Compatibility with ngx_http_secure_link_module

nginx-modules · Feb 24, 2019 · e612b04 · e612b04
1 parent ac9bd5a
commit e612b04
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -1,33 +1,33 @@
 Nginx HMAC Secure Link Module
---
+=============================
 
 Description:
---
+============
 
 The Nginx HMAC secure link module enhances the security and functionality of the standard secure link module.  
 Secure token is created using secure HMAC construction with an arbitrary hash algorithm supported by OpenSSL, e.g., `md5`, `sha1`, `sha256`, `sha512`. Furthermore, secure token is created as described in RFC2104, that is, `H(secret_key XOR opad,H(secret_key XOR ipad, message))` instead of a simple `MD5(secret_key,message, expire)`.
 
 Installation:
---
+=============
 
 You'll need to re-compile Nginx from source to include this module.  
 Modify your compile of Nginx by adding the following directive (modified to suit your path of course):
 
 Static module (built-in nginx binary)
 
-    ./configure --add-module=/absolute/path/to/nginx-hmac-secure-link
+    ./configure --add-module=/absolute/path/to/ngx_http_hmac_secure_link_module
 
 Dynamic nginx module `ngx_http_hmac_secure_link_module.so` module
 
-    ./configure --add-dynamic-module=/absolute/path/to/nginx-hmac-secure-link
+    ./configure --add-dynamic-module=/absolute/path/to/ngx_http_hmac_secure_link_module
 
 Build Nginx
 
     make
     make install
 
 Usage:
---
+======
 
 Message to be hashed is defined by `secure_link_hmac_message`, `secret_key` is given by `secure_link_hmac_secret`, and hashing algorithm H is defined by `secure_link_hmac_algorithm`.
 
@@ -40,7 +40,7 @@ Configuration example for server side.
 ```nginx
 location ^~ /files/ {
     # Variable to be passed are secure token, timestamp, expiration period (optional)
-    secure_link  $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac  $arg_st,$arg_ts,$arg_e;
 
     # Secret key
     secure_link_hmac_secret my_secret_key;
@@ -51,13 +51,13 @@ location ^~ /files/ {
     # Cryptographic hash function to be used
     secure_link_hmac_algorithm sha256;
 
-    # If the hash is incorrect then $secure_link is a null string.
-    # If the hash is correct but the link has already expired then $secure_link is zero.
-    # If the hash is correct and the link has not expired then $secure_link is one.
+    # If the hash is incorrect then $secure_link_hmac is a null string.
+    # If the hash is correct but the link has already expired then $secure_link_hmac is zero.
+    # If the hash is correct and the link has not expired then $secure_link_hmac is one.
 
     # In production environment, we should not reveal to potential attacker
     # why hmac authentication has failed
-    if ($secure_link != "1") {
+    if ($secure_link_hmac != "1") {
         return 404;
     }
 
@@ -108,7 +108,7 @@ $loc = "https://{$host}/files/top_secret.pdf?st={$hashmac}&ts={$timestamp}&e={$e
 
 It is also possible to use this module with a Nginx acting as proxy server.
 
-The string to be signed is defined in `secure_link_hmac_message`, the `secure_link_token` variable contains then a secure token to be passed to backend server.
+The string to be signed is defined in `secure_link_hmac_message`, the `secure_link_hmac_token` variable contains then a secure token to be passed to backend server.
 
 ```nginx
 location ^~ /backend_location/ {
@@ -118,14 +118,21 @@ location ^~ /backend_location/ {
     secure_link_hmac_secret "my_very_secret_key";
     secure_link_hmac_algorithm sha256;
 
-    proxy_pass "http://backend_server$uri?st=$secure_link_token&ts=$time_iso8601&e=$expire";
+    proxy_pass "http://backend_server$uri?st=$secure_link_hmac_token&ts=$time_iso8601&e=$expire";
 }
 ```
 
 
+Embedded Variables
+==================
+* `$secure_link_hmac` - 
+* `$secure_link_hmac_token` - 
+* `$secure_link_hmac_expires` - The lifetime of a link passed in a request.
+
+
 Contributing:
---
+=============
 
-Git source repositories: http://github.com/nginx-modules/nginx-hmac-secure-link/tree/master
+Git source repositories: http://github.com/nginx-modules/ngx_http_hmac_secure_link_module/tree/master
 
 Please feel free to fork the project at GitHub and submit pull requests or patches.
diff --git a/ngx_http_hmac_secure_link_module.c b/ngx_http_hmac_secure_link_module.c
@@ -35,7 +35,7 @@ static ngx_int_t ngx_http_secure_link_add_variables(ngx_conf_t *cf);
 
 static ngx_command_t  ngx_http_hmac_secure_link_commands[] = {
 
-    { ngx_string("secure_link"),
+    { ngx_string("secure_link_hmac"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_http_set_complex_value_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
@@ -99,13 +99,13 @@ ngx_module_t  ngx_http_hmac_secure_link_module = {
 
 
 static ngx_http_variable_t ngx_http_secure_link_vars[] = {
-    { ngx_string("secure_link"), NULL,
+    { ngx_string("secure_link_hmac"), NULL,
       ngx_http_secure_link_variable, 0, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("secure_link_expires"), NULL,
+    { ngx_string("secure_link_hmac_expires"), NULL,
       ngx_http_secure_link_expires_variable, 0, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("secure_link_token"), NULL,
+    { ngx_string("secure_link_hmac_token"), NULL,
       ngx_http_secure_link_token_variable, 0, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
     { ngx_null_string, NULL, NULL, 0, 0, 0}
@@ -124,7 +124,7 @@ ngx_http_secure_link_variable(ngx_http_request_t *r,
     u_char                        hash_buf[EVP_MAX_MD_SIZE], hmac_buf[EVP_MAX_MD_SIZE];
     u_int                         hmac_len;
     time_t                        timestamp, expires, gmtoff;
-    int_t                         year, month, mday, hour, min, sec, gmtoff_hour, gmtoff_min;
+    int                           year, month, mday, hour, min, sec, gmtoff_hour, gmtoff_min;
     char                          gmtoff_sign;
 
     conf = ngx_http_get_module_loc_conf(r, ngx_http_hmac_secure_link_module);
@@ -157,8 +157,10 @@ ngx_http_secure_link_variable(ngx_http_request_t *r,
                         sizeof("1970-09-28T12:00:00+06:00")-1, p);
 
         /* Parse timestamp in ISO8601 format */
-        if (sscanf((char *)p, "%d-%d-%dT%d:%d:%d%c%d:%d",
-                               &year, &month, &mday, &hour, &min, &sec,
+        if (sscanf((char *)p, "%4d-%02d-%02dT%02d:%02d:%02d%c%02d:%02d",
+                               (ngx_tm_year_t *) &year, (ngx_tm_mon_t *) &month,
+                               (ngx_tm_mday_t *) &mday, (ngx_tm_hour_t *) &hour,
+                               (ngx_tm_min_t *) &min, (ngx_tm_sec_t *) &sec,
                                &gmtoff_sign, &gmtoff_hour, &gmtoff_min) < 9) {
             goto not_found;
         }