Mercurial > hg > nginx-site

annotate xml/en/docs/http/ngx_http_secure_link_module.xml @ 830:42750c1b8d1b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Secure_link: documented newer operation mode.
author Ruslan Ermilov <ru@nginx.com>
date Mon, 04 Feb 2013 18:13:55 +0400
parents 764fbac1b8b4
children 95c3c3bbf1ce
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
1 <?xml version="1.0"?>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
2
580
be54c443235a Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents: 348
diff changeset
3 <!--
be54c443235a Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents: 348
diff changeset
4 Copyright (C) Igor Sysoev
be54c443235a Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents: 348
diff changeset
5 Copyright (C) Nginx, Inc.
be54c443235a Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents: 348
diff changeset
6 -->
be54c443235a Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents: 348
diff changeset
7
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
9
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
10 <module name="Module ngx_http_secure_link_module"
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
11 link="/en/docs/http/ngx_http_secure_link_module.html"
589
764fbac1b8b4 Added document revision.
Ruslan Ermilov <ru@nginx.com>
parents: 580
diff changeset
12 lang="en"
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
13 rev="2">
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
14
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
15 <section id="summary">
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
16
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
17 <para>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
18 The <literal>ngx_http_secure_link_module</literal> module (0.7.18)
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
19 allows to check authenticity of requested links,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
20 protect resources from unauthorized access,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
21 and limit lifetime of links.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
22 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
23
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
24 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
25 The authenticity of a requested link is verified by comparing the
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
26 checksum value passed in a request with the value computed
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
27 for the request.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
28 If link has a limited lifetime and the time has expired,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
29 the link is considered outdated.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
30 Status of these checks is made available in the
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
31 <var>$secure_link</var> variable.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
32 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
33
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
34 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
35 The module provides two alternative operation modes.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
36 The first mode is enabled by the <link id="secure_link_secret"/>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
37 directive and allows to check authenticity of requested links
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
38 as well as protect resources from unauthorized access.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
39 The second mode (0.8.50) is enabled by the
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
40 <link id="secure_link"/> and <link id="secure_link_md5"/>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
41 directives, and also allows to limit lifetime of links.
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
42 </para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
43
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
44 <para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
45 This module is not built by default, it should be enabled with the
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
46 <literal>--with-http_secure_link_module</literal>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
47 configuration parameter.
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
48 </para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
49
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
50 </section>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
51
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
52
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
53 <section id="directives" name="Directives">
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
54
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
55 <directive name="secure_link">
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
56 <syntax><value>expression</value></syntax>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
57 <default/>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
58 <context>http</context>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
59 <context>server</context>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
60 <context>location</context>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
61
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
62 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
63 Defines a string with variables from which the
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
64 checksum value and lifetime of a link are to be extracted.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
65 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
66
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
67 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
68 Variables used in an <value>expression</value> are usually associated
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
69 with a request; see <link id="secure_link_md5">example</link> below.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
70 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
71
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
72 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
73 Checksum value extracted from the string is compared with
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
74 MD5 hash value computed for expression defined by the
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
75 <link id="secure_link_md5"/> directive.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
76 If checksums are different, the <var>$secure_link</var> variable
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
77 is set to an empty string.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
78 If checksums are the same, lifetime of a link is checked.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
79 If link has a limited lifetime and the time has expired,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
80 the <var>$secure_link</var> variable is set to “<literal>0</literal>”.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
81 Otherwise, it is set to “<literal>1</literal>”.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
82 MD5 hash value passed in a request is encoded in
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
83 <link url="http://tools.ietf.org/html/rfc4648#section-5">base64url</link>.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
84 </para>
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
85
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
86 <para>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
87 If link has a limited lifetime, an expiration time
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
88 is set in seconds since Epoch (Thu, 01 Jan 1970 00:00:00 GMT).
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
89 The value is specified in an expression after MD5 hash,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
90 and is separated by comma.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
91 An expiration time passed in a request is made available in
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
92 the <var>$secure_link_expires</var> variable for use in
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
93 the <link id="secure_link_md5"/> directive.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
94 If expiration time is not specified, a link has unlimited
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
95 lifetime.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
96 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
97
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
98 </directive>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
99
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
100
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
101 <directive name="secure_link_md5">
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
102 <syntax><value>expression</value></syntax>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
103 <default/>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
104 <context>http</context>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
105 <context>server</context>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
106 <context>location</context>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
107
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
108 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
109 Defines an expression for which the MD5 hash value is to
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
110 be computed and compared with the value passed in a request.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
111 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
112
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
113 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
114 An expression should contain the secured part of a link (resource)
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
115 and a secret ingredient.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
116 If link has a limited lifetime,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
117 an expression should also contain <var>$secure_link_expires</var>.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
118 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
119
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
120 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
121 To prevent unauthorized access, an expression may contain some
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
122 information about the client, such as its address and version
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
123 of the browser.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
124 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
125
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
126 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
127 Example:
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
128 <example>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
129 location /s/ {
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
130 secure_link $arg_md5,$arg_expires;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
131 secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
132
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
133 if ($secure_link = "") {
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
134 return 403;
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
135 }
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
136
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
137 if ($secure_link = "0") {
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
138 return 410;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
139 }
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
140
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
141 ...
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
142 }
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
143 </example>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
144 The link
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
145 “<literal>/s/link?md5=_e4Nc3iduzkWRm01TBBNYw&amp;expires=2147483647</literal>”
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
146 restricts access to “<literal>/s/link</literal>” for the client with IP address
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
147 127.0.0.1.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
148 The link also has a limited lifetime until January 19, 2038 (GMT).
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
149 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
150
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
151 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
152 On UNIX, the <value>md5</value> request argument value can be obtained as:
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
153 <example>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
154 echo -n '2147483647/s/link127.0.0.1 secret' | \
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
155 openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
156 </example>
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
157 </para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
158
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
159 </directive>
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
160
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
161
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
162 <directive name="secure_link_secret">
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
163 <syntax><value>word</value></syntax>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
164 <default/>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
165 <context>location</context>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
166
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
167 <para>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
168 Defines a secret <value>word</value> used to check authenticity
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
169 of requested links.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
170 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
171
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
172 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
173 The full URI of a requested link looks as follows:
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
174 <example>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
175 /<value>prefix</value>/<value>hash</value>/<value>link</value>
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
176 </example>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
177 where <value>hash</value> is a hexadecimal representation of an
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
178 MD5 hash computed for the concatenation of link and secret word,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
179 and <value>prefix</value> is an arbitrary string without slashes.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
180 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
181
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
182 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
183 If requested link passes the authenticity check,
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
184 the <var>$secure_link</var> variable is set to the link
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
185 extracted from the request URI.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
186 Otherwise, the <var>$secure_link</var> variable
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
187 is set to an empty string.
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
188 </para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
189
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
190 <para>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
191 Example:
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
192 <example>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
193 location /p/ {
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
194 secure_link_secret secret;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
195
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
196 if ($secure_link = "") {
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
197 return 403;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
198 }
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
199
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
200 rewrite ^ /secure/$secure_link;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
201 }
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
202
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
203 location /secure/ {
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
204 internal;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
205 }
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
206 </example>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
207 A request of “<literal>/p/5e814704a28d9bc1914ff19fa0c4a00a/link</literal>”
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
208 will be internally redirected to
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
209 “<literal>/secure/link</literal>”.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
210 </para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
211
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
212 <para>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
213 On UNIX, the hash value for this example can be obtained as:
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
214 <example>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
215 echo -n 'linksecret' | openssl md5 -hex
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
216 </example>
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
217 </para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
218
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
219 </directive>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
220
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
221 </section>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
222
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
223
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
224 <section id="variables" name="Embedded Variables">
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
225
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
226 <para>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
227 <list type="tag" compact="no">
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
228
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
229 <tag-name><var>$secure_link</var></tag-name>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
230 <tag-desc>
830
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
231 Status of a link check.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
232 The specific value depends on the selected operation mode.
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
233 </tag-desc>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
234
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
235 <tag-name><var>$secure_link_expires</var></tag-name>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
236 <tag-desc>
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
237 Lifetime of a link passed in a request;
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
238 intended to be used only in the
42750c1b8d1b Secure_link: documented newer operation mode.
Ruslan Ermilov <ru@nginx.com>
parents: 589
diff changeset
239 <link id="secure_link_md5"/> directive.
348
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
240 </tag-desc>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
241
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
242 </list>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
243 </para>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
244
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
245 </section>
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
246
5a848934a12d English translation of ngx_http_geoip_module, ngx_http_map_module,
Ruslan Ermilov <ru@nginx.com>
parents:
diff changeset
247 </module>