The ngx_http_secure_link_module module (0.7.18) allows to check authenticity of requested links, protect resources from unauthorized access, and limit lifetime of links.

The authenticity of a requested link is verified by comparing the checksum value passed in a request with the value computed for the request. If link has a limited lifetime and the time has expired, the link is considered outdated. Status of these checks is made available in the $secure_link variable.

The module provides two alternative operation modes. The first mode is enabled by the secure_link_secret directive and allows to check authenticity of requested links as well as protect resources from unauthorized access. The second mode (0.8.50) is enabled by the secure_link and secure_link_md5 directives, and also allows to limit lifetime of links.

This module is not built by default, it should be enabled with the --with-http_secure_link_module configuration parameter.

Defines a string with variables from which the checksum value and lifetime of a link are to be extracted.

Variables used in an expression are usually associated with a request; see example below.

Checksum value extracted from the string is compared with MD5 hash value computed for expression defined by the secure_link_md5 directive. If checksums are different, the $secure_link variable is set to an empty string. If checksums are the same, lifetime of a link is checked. If link has a limited lifetime and the time has expired, the $secure_link variable is set to “0”. Otherwise, it is set to “1”. MD5 hash value passed in a request is encoded in base64url.

If link has a limited lifetime, an expiration time is set in seconds since Epoch (Thu, 01 Jan 1970 00:00:00 GMT). The value is specified in an expression after MD5 hash, and is separated by comma. An expiration time passed in a request is made available in the $secure_link_expires variable for use in the secure_link_md5 directive. If expiration time is not specified, a link has unlimited lifetime.

Defines an expression for which the MD5 hash value is to be computed and compared with the value passed in a request.

An expression should contain the secured part of a link (resource) and a secret ingredient. If link has a limited lifetime, an expression should also contain $secure_link_expires.

To prevent unauthorized access, an expression may contain some information about the client, such as its address and version of the browser.

Example:

location /s/ {
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

    if ($secure_link = "") {
        return 403;
    }

    if ($secure_link = "0") {
        return 410;
    }

    ...
}

The link “/s/link?md5=_e4Nc3iduzkWRm01TBBNYw&expires=2147483647” restricts access to “/s/link” for the client with IP address 127.0.0.1. The link also has a limited lifetime until January 19, 2038 (GMT).

On UNIX, the md5 request argument value can be obtained as:

echo -n '2147483647/s/link127.0.0.1 secret' | \
    openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =

Defines a secret word used to check authenticity of requested links.

The full URI of a requested link looks as follows:

/prefix/hash/link

where hash is a hexadecimal representation of an MD5 hash computed for the concatenation of link and secret word, and prefix is an arbitrary string without slashes.

If requested link passes the authenticity check, the $secure_link variable is set to the link extracted from the request URI. Otherwise, the $secure_link variable is set to an empty string.

Example:

location /p/ {
    secure_link_secret secret;

    if ($secure_link = "") {
        return 403;
    }

    rewrite ^ /secure/$secure_link;
}

location /secure/ {
    internal;
}

A request of “/p/5e814704a28d9bc1914ff19fa0c4a00a/link” will be internally redirected to “/secure/link”.

On UNIX, the hash value for this example can be obtained as:

echo -n 'linksecret' | openssl md5 -hex

$secure_link

Status of a link check. The specific value depends on the selected operation mode.

$secure_link_expires

Lifetime of a link passed in a request; intended to be used only in the secure_link_md5 directive.