside Nginx'
configuration file?
Thomas (Guest)
on 2008-11-11 20:48
(Received via mailing list)
Damn' it! I'm having troubles with my $path or what? I started nginx by
specifying the full path, i.e: /usr/sbin/nginx, and now the correct
nginx started with the module compiled and I didn't have any error
messages.

I now have to understand how the secure_link_module works.