Mercurial > hg > nginx-site

diff xml/en/docs/http/ngx_http_secure_link_module.xml @ 830:42750c1b8d1b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Secure_link: documented newer operation mode.
author Ruslan Ermilov <ru@nginx.com>
date Mon, 04 Feb 2013 18:13:55 +0400
parents 764fbac1b8b4
children 95c3c3bbf1ce
line wrap: on
line diff
--- a/xml/en/docs/http/ngx_http_secure_link_module.xml	Mon Feb 04 08:31:37 2013 +0000
+++ b/xml/en/docs/http/ngx_http_secure_link_module.xml	Mon Feb 04 18:13:55 2013 +0400
@@ -10,13 +10,35 @@
 <module name="Module ngx_http_secure_link_module"
         link="/en/docs/http/ngx_http_secure_link_module.html"
         lang="en"
-        rev="1">
+        rev="2">
 
 <section id="summary">
 
 <para>
-The <literal>ngx_http_secure_link_module</literal> module (0.7.18+) checks
-the validity of the requested link.
+The <literal>ngx_http_secure_link_module</literal> module (0.7.18)
+allows to check authenticity of requested links,
+protect resources from unauthorized access,
+and limit lifetime of links.
+</para>
+
+<para>
+The authenticity of a requested link is verified by comparing the
+checksum value passed in a request with the value computed
+for the request.
+If link has a limited lifetime and the time has expired,
+the link is considered outdated.
+Status of these checks is made available in the
+<var>$secure_link</var> variable.
+</para>
+
+<para>
+The module provides two alternative operation modes.
+The first mode is enabled by the <link id="secure_link_secret"/>
+directive and allows to check authenticity of requested links
+as well as protect resources from unauthorized access.
+The second mode (0.8.50) is enabled by the
+<link id="secure_link"/> and <link id="secure_link_md5"/>
+directives, and also allows to limit lifetime of links.
 </para>
 
 <para>
@@ -28,44 +50,170 @@
 </section>
 
 
-<section id="example" name="Example Configuration">
+<section id="directives" name="Directives">
+
+<directive name="secure_link">
+<syntax><value>expression</value></syntax>
+<default/>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+
+<para>
+Defines a string with variables from which the
+checksum value and lifetime of a link are to be extracted.
+</para>
+
+<para>
+Variables used in an <value>expression</value> are usually associated
+with a request; see <link id="secure_link_md5">example</link> below.
+</para>
+
+<para>
+Checksum value extracted from the string is compared with
+MD5 hash value computed for expression defined by the
+<link id="secure_link_md5"/> directive.
+If checksums are different, the <var>$secure_link</var> variable
+is set to an empty string.
+If checksums are the same, lifetime of a link is checked.
+If link has a limited lifetime and the time has expired,
+the <var>$secure_link</var> variable is set to “<literal>0</literal>”.
+Otherwise, it is set to “<literal>1</literal>”.
+MD5 hash value passed in a request is encoded in
+<link url="http://tools.ietf.org/html/rfc4648#section-5">base64url</link>.
+</para>
 
 <para>
+If link has a limited lifetime, an expiration time
+is set in seconds since Epoch (Thu, 01 Jan 1970 00:00:00 GMT).
+The value is specified in an expression after MD5 hash,
+and is separated by comma.
+An expiration time passed in a request is made available in
+the <var>$secure_link_expires</var> variable for use in
+the <link id="secure_link_md5"/> directive.
+If expiration time is not specified, a link has unlimited
+lifetime.
+</para>
+
+</directive>
+
+
+<directive name="secure_link_md5">
+<syntax><value>expression</value></syntax>
+<default/>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+
+<para>
+Defines an expression for which the MD5 hash value is to
+be computed and compared with the value passed in a request.
+</para>
+
+<para>
+An expression should contain the secured part of a link (resource)
+and a secret ingredient.
+If link has a limited lifetime,
+an expression should also contain <var>$secure_link_expires</var>.
+</para>
+
+<para>
+To prevent unauthorized access, an expression may contain some
+information about the client, such as its address and version
+of the browser.
+</para>
+
+<para>
+Example:
 <example>
-location /p/ {
-    secure_link_secret some_secret_word;
+location /s/ {
+    secure_link $arg_md5,$arg_expires;
+    secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
 
     if ($secure_link = "") {
         return 403;
     }
+
+    if ($secure_link = "0") {
+        return 410;
+    }
+
+    ...
 }
 </example>
+The link
+“<literal>/s/link?md5=_e4Nc3iduzkWRm01TBBNYw&amp;expires=2147483647</literal>”
+restricts access to “<literal>/s/link</literal>” for the client with IP address
+127.0.0.1.
+The link also has a limited lifetime until January 19, 2038 (GMT).
+</para>
+
+<para>
+On UNIX, the <value>md5</value> request argument value can be obtained as:
+<example>
+echo -n '2147483647/s/link127.0.0.1 secret' | \
+    openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
+</example>
 </para>
 
-</section>
+</directive>
 
 
-<section id="directives" name="Directives">
-
 <directive name="secure_link_secret">
 <syntax><value>word</value></syntax>
 <default/>
 <context>location</context>
 
 <para>
-Defines a secret <value>word</value> used to check the validity of the link.
-The full URL of the protected link looks as follows:
+Defines a secret <value>word</value> used to check authenticity
+of requested links.
+</para>
+
+<para>
+The full URI of a requested link looks as follows:
 <example>
-/prefix/<value>hash</value>/<value>link</value>
+/<value>prefix</value>/<value>hash</value>/<value>link</value>
 </example>
-where <value>hash</value> is computed as
-<example>
-md5(link, secret_word);
-</example>
+where <value>hash</value> is a hexadecimal representation of an
+MD5 hash computed for the concatenation of link and secret word,
+and <value>prefix</value> is an arbitrary string without slashes.
+</para>
+
+<para>
+If requested link passes the authenticity check,
+the <var>$secure_link</var> variable is set to the link
+extracted from the request URI.
+Otherwise, the <var>$secure_link</var> variable
+is set to an empty string.
 </para>
 
 <para>
-A prefix is an arbitrary string not including a slash.
+Example:
+<example>
+location /p/ {
+    secure_link_secret secret;
+
+    if ($secure_link = "") {
+        return 403;
+    }
+
+    rewrite ^ /secure/$secure_link;
+}
+
+location /secure/ {
+    internal;
+}
+</example>
+A request of “<literal>/p/5e814704a28d9bc1914ff19fa0c4a00a/link</literal>”
+will be internally redirected to
+“<literal>/secure/link</literal>”.
+</para>
+
+<para>
+On UNIX, the hash value for this example can be obtained as:
+<example>
+echo -n 'linksecret' | openssl md5 -hex
+</example>
 </para>
 
 </directive>
@@ -76,12 +224,19 @@
 <section id="variables" name="Embedded Variables">
 
 <para>
-<list type="tag">
+<list type="tag" compact="no">
 
 <tag-name><var>$secure_link</var></tag-name>
 <tag-desc>
-equals to the link extracted from the full URL.
-If hash is incorrect, this variable is set to an empty string.
+Status of a link check.
+The specific value depends on the selected operation mode.
+</tag-desc>
+
+<tag-name><var>$secure_link_expires</var></tag-name>
+<tag-desc>
+Lifetime of a link passed in a request;
+intended to be used only in the
+<link id="secure_link_md5"/> directive.
 </tag-desc>
 
 </list>