Nginx ngx_http_secure_link_module: a summary of its basic directives

Original article. When reposting, please credit the source and keep the original URL.

This post gives a brief introduction to nginx's ngx_http_secure_link_module. It covers the following directives: secure_link, secure_link_md5 and secure_link_secret.

The ngx_http_secure_link_module module (0.7.18) allows checking the authenticity of requested links, protecting resources from unauthorized access, and limiting the lifetime of links.

The authenticity of a requested link is verified by comparing the checksum passed in the request with the value computed for that request. If the link has a limited lifetime and that time has passed, the link is considered outdated. The status of these checks is made available in the $secure_link variable.

The module offers two alternative modes of operation. The first is enabled by the secure_link_secret directive and allows checking the authenticity of requested links and protecting resources from unauthorized access. The second (0.8.50) is enabled by the secure_link and secure_link_md5 directives and additionally allows limiting the lifetime of links.

This module is not built by default; it must be enabled with the --with-http_secure_link_module configure parameter.

Original nginx documentation:

The ngx_http_secure_link_module module (0.7.18) allows to check authenticity of requested links, protect resources from unauthorized access, and limit lifetime of links.

The authenticity of a requested link is verified by comparing the checksum value passed in a request with the value computed for the request. If link has a limited lifetime and the time has expired, the link is considered outdated. Status of these checks is made available in the $secure_link variable.

The module provides two alternative operation modes. The first mode is enabled by the secure_link_secret directive and allows to check authenticity of requested links as well as protect resources from unauthorized access. The second mode (0.8.50) is enabled by the secure_link and secure_link_md5 directives, and also allows to limit lifetime of links.

This module is not built by default, it should be enabled with the --with-http_secure_link_module configuration parameter.

1. secure_link

syntax: secure_link expression;
default: none
context: http, server, location

Defines a string with variables from which the checksum value and lifetime of a link are extracted.

Variables used in the expression are usually associated with the request; see the example below.

The checksum extracted from the string is compared with the MD5 hash computed for the expression set by the secure_link_md5 directive. If the checksums differ, the $secure_link variable is set to an empty string. If they match, the link's lifetime is checked. If the link has a limited lifetime and that time has passed, $secure_link is set to "0"; otherwise it is set to "1". The MD5 hash passed in the request is encoded in base64url.

If the link has a limited lifetime, the expiration time is given in seconds since the Epoch (Thu, 01 Jan 1970 00:00:00 GMT). The value follows the MD5 hash in the expression, separated by a comma. The expiration time passed in the request is made available in the $secure_link_expires variable for use in the secure_link_md5 directive. If no expiration time is specified, the link has an unlimited lifetime.

Original nginx documentation:

Defines a string with variables from which the checksum value and lifetime of a link are to be extracted.

Variables used in an expression are usually associated with a request; see example below.

Checksum value extracted from the string is compared with MD5 hash value computed for expression defined by the secure_link_md5 directive. If checksums are different, the $secure_link variable is set to an empty string. If checksums are the same, lifetime of a link is checked. If link has a limited lifetime and the time has expired, the $secure_link variable is set to “0”. Otherwise, it is set to “1”. MD5 hash value passed in a request is encoded in base64url.

If link has a limited lifetime, an expiration time is set in seconds since Epoch (Thu, 01 Jan 1970 00:00:00 GMT). The value is specified in an expression after MD5 hash, and is separated by comma. An expiration time passed in a request is made available in the $secure_link_expires variable for use in the secure_link_md5 directive. If expiration time is not specified, a link has unlimited lifetime.

2. secure_link_md5

syntax: secure_link_md5 expression;
default: none
context: http, server, location

Defines the expression for which the MD5 hash is computed and compared with the value passed in the request.

The expression should contain the secured part of the link (the resource) and a secret ingredient. If the link has a limited lifetime, the expression should also contain $secure_link_expires.

To prevent unauthorized access, the expression may also include information about the client, such as its address and browser version.

Example:

location /s/ {
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

    if ($secure_link = "") {
        return 403;
    }

    if ($secure_link = "0") {
        return 410;
    }

    ...
}

The link “/s/link?md5=_e4Nc3iduzkWRm01TBBNYw&expires=2147483647” restricts access to “/s/link” to the client with IP address 127.0.0.1, and it is only valid until January 19, 2038 (GMT).

On UNIX, the md5 request argument can be obtained as follows:

echo -n '2147483647/s/link127.0.0.1 secret' | \
    openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =

Original nginx documentation:

Defines an expression for which the MD5 hash value is to be computed and compared with the value passed in a request.

An expression should contain the secured part of a link (resource) and a secret ingredient. If link has a limited lifetime, an expression should also contain $secure_link_expires.

To prevent unauthorized access, an expression may contain some information about the client, such as its address and version of the browser.

Example:

location /s/ {
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

    if ($secure_link = "") {
        return 403;
    }

    if ($secure_link = "0") {
        return 410;
    }

    ...
}

The link “/s/link?md5=_e4Nc3iduzkWRm01TBBNYw&expires=2147483647” restricts access to “/s/link” for the client with IP address 127.0.0.1. The link also has a limited lifetime until January 19, 2038 (GMT).

On UNIX, the md5 request argument value can be obtained as:

echo -n '2147483647/s/link127.0.0.1 secret' | \
    openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
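The token generation and the server-side check from the example above, reproduced in Python as an added example (it is not code from the nginx documentation or from this post). It uses the page's expression "$secure_link_expires$uri$remote_addr secret" and its secret word "secret"; check_link returns the same three values nginx places in $secure_link for that configuration, and make_link is the issuing side that a link-signing service would implement.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Secret word and expression layout taken from the page's example:
#   secure_link     $arg_md5,$arg_expires;
#   secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
SECRET = "secret"


def secure_link_token(expires: int, uri: str, remote_addr: str) -> str:
    """MD5 of the secure_link_md5 expression, base64url-encoded with '=' padding stripped."""
    expression = f"{expires}{uri}{remote_addr} {SECRET}".encode()
    digest = hashlib.md5(expression).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(uri: str, remote_addr: str, expires: int) -> str:
    """Issuing side: build the signed URL handed to a client at remote_addr."""
    token = secure_link_token(expires, uri, remote_addr)
    return f"{uri}?md5={token}&expires={expires}"


def check_link(url: str, remote_addr: str, now: int) -> str:
    """Checking side: reproduce what nginx puts in $secure_link for the config above.

    ''  checksum mismatch, or no usable expires value after the comma
    '0' checksum matches but the link has expired
    '1' checksum matches and the link is still valid
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        given = query["md5"][0]
        expires = int(query["expires"][0])
    except (KeyError, ValueError):
        return ""
    if expires <= 0:  # a non-positive expires after the comma is rejected outright
        return ""
    expected = secure_link_token(expires, parts.path, remote_addr)
    # constant-time comparison so response timing does not reveal how many bytes matched
    if not hmac.compare_digest(given, expected):
        return ""
    return "0" if expires < now else "1"
```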

3. secure_link_secret

syntax: secure_link_secret word;
default: none
context: location

Defines a secret word used to check the authenticity of requested links.

The full URI of a requested link looks as follows:

/prefix/hash/link

where hash is the hexadecimal MD5 hash computed over the concatenation of link and the secret word, and prefix is an arbitrary string without slashes.

If the requested link passes the authenticity check, the $secure_link variable is set to the link extracted from the request URI; otherwise it is set to an empty string.

Example:

location /p/ {
    secure_link_secret secret;

    if ($secure_link = "") {
        return 403;
    }

    rewrite ^ /secure/$secure_link;
}

location /secure/ {
    internal;
}

A request for “/p/5e814704a28d9bc1914ff19fa0c4a00a/link” is internally redirected to “/secure/link”.

On UNIX, the hash value for this example can be obtained as follows:

echo -n 'linksecret' | openssl md5 -hex

Original nginx documentation:

Defines a secret word used to check authenticity of requested links.

The full URI of a requested link looks as follows:

/prefix/hash/link

where hash is a hexadecimal representation of an MD5 hash computed for the concatenation of link and secret word, and prefix is an arbitrary string without slashes.

If requested link passes the authenticity check, the $secure_link variable is set to the link extracted from the request URI. Otherwise, the $secure_link variable is set to an empty string.

Example:

location /p/ {
    secure_link_secret secret;

    if ($secure_link = "") {
        return 403;
    }

    rewrite ^ /secure/$secure_link;
}

location /secure/ {
    internal;
}

A request of “/p/5e814704a28d9bc1914ff19fa0c4a00a/link” will be internally redirected to “/secure/link”.

On UNIX, the hash value for this example can be obtained as:

echo -n 'linksecret' | openssl md5 -hex
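The secure_link_secret mode from the example above, as an added Python example that is not part of the original page or of nginx: it computes the hash segment over link + secret word, builds a /prefix/hash/link URI, and parses an incoming path the way the directive expects, returning the link on success and an empty string otherwise. It assumes the secret word "secret" and prefix "p" from the example; it works on the request path only.

```python
import hashlib
import hmac
import re

SECRET = "secret"  # the word given to secure_link_secret in the page's example

# /prefix/hash/link: prefix has no slashes, hash is 32 hex digits, link is everything after
_URI_RE = re.compile(r"^/([^/]*)/([0-9a-fA-F]{32})/(.+)$")


def secure_link_hash(link: str, secret: str = SECRET) -> str:
    """Hex MD5 over link + secret, the value expected in the hash path segment."""
    return hashlib.md5((link + secret).encode()).hexdigest()


def make_uri(prefix: str, link: str, secret: str = SECRET) -> str:
    """Issuing side: build the protected URI for link under the given prefix."""
    return f"/{prefix}/{secure_link_hash(link, secret)}/{link}"


def check_uri(uri: str, secret: str = SECRET) -> str:
    """Checking side: the value $secure_link takes for secure_link_secret.

    Returns the link extracted from the URI when the hash matches, '' otherwise.
    """
    match = _URI_RE.match(uri)
    if match is None:  # missing segment, empty link, or hash not 32 hex digits
        return ""
    _prefix, given_hash, link = match.groups()
    # accept upper- or lower-case hex; constant-time comparison against the expected digest
    if not hmac.compare_digest(given_hash.lower(), secure_link_hash(link, secret)):
        return ""
    return link
```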

Embedded variables

$secure_link

Status of the link check. Its specific value depends on the selected mode of operation.

$secure_link_expires

Lifetime of a link as passed in the request; intended for use only in the secure_link_md5 directive.

Original nginx documentation:

Embedded Variables

$secure_link

Status of a link check. The specific value depends on the selected operation mode.

$secure_link_expires

Lifetime of a link passed in a request; intended to be used only in the secure_link_md5 directive.
