I am trying to use the nginx secure link module http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
I want to make secure links.
No matter what I try, I cannot get it to work when I try to uses the expire time.
It works fine when I do a simple secure link based purely on the link, without also the expire time or the ip address.
Can anyone suggest what I am doing wrong?
thanks!
***********************************************************
The command to generate the key:
ubuntu@ip-172-31-34-191:/var/www$ echo -n '2147483647/html/index.html secret' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
FsRb_uu5NsagF0hA_Z-OQg
***********************************************************
The command that fails:
ubuntu@ip-172-31-34-191:/var/www$ curl http://127.0.0.1/html/index.html?md5=FsRb_uu5NsagF0hA_Z-OQgexpires=2147483647
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
***********************************************************
Here's the relevant part of the nginx conf file:
ubuntu@ip-172-31-34-191:/var/www$ sudo cat /etc/nginx/sites-enabled/theapp_nginx.conf
...SNIP
location /html/ {
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri secret";
if ($secure_link = "") {
return 403;
}
if ($secure_link = "0") {
return 410;
}
try_files $uri $uri/ =404;
}
...SNIP
***********************************************************
Here's the nginx version info:
ubuntu@ip-172-31-34-191:/var/www$ nginx -V
nginx version: nginx/1.14.2
built with OpenSSL 1.1.0g 2 Nov 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-x0ix7n/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-ndk --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-fancyindex --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/nchan --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-lua --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/rtmp --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-subs-filter
ubuntu@ip-172-31-34-191:/var/www$
I want to make secure links.
No matter what I try, I cannot get it to work when I try to uses the expire time.
It works fine when I do a simple secure link based purely on the link, without also the expire time or the ip address.
Can anyone suggest what I am doing wrong?
thanks!
***********************************************************
The command to generate the key:
ubuntu@ip-172-31-34-191:/var/www$ echo -n '2147483647/html/index.html secret' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
FsRb_uu5NsagF0hA_Z-OQg
***********************************************************
The command that fails:
ubuntu@ip-172-31-34-191:/var/www$ curl http://127.0.0.1/html/index.html?md5=FsRb_uu5NsagF0hA_Z-OQgexpires=2147483647
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
***********************************************************
Here's the relevant part of the nginx conf file:
ubuntu@ip-172-31-34-191:/var/www$ sudo cat /etc/nginx/sites-enabled/theapp_nginx.conf
...SNIP
location /html/ {
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri secret";
if ($secure_link = "") {
return 403;
}
if ($secure_link = "0") {
return 410;
}
try_files $uri $uri/ =404;
}
...SNIP
***********************************************************
Here's the nginx version info:
ubuntu@ip-172-31-34-191:/var/www$ nginx -V
nginx version: nginx/1.14.2
built with OpenSSL 1.1.0g 2 Nov 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-x0ix7n/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-ndk --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-fancyindex --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/nchan --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-lua --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/rtmp --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-subs-filter
ubuntu@ip-172-31-34-191:/var/www$