nginx-site: xml/en/docs/http/ngx_http_secure_link

comparison xml/en/docs/http/ngx_http_secure_link_module.xml @ 830:42750c1b8d1b

Secure_link: documented newer operation mode.

author	Ruslan Ermilov <ru@nginx.com>
date	Mon, 04 Feb 2013 18:13:55 +0400
parents	764fbac1b8b4
children	95c3c3bbf1ce

comparison

equal deleted inserted replaced

-:eb4f221921fa
+:42750c1b8d1b
 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
 <module name="Module ngx_http_secure_link_module"
 link="/en/docs/http/ngx_http_secure_link_module.html"
 lang="en"
-rev="1">
+rev="2">
 <section id="summary">
 <para>
-The <literal>ngx_http_secure_link_module</literal> module (0.7.18+) checks
+The <literal>ngx_http_secure_link_module</literal> module (0.7.18)
-the validity of the requested link.
+allows to check authenticity of requested links,
+protect resources from unauthorized access,
+and limit lifetime of links.
+</para>
+<para>
+The authenticity of a requested link is verified by comparing the
+checksum value passed in a request with the value computed
+for the request.
+If link has a limited lifetime and the time has expired,
+the link is considered outdated.
+Status of these checks is made available in the
+<var>$secure_link</var> variable.
+</para>
+<para>
+The module provides two alternative operation modes.
+The first mode is enabled by the <link id="secure_link_secret"/>
+directive and allows to check authenticity of requested links
+as well as protect resources from unauthorized access.
+The second mode (0.8.50) is enabled by the
+<link id="secure_link"/> and <link id="secure_link_md5"/>
+directives, and also allows to limit lifetime of links.
 </para>
 <para>
 This module is not built by default, it should be enabled with the
 <literal>--with-http_secure_link_module</literal>
 </para>
 </section>
-<section id="example" name="Example Configuration">
+<section id="directives" name="Directives">
-<para>
+<directive name="secure_link">
-<example>
+<syntax><value>expression</value></syntax>
-location /p/ {
+<default/>
-secure_link_secret some_secret_word;
+<context>http</context>
+<context>server</context>
+<context>location</context>
+<para>
+Defines a string with variables from which the
+checksum value and lifetime of a link are to be extracted.
+</para>
+<para>
+Variables used in an <value>expression</value> are usually associated
+with a request; see <link id="secure_link_md5">example</link> below.
+</para>
+<para>
+Checksum value extracted from the string is compared with
+MD5 hash value computed for expression defined by the
+<link id="secure_link_md5"/> directive.
+If checksums are different, the <var>$secure_link</var> variable
+is set to an empty string.
+If checksums are the same, lifetime of a link is checked.
+If link has a limited lifetime and the time has expired,
+the <var>$secure_link</var> variable is set to “<literal>0</literal>”.
+Otherwise, it is set to “<literal>1</literal>”.
+MD5 hash value passed in a request is encoded in
+<link url="http://tools.ietf.org/html/rfc4648#section-5">base64url</link>.
+</para>
+<para>
+If link has a limited lifetime, an expiration time
+is set in seconds since Epoch (Thu, 01 Jan 1970 00:00:00 GMT).
+The value is specified in an expression after MD5 hash,
+and is separated by comma.
+An expiration time passed in a request is made available in
+the <var>$secure_link_expires</var> variable for use in
+the <link id="secure_link_md5"/> directive.
+If expiration time is not specified, a link has unlimited
+lifetime.
+</para>
+</directive>
+<directive name="secure_link_md5">
+<syntax><value>expression</value></syntax>
+<default/>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+<para>
+Defines an expression for which the MD5 hash value is to
+be computed and compared with the value passed in a request.
+</para>
+<para>
+An expression should contain the secured part of a link (resource)
+and a secret ingredient.
+If link has a limited lifetime,
+an expression should also contain <var>$secure_link_expires</var>.
+</para>
+<para>
+To prevent unauthorized access, an expression may contain some
+information about the client, such as its address and version
+of the browser.
+</para>
+<para>
+Example:
+<example>
+location /s/ {
+secure_link $arg_md5,$arg_expires;
+secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
 if ($secure_link = "") {
 return 403;
 }
+if ($secure_link = "0") {
+return 410;
+}
+...
 }
 </example>
-</para>
+The link
+“<literal>/s/link?md5=_e4Nc3iduzkWRm01TBBNYw&amp;expires=2147483647</literal>”
-</section>
+restricts access to “<literal>/s/link</literal>” for the client with IP address
+127.0.0.1.
+The link also has a limited lifetime until January 19, 2038 (GMT).
-<section id="directives" name="Directives">
+</para>
+<para>
+On UNIX, the <value>md5</value> request argument value can be obtained as:
+<example>
+echo -n '2147483647/s/link127.0.0.1 secret' | \
+openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
+</example>
+</para>
+</directive>
 <directive name="secure_link_secret">
 <syntax><value>word</value></syntax>
 <default/>
 <context>location</context>
 <para>
-Defines a secret <value>word</value> used to check the validity of the link.
+Defines a secret <value>word</value> used to check authenticity
-The full URL of the protected link looks as follows:
+of requested links.
-<example>
+</para>
-/prefix/<value>hash</value>/<value>link</value>
-</example>
+<para>
-where <value>hash</value> is computed as
+The full URI of a requested link looks as follows:
 <example>
-md5(link, secret_word);
+/<value>prefix</value>/<value>hash</value>/<value>link</value>
 </example>
-</para>
+where <value>hash</value> is a hexadecimal representation of an
+MD5 hash computed for the concatenation of link and secret word,
-<para>
+and <value>prefix</value> is an arbitrary string without slashes.
-A prefix is an arbitrary string not including a slash.
+</para>
+<para>
+If requested link passes the authenticity check,
+the <var>$secure_link</var> variable is set to the link
+extracted from the request URI.
+Otherwise, the <var>$secure_link</var> variable
+is set to an empty string.
+</para>
+<para>
+Example:
+<example>
+location /p/ {
+secure_link_secret secret;
+if ($secure_link = "") {
+return 403;
+}
+rewrite ^ /secure/$secure_link;
+}
+location /secure/ {
+internal;
+}
+</example>
+A request of “<literal>/p/5e814704a28d9bc1914ff19fa0c4a00a/link</literal>”
+will be internally redirected to
+“<literal>/secure/link</literal>”.
+</para>
+<para>
+On UNIX, the hash value for this example can be obtained as:
+<example>
+echo -n 'linksecret' | openssl md5 -hex
+</example>
 </para>
 </directive>
 </section>
 <section id="variables" name="Embedded Variables">
 <para>
-<list type="tag">
+<list type="tag" compact="no">
 <tag-name><var>$secure_link</var></tag-name>
 <tag-desc>
-equals to the link extracted from the full URL.
+Status of a link check.
-If hash is incorrect, this variable is set to an empty string.
+The specific value depends on the selected operation mode.
 </tag-desc>
+<tag-name><var>$secure_link_expires</var></tag-name>
+<tag-desc>
+Lifetime of a link passed in a request;
+intended to be used only in the
+<link id="secure_link_md5"/> directive.
+</tag-desc>
 </list>
 </para>
 </section>

Mercurial > hg > nginx-site

comparison xml/en/docs/http/ngx_http_secure_link_module.xml @ 830:42750c1b8d1b