http-auth-hmac #
HMAC-signed URL authentication for nginx — verify shared-secret signatures on request paths to grant time-limited access to private resources.
Source: upstream source
Directives
auth_hmac #
syntax: auth_hmac 1 arg (on/off flag); · context: http, server, location
Example in Perl below. #### Variable $data contains secure token, timestamp in ISO 8601 format, and expiration period in seconds A similar function in PHP Using Unix timestamp in Node.js Bash version Embedded Variables ================== * $auth_hmac - If the hash is correct and the link has not expired then $secure_link_hash is "1".
auth_hmac_algorithm #
syntax: auth_hmac_algorithm 1 arg (string); · context: http, server, location
Stores a single string value.
auth_hmac_check_time #
syntax: auth_hmac_check_time 1+ args; · context: http, server, location
Validates a timestamp value against an expiration range, format, and time zone.
auth_hmac_check_token #
syntax: auth_hmac_check_token 1 arg; · context: http, server, location
Validates the HMAC token value, accepting hex, base64, base64url, or binary formats.
auth_hmac_message #
syntax: auth_hmac_message 1 arg; · context: http, server, location
Defines the message content that gets HMAC-verified.
auth_hmac_secret #
syntax: auth_hmac_secret 1 arg; · context: http, server, location
Configures the secret key used to compute the HMAC.
Example
location ^~ /files/ {
# Enables the feature, if disabled, $auth_hmac will always be empty
auth_hmac on;
# Set the time value used for checking.
# You can set the expiration time range, the format of the time value, and the time zone of the time value
auth_hmac_check_time $arg_ts range_end=$arg_e format=%s;
# Set the token value used for checking
# Available formats are hex (default), base64, base64url and bin
auth_hmac_check_token $arg_st format=hex;
# Secret key
auth_hmac_secret "my_secret_key";
# Message to be verified
auth_hmac_message "$uri|$arg_ts|$arg_e";
# Cryptographic hash function to be used
auth_hmac_algorithm sha256;
# In production environment, we should not reveal to potential attacker
# why hmac authentication has failed
# - If the hash is incorrect then $auth_hmac is a NULL string.
# - If the hash is correct and the link has not expired then $auth_hmac is "1".
if ($auth_hmac != "1") {
return 403;
}
rewrite ^/files/(.*)$ /files/$1 break;
}