http-auth-hmac #

HMAC-signed URL authentication for nginx — verify shared-secret signatures on request paths to grant time-limited access to private resources.

Source: upstream source

Directives

auth_hmac #

syntax: auth_hmac 1 arg (on/off flag);  ·  context: http, server, location

Example in Perl below. #### Variable $data contains secure token, timestamp in ISO 8601 format, and expiration period in seconds A similar function in PHP Using Unix timestamp in Node.js Bash version Embedded Variables ================== * $auth_hmac - If the hash is correct and the link has not expired then $secure_link_hash is "1".

auth_hmac_algorithm #

syntax: auth_hmac_algorithm 1 arg (string);  ·  context: http, server, location

Stores a single string value.

auth_hmac_check_time #

syntax: auth_hmac_check_time 1+ args;  ·  context: http, server, location

Validates a timestamp value against an expiration range, format, and time zone.

auth_hmac_check_token #

syntax: auth_hmac_check_token 1 arg;  ·  context: http, server, location

Validates the HMAC token value, accepting hex, base64, base64url, or binary formats.

auth_hmac_message #

syntax: auth_hmac_message 1 arg;  ·  context: http, server, location

Defines the message content that gets HMAC-verified.

auth_hmac_secret #

syntax: auth_hmac_secret 1 arg;  ·  context: http, server, location

Configures the secret key used to compute the HMAC.

Example

location ^~ /files/ {
    # Enables the feature, if disabled, $auth_hmac will always be empty
    auth_hmac on;

    # Set the time value used for checking.
    # You can set the expiration time range, the format of the time value, and the time zone of the time value
    auth_hmac_check_time $arg_ts range_end=$arg_e format=%s;

    # Set the token value used for checking
    # Available formats are hex (default), base64, base64url and bin
    auth_hmac_check_token $arg_st format=hex;

    # Secret key
    auth_hmac_secret "my_secret_key";

    # Message to be verified
    auth_hmac_message "$uri|$arg_ts|$arg_e";

    # Cryptographic hash function to be used
    auth_hmac_algorithm sha256;

    # In production environment, we should not reveal to potential attacker
    # why hmac authentication has failed
    # - If the hash is incorrect then $auth_hmac is a NULL string.
    # - If the hash is correct and the link has not expired then $auth_hmac is "1".
    if ($auth_hmac != "1") {
        return 403;
    }

    rewrite ^/files/(.*)$ /files/$1 break;
}

↑ back to index