Secure Link Md5 Implementation

pva
Trying to implement the secure link md5 token check.

Is there a way to verify a secure link, i.e. to generate a token using a secret
key and verify the token? If it matches, it should allow the request.
And also to allow requests whose token doesn't match, because while
rolling out the update it may happen that some client requests will
come without a token.
Those requests should also be allowed in the meantime, until all the clients are
updated with the new update enabling token-based authentication.

Secondly, is there a way to implement the token authentication with two
secret keys, i.e. primary and secondary,
so that if the first one did not work, then try the second one?
This would be helpful while changing the secret key in production, so that
some users will be allowed with the old secret and some with the new secret whose
client has been updated.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,275668#msg-275668

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Secure Link Md5 Implementation

pva
Update your web application, for example (PHP), first; then, however many hours
later, when all caches for your web application have cleared, restart your
Nginx so it only accepts secure links.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,275669#msg-275669

Re: Secure Link Md5 Implementation

pva
For validating all the m3u8, below is the configuration:

location ~ \.m3u8$ {
    # token and expiry time are taken from the query string
    secure_link $arg_token,$arg_expires;
    secure_link_md5 "appsecret$uri$arg_expires";

    if ($secure_link = "") { return 403; }   # token missing or not matching
    if ($secure_link = "0") { return 410; }  # token matches but has expired

    proxy_pass http://appserver:80;
}

What I need is a way to temporarily allow users who are not coming with
a token as well.
When we release the update of the app, it will not get updated for
everyone at once. So temporarily we want to allow users coming without a token as
well.
It should be accessible via both URLs below:

http://testapp.com/video/master.m3u8?token=xyz&exp=123

http://testapp.com/video/master.m3u8

Regards,
Anish

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,275672#msg-275672

Re: Secure Link Md5 Implementation

pva
Like I said before:

c0nw0nk Wrote:
-------------------------------------------------------
> Update your web application, for example (PHP), first; then, however many
> hours later, when all caches for your web application have cleared,
> restart your Nginx so it only accepts secure links.


Update your app first so your app outputs secured links.

Then when all caches and users are ready update Nginx config / restart Nginx
to force secured links only.

Both of your links

http://testapp.com/video/master.m3u8?token=xyz&exp=123

http://testapp.com/video/master.m3u8

will work without Nginx being updated. That's why you update your app outputs
first. Common sense: that way everyone gets to using the secured link without it
being secured, but your logs will show you accepting ?token &args.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,275679#msg-275679

Re: Secure Link Md5 Implementation

pva
Thanks.

But what about the next part, when we are actually in production and there
is a need to change the secret key on Nginx?

"Is there a way to implement the token authentication with two secret keys,
i.e. primary and secondary,
so that if the first one did not work, then try the second one?
This would be helpful while changing the secret key in production, so that
some users will be allowed with the old secret and some with the new secret whose
client has been updated."

Regards,
Anish

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,275685#msg-275685

Re: Secure Link Md5 Implementation

pva
Any update, please?
How to use two secret keys for Secure Link Md5?

Primary to be used by the application which is in production, and secondary for
the application build which has been rolled out with the changed secret key, i.e.
secondary.
So that the application should work in both scenarios in the meantime, until all the
users update the application.

Please help.
Inside location or server block:

secure_link $arg_tok,$arg_e;
secure_link_md5 "primarysecret$arg_tok$arg_e";
secure_link_md5 "secondarysecret$arg_tok$arg_e";
if ($secure_link = "") {return 405;}
if ($secure_link = "0"){return 410;}

This gives an error, as secure link md5 is used twice within a location block.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,276348#msg-276348

Re: Secure Link Md5 Implementation

Francis Daly
On Wed, Sep 13, 2017 at 08:05:14AM -0400, anish10dec wrote:

Hi there,

> How to use two secret Keys for Secure Link Md5.

the stock nginx secure_link module does not support multiple/alternate keys.

I have not tested, but I guess that maybe in your primary 'if
($secure_link = "") {' section you could "rewrite ^ /ex/$uri;" and then
have a new location{} that matches those requests and uses the secondary
secret key in its config.

(Or you could rewrite the module to do what you want; but that is probably
much more work.)

Good luck with it,

        f
--
Francis Daly        [hidden email]
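
Added example, not part of the thread and not nginx's own code: a Python model of the check discussed above, using the expression "appsecret$uri$arg_expires" from the first configuration. It shows how the application would generate the token, and how a verifier outside the stock module could try a primary and then a secondary secret and optionally admit untokened requests during a rollout; the function names, the sample secrets and the allow_untokened flag are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample secrets; real keys come from configuration.
PRIMARY = "primarysecret"
SECONDARY = "secondarysecret"


def make_token(secret, uri, expires):
    """Token for secure_link_md5 "<secret>$uri$arg_expires":
    base64url of the binary MD5 digest with '=' padding stripped."""
    digest = hashlib.md5(f"{secret}{uri}{expires}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_link(uri, token, expires, now, secrets=(PRIMARY, SECONDARY),
               allow_untokened=False):
    """Return (status, key_index): 200 ok, 403 bad or missing token, 410 expired.

    Follows the thread's mapping of $secure_link: "" -> 403, "0" -> 410.
    key_index says which secret matched, so old-key traffic can be counted
    before the old key is retired (None when no key matched).
    """
    if not token:
        # Rollout window from the thread: old clients send no token at all.
        return (200 if allow_untokened else 403), None
    try:
        expiry = int(expires)
    except (TypeError, ValueError):
        return 403, None
    for index, secret in enumerate(secrets):
        # Hash the raw expires string, as nginx substitutes it verbatim.
        expected = make_token(secret, uri, expires).encode()
        # Constant-time compare so response timing does not leak the token.
        if hmac.compare_digest(expected, token.encode()):
            return (410 if expiry < now else 200), index
    return 403, None
```

While allow_untokened is enabled the token protects nothing, since a request can simply omit it; a request that does carry a wrong token is still rejected.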