Hello there,
since the only option is to modify the C source code of
nginx/src/http/modules/ngx_http_secure_link_module.c to support
hexadecimal md5 encoding in addition to base64 encoding besides
specifying an optional ttl value to add to expiration time (e.g. 3600
sec in example below) I made a patch to provide this functions in
addition to the documented behavior.
It can be used with a variant of the the configuration Igor suggested:
location /get/ {
#location ~
^/get/(?[\w-=]+)/(?\d+)(?/.+)$ { #
/get/<md5_base64>/<time_dec>
location ~
^/get/(?[[:xdigit:]]+)/(?\d+)(?/.+)$ { #
/get/<md5_hex>/<time_dec>
set $PASS sn983pjcnhupclavsnda; # secret string
secure_link $HASH,$TIME+3600;
secure_link_md5 $PASS$PATH$TIME;
if ($secure_link = "") { # invalid
return 403;
}
if ($secure_link = 0) { # expired
return 410;
}
if ($secure_link = 1) { # correct
rewrite ^ /media$PATH last;
}
}
return 404;
error_page 403 /forbidden.html;
error_page 404 /not_found.html;
error_page 410 =403 /link_expired.html;
}
I would recommend to specify /media/ as internal location to make it
accessible only for internal requests.
It should be noted that the time value here is in decimal encoding in
opposition to lighttpd’s mod_secure_dowload.c hexadecimal encoding, with
the advantege that it can easily be created via
nginx/src/http/modules/ngx_http_ssi_filter_module.c:
With this example it should be possible to support software like
flowplayer (maybe with additional mod_h264_streaming) without any
serverside scripting requirements.
Since i suspect the diff to get corrupted by posting, here is the
original: http://pastebin.com/Ln7bS48n
Maybe someone with more experience in C programming / nginx source can
look over the following patch to
nginx/src/http/modules/ngx_http_secure_link_module.c:
— nginx.orig/src/http/modules/ngx_http_secure_link_module.c
2010-09-13
14:44:43.000000000 +0200
+++ nginx/src/http/modules/ngx_http_secure_link_module.c 2011-04-10
17:12:55.000000000 +0200
@@ -100,13 +100,15 @@
ngx_http_secure_link_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
- u_char *p, *q, *last;
ngx_str_t val, hash;
-
time_t expires, ttl;
ngx_md5_t md5;
ngx_http_secure_link_ctx_t *ctx;
ngx_http_secure_link_conf_t *conf;
u_char hash_buf[16], md5_buf[16];
-
ngx_int_t n;
-
ngx_uint_t i;
conf = ngx_http_get_module_loc_conf(r,
ngx_http_secure_link_module);
@@ -128,16 +130,33 @@
last = val.data + val.len;
p = ngx_strlchr(val.data, last, ',');
- if (p) { // expires
-
val.len = p - val.data;
-
if (last - ++p < 0) {
goto not_found;
}
-
q = ngx_strlchr(p, last, '+');
-
-
if (q) { // ttl
-
if (last - ++q < 0 || (ttl = ngx_atotm(q, last - q)) < 0 ||
–q - p <= 0) {
-
goto not_found;
-
}
-
} else {
-
q = last;
-
}
-
-
if ((expires = ngx_atotm(p, q - p)) <= 0) {
-
goto not_found;
-
}
-
-
expires += ttl;
-
ctx = ngx_pcalloc(r->pool,
sizeof(ngx_http_secure_link_ctx_t));
if (ctx == NULL) {
return NGX_ERROR;
@@ -145,22 +164,26 @@
ngx_http_set_ctx(r, ctx, ngx_http_secure_link_module);
- if (val.len == 32) { // hexadecimal md5
-
for (i = 0; i < 16; i++) {
-
n = ngx_hextoi(&val.data[2 * i], 2);
-
if (n == NGX_ERROR) {
-
goto not_found;
-
}
-
hash.data[i] = n;
-
}
- } else if (val.len <= 24) { // base64 md5
-
if (ngx_decode_base64url(&hash, &val) != NGX_OK || hash.len !=
- {
-
goto not_found;
-
}
- } else {
goto not_found;
}
Posted at Nginx Forum: