Forum: NGINX nginx-0.8.50

Changes with nginx 0.8.50                                        02 Sep 
2010

    *) Feature: the "secure_link", "secure_link_md5", and
       "secure_link_expires" directives of the 
ngx_http_secure_link_module.

    *) Feature: the -q switch.
       Thanks to Gena Makhomed.

    *) Bugfix: worker processes may got caught in an endless loop during
       reconfiguration, if a caching was used; the bug had appeared in
       0.8.48.

    *) Bugfix: in the "gzip_disable" directive.
       Thanks to Derrick Petzold.

    *) Bugfix: nginx/Windows could not send stop, quit, reopen, and 
reload
       signals to a process run in other session.


--
Igor Sysoev
http://sysoev.ru/en/

> Changes with nginx 0.8.50                                        02 Sep 
> 2010
>
>    *) Feature: the "secure_link", "secure_link_md5", and
>       "secure_link_expires" directives of the ngx_http_secure_link_module.

As already in the russian list ppl asked - could you explain the 
directives
(some wiki/doc update) or even quick config example.

Anyways thanks for the nice work Igor.

--
rr

On Thu, Sep 02, 2010 at 06:31:32PM +0300, Reinis Rozitis wrote:

> > Changes with nginx 0.8.50                                        02 Sep 
> > 2010
> >
> >    *) Feature: the "secure_link", "secure_link_md5", and
> >       "secure_link_expires" directives of the ngx_http_secure_link_module.
> 
> As already in the russian list ppl asked - could you explain the directives 
> (some wiki/doc update) or even quick config example.

These directive add a new mode of the module operation.
Here is configuration example:

        location /p/ {
            location ~ ^/p/(?<secure>[\w\-=]+,\d+)(?<file>/.+)$ {

                secure_link          $secure;
                secure_link_md5 
$secure_link_expires.$file.PASSWORD;
                secure_link_expires  on;

                if ($secure_link = "") {
                    return 403;
                }

                if ($secure_link == 0) {
                    return 410;
                }

                alias  /path/to$file;
            }

            return 404;

            error_page  403       /forbidden.html;
            error_page  404       /not_found.html;
            error_page  410  =403 /link_expired.html;
        }

The "secure_link" directive specifies how to get hash and optional
expiration time. The hash is md5 hash encoded in base64 for URIs
(i.e., where "+" and "/" are changed to "-" and "_"). The optional time
goes after ",".
You can set hash in a URI, in a query string ($arg_secure), or in a 
cookie
($cookie_secure).

The "secure_link_expires" directive specifies should the module test
the expiration time. You may add the time in URI, etc., but may not test 
it.
The $secure_link_expires variable has the time value exctracted by
"secure_link" directive.

The "secure_link_md5" directive specifies string for md5 hash.

The $secure_link variable has the following values:

""  - no valid link
"0" - expired link
"1" - valid link


--
Igor Sysoev
http://sysoev.ru/en/

On Thu, Sep 02, 2010 at 07:52:26PM +0400, Igor Sysoev wrote:

> 
>                 if ($secure_link = "") {
>             return 404;
> You can set hash in a URI, in a query string ($arg_secure), or in a cookie
> 
> ""  - no valid link
> "0" - expired link
> "1" - valid link

Now I see that the "secure_link_expires" directive is surplus here:
if we want to test expiration time, we can do using "if ($secure_link = 
0)".
So I will remove it in the next release.


--
Igor Sysoev
http://sysoev.ru/en/

the same problem as http://forum.nginx.org/read.php?2,125959

Posted at Nginx Forum: 
http://forum.nginx.org/read.php?2,126366,126588#msg-126588

Igor Sysoev Wrote:
-------------------------------------------------------
> Changes with nginx 0.8.50                         
>               02 Sep 2010
> 
>     *) Feature: the "secure_link",
> "secure_link_md5", and 
>        "secure_link_expires" directives of the
> ngx_http_secure_link_module.

Hello!

While this is a very welcome enhancement to this module I'm having a
hard time figuring out its correct usage. It appears (to me) that
there's a limitation (bug?) in the base64 decoding.

As a simple test case I use:

location ~ ^/a/(?[0-9a-zA-Z\+/=]+) {
  secure_link_md5 "a";
  secure_link "$key";
  if ($secure_link = "") {
    return 501;
  }
  if ($secure_link != "") {
    return 502;
  }
}

A request to http://127.0.01:8182/a/DMF1ucDxtqgxw5niaXcmYQ== then
returns 502 as expected.

However if I change from:
secure_link_md5 "a";
to:
secure_link_md5 "b";
and place a request to http://127.0.01:8182/a/kutf/uauL+w61xx3dTFXjw==
I receive a 501. I immediately thought is was the / in the base64
encoded data that caused this and tried to URL encode the base64 string
but it doesn't seem to work. I also tried using the "URL applications"
variant of Base 64 without any success.

What am I missing?



regards
MÃ¥rten Gustafson

Posted at Nginx Forum: 
http://forum.nginx.org/read.php?2,126366,128387#msg-128387

chids Wrote:
> What am I missing?

What I was missing was of course the ability to combined the
information:
> The hash is md5 hash encoded in base64 for URIs (i.e., where "+" and
"/" are changed to "-" and "_")

In combination with my location regex which didn't match on "-" and "_"

Sorry for not paying proper attention to what was already explained.



regards
MÃ¥rten

Posted at Nginx Forum: 
http://forum.nginx.org/read.php?2,126366,128410#msg-128410