http-hmac-secure-link #
Nginx HMAC Secure Link Module
Source: upstream source
Directives
secure_link_hmac #
syntax: secure_link_hmac 1 arg; · context: http, server, location
Specifies the variable expression whose evaluated value must follow the format <token>,<timestamp>[,<expires>]. **The field separator is always a comma and is required between each field.** The comma is hardcoded in the module parser; no other separator is supported here.
secure_link_hmac_algorithm #
syntax: secure_link_hmac_algorithm 1 arg (string); · default: sha256 · context: http, server, location
The OpenSSL digest name used for the HMAC. Embedded Variables ------------------
secure_link_hmac_message #
syntax: secure_link_hmac_message 1 arg; · context: http, server, location
The message whose HMAC is to be verified. Must match exactly what the client used when computing the token. Typically includes the URI and the timestamp so that tokens are URL-specific and time-bound. **The separator between fields in the message is freely chosen by the operator and may be any byte or sequence of bytes** — pipe (|), colon
secure_link_hmac_secret #
syntax: secure_link_hmac_secret 1 arg; · context: http, server, location
The HMAC secret key. Keep this out of version control.
Example
location ^~ /files/ {
# The three comma-separated fields: token, timestamp, expires (seconds)
secure_link_hmac "$arg_st,$arg_ts,$arg_e";
# HMAC secret key
secure_link_hmac_secret "my_secret_key";
# The message that was signed: URI + timestamp + expiry
secure_link_hmac_message "$uri|$arg_ts|$arg_e";
# Hash algorithm
secure_link_hmac_algorithm sha256;
# In production, do not reveal whether the token was wrong or expired.
# $secure_link_hmac == "1" → valid and not expired
# $secure_link_hmac == "0" → valid but expired
# $secure_link_hmac unset → invalid / malformed
if ($secure_link_hmac != "1") {
return 403;
}
rewrite ^/files/(.*)$ /files/$1 break;
}