Nginx-0.7.18


#1

Changes with nginx 0.7.18 13 Oct 2008

*) Change: the "underscores_in_headers" directive; now nginx does not
   allow underscores in client request header line names.

*) Feature: the ngx_http_secure_link_module.

*) Feature: the "real_ip_header" directive supports any header.

*) Feature: the "log_subrequest" directive.

*) Feature: the $realpath_root variable.

*) Feature: the "http_502" and "http_504" parameters of the
   "proxy_next_upstream" directive.

*) Bugfix: the "http_503" parameter of the "proxy_next_upstream" or
   "fastcgi_next_upstream" directives did not work.

*) Bugfix: nginx might send a "Transfer-Encoding: chunked" header line
   for HEAD requests.

*) Bugfix: now accept threshold depends on worker_connections.

#2

Great!

2008/10/13 Igor S. removed_email_address@domain.invalid:


#3

Igor S. wrote:

*) Feature: the ngx_http_secure_link_module.
*) Feature: the "log_subrequest" directive.

Any idea when we’ll have documentation on these new features?

Phillip B Oldham
The Activity People


#4

Hi Igor,

I downloaded and installed the new version.

Headers are as follows:

HTTP/1.1 200 OK
Server: nginx/0.7.19
Date: Mon, 13 Oct 2008 15:04:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6
Content-Encoding: gzip

I’m a little confused by the version.

Jim


#5

On Mon, Oct 13, 2008 at 03:36:05PM +0100, Phillip B Oldham wrote:

Igor S. wrote:

*) Feature: the ngx_http_secure_link_module.
*) Feature: the “log_subrequest” directive.

Any idea when we’ll have documentation on these new features?

The “log_subrequest on|off” allows to log subrequests in access_log.

The ngx_http_secure_link_module allows to create a secure link as
/prefix/hash/link, where

  1. prefix is any symbols except “/”;
  2. hash is md5(link, secret),
    the secret is set by secure_link_secret directive;
  3. and link is some link to secure.

Example:

 location /p/ {
     secure_link_secret  some_secret;

     if ($secure_link = "") {
         return 403;
     }
 }

The $secure_link variable is equal to a link if a hash is valid,
otherwise it is “”.


#6

On Mon, Oct 13, 2008 at 11:09:49AM -0400, Jim O. wrote:

Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6
Content-Encoding: gzip

I’m a little confused by the version.

Sorry, this is my second error for today.
First I’ve uploaded old 0.7.18 tarball, then I’ve uploaded modern 0.7.18
with incremented version. I’ve just released correct 0.7.19 tarball.


#7

Igor S. wrote:

The ngx_http_secure_link_module allows to create a secure link as
/prefix/hash/link, where

  1. prefix is any symbols except “/”;
  2. hash is md5(link, secret),
    the secret is set by secure_link_secret directive;
  3. and link is some link to secure.

lighttpd has a similar feature with an additional possibility to specify
a timeout: http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSecDownload

The timeout would be a nice addition to nginx, because otherwise once
someone has received the “secure link” he can pass it around to other
people and it will never expire.

Steffen


#8

Igor S. wrote:

The ngx_http_secure_link_module allows to create a secure
link as…

[…]

lighttpd has a similar feature with an additional possibility to specify
a timeout: http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSecDownload

I was just wondering is this similar to lighty’s mod_secdownload.
I used this feature on one of my site so I definitely will test
this feature soon. Perhaps next week.

The timeout would be a nice addition to nginx, because otherwise once
someone has received the “secure link” he can pass it around to other
people and it will never expire.

Spot on. Combination of both options allow dynamically generated
link that expires at a predetermined interval. I second this
feature.


#9

Igor S. wrote:

The unique links should be created using X-Accel-Redirect, however,
I will probably add timestamps.

Using X-Accel-Redirect requires that either a) you do not have a
dedicated download-server in addition to your webserver or b) your
download-server has access to your (user) database.

The nice thing about a timeout value like in lighttpd’s mod_secdownload
is that your download-server does not even need a connection to your
database and therefore can be located anywhere you can imagine: You just
let an application running on your webserver create a secret link and
your lighttpd-download-server can validate this request completely on
its own.

So: Yes, a timeout value would be useful. :)

Steffen


#10

I have set a secure link:
 location /dl/
 {
     secure_link_secret lhm;
     if ($secure_link == "") {
         return 503;
     }
 }

Then
md5(dllhm)=91fe55efd557140f7a32f7f7c1c74aa3

Then access it through
http://host/91fe55efd557140f7a32f7f7c1c74aa3/dl/, but get a 404.

Any thing wrong?

2008/10/13 Igor S. removed_email_address@domain.invalid:


#11

On Mon, Oct 13, 2008 at 05:56:47PM +0200, Steffen W. wrote:

a timeout: http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSecDownload

The timeout would be a nice addition to nginx, because otherwise once
someone has received the “secure link” he can pass it around to other
people and it will never expire.

The current use of the module is not to create unique expiring links,
but to validate redirecting or proxying URLs such as

http://www.example.com/click/XXXXX/frod.site.com/foobar/

The unique links should be created using X-Accel-Redirect, however,
I will probably add timestamps.


#12

Also not right.
I can not get the right thing.
Can you give me an example?

2008/10/14 Anton Y. removed_email_address@domain.invalid:


#13

On Tue, Oct 14, 2008 at 04:10:58PM +0800, lhmwzy wrote:

Also not right.
I can not get the right thing.
Can you give me an example?

You also need a “rewrite” to replace an URL with a link itself only:

 location /dl/ {
     secure_link_secret lhm;
     if ($secure_link = "") {
         return 403;
     }

     root  /path/to/files;

     rewrite  ^   $secure_link  break;
 }


#14

Still not ok…
I am confused…

2008/10/14 Igor S. removed_email_address@domain.invalid:


#15

On 14.10.2008 08:53, lhmwzy wrote:

Then
md5(dllhm)=91fe55efd557140f7a32f7f7c1c74aa3

Then access it through
http://host/91fe55efd557140f7a32f7f7c1c74aa3/dl/,but get a 404.

URL should be under location /d1/ e. g.

http://host/d1/7a701b100383d50fc2995ed264add62a/some_url_to_protected_resource

$ echo -n some_url_to_protected_resourcelhm | md5
7a701b100383d50fc2995ed264add62a
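
The scheme described in this thread (hash = md5 of the link concatenated with the secret, URL laid out as /prefix/hash/link), as an added Python example that is not part of the original posts and is not nginx's own code. The function names and the URI-splitting rule are assumptions modeled on the descriptions above; `secure_link()` mirrors the `$secure_link` variable by returning the link or an empty string.

```python
import hashlib
import hmac


def link_hash(link: str, secret: str) -> str:
    # Same input as `echo -n <link><secret> | md5` in the thread.
    return hashlib.md5((link + secret).encode("utf-8")).hexdigest()


def make_secure_link(prefix: str, link: str, secret: str) -> str:
    """Build /prefix/hash/link; the prefix must not contain '/'."""
    if not prefix or "/" in prefix:
        raise ValueError("prefix must be non-empty and contain no '/'")
    return f"/{prefix}/{link_hash(link, secret)}/{link}"


def secure_link(uri: str, secret: str) -> str:
    """Model of $secure_link: the link if the hash is valid, otherwise ""."""
    parts = uri.split("/", 3)          # ['', prefix, hash, link]
    if len(parts) != 4 or parts[0] or not parts[1] or not parts[3]:
        return ""
    given, link = parts[2], parts[3]
    expected = link_hash(link, secret)
    # Constant-time comparison so the check does not leak how many
    # leading hash characters matched.
    ok = hmac.compare_digest(given.encode("utf-8"), expected.encode("utf-8"))
    return link if ok else ""


if __name__ == "__main__":
    secret = "lhm"                      # secret used in the thread's examples
    uri = make_secure_link("dl", "files/report.pdf", secret)  # constructed link
    print(uri)
    print(repr(secure_link(uri, secret)))            # the link itself
    print(repr(secure_link(uri + ".bak", secret)))   # link altered -> ""
    print(repr(secure_link(uri, "other_secret")))    # wrong secret -> ""
    # Nothing time-dependent enters the hash, so the same URI keeps
    # validating until the secret is changed.
```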


#16

On Tue, Oct 14, 2008 at 12:57:36PM +0400, Igor S. wrote:

On Tue, Oct 14, 2008 at 04:40:29PM +0800, lhmwzy wrote:

Still not ok…
I am confused…

  • rewrite ^ $secure_link break;
  • rewrite ^ /$secure_link break;

#17

OK.
Here is my config:

 location /dll/
 {
     secure_link_secret lhm;
     if ($secure_link = "") {
         return 403;
     }
     rewrite ^ /$secure_link break;
 }

Then request a directory under dll
/dll/dl/

md5(dllhm)=91fe55efd557140f7a32f7f7c1c74aa3

use “http://host/dll/91fe55efd557140f7a32f7f7c1c74aa3/dl” to
request, right?

Then get “403 Forbidden”

Any thing is wrong?

2008/10/14 Igor S. removed_email_address@domain.invalid:


#18

On Tue, Oct 14, 2008 at 04:40:29PM +0800, lhmwzy wrote:

Still not ok…
I am confused…

What do you get 404 or 403 ?
If the former, what in your error_log ?


#19

On Tue, Oct 14, 2008 at 05:13:31PM +0800, lhmwzy wrote:

    }

Any thing is wrong?

Do you have index file in /dll/dl/ ? Or autoindex enabled ?


#20

My configure parameter:

--user=www --group=www --prefix=/usr/local/nginx
--with-http_stub_status_module --with-http_ssl_module --with-md5=/usr
--with-http_gzip_static_module --with-http_secure_link_module
--with-http_realip_module --with-poll_module

2008/10/14 lhmwzy removed_email_address@domain.invalid: