new ngx_http_secure_link_module with secure_link, secure_link_md5, and
secure_link_expires
diff --git a/src/http/modules/ngx_http_secure_link_module.c b/src/http/modules/ngx_http_secure_link_module.c
index 2f9351d..24af22b 100644
--- a/src/http/modules/ngx_http_secure_link_module.c
+++ b/src/http/modules/ngx_http_secure_link_module.c
@@ -11,10 +11,23 @@
typedef struct {
- ngx_str_t secret;
+ ngx_http_complex_value_t *variable;
+ ngx_http_complex_value_t *md5;
+ ngx_str_t secret;
+ ngx_flag_t expires;
} ngx_http_secure_link_conf_t;
+typedef struct {
+ ngx_str_t expires;
+} ngx_http_secure_link_ctx_t;
+
+
+static ngx_int_t ngx_http_secure_link_old_variable(ngx_http_request_t *r,
+ ngx_http_secure_link_conf_t *conf, ngx_http_variable_value_t *v,
+ uintptr_t data);
+static ngx_int_t ngx_http_secure_link_expires_variable(ngx_http_request_t *r,
+ ngx_http_variable_value_t *v, uintptr_t data);
static void *ngx_http_secure_link_create_conf(ngx_conf_t *cf);
static char *ngx_http_secure_link_merge_conf(ngx_conf_t *cf, void *parent,
void *child);
@@ -23,6 +36,27 @@
static ngx_command_t ngx_http_secure_link_commands[] = {
+ { ngx_string("secure_link"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_http_set_comlex_value_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_secure_link_conf_t, variable),
+ NULL },
+
+ { ngx_string("secure_link_md5"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_http_set_comlex_value_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_secure_link_conf_t, md5),
+ NULL },
+
+ { ngx_string("secure_link_expires"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_secure_link_conf_t, expires),
+ NULL },
+
{ ngx_string("secure_link_secret"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -65,27 +99,124 @@
};
-static ngx_str_t ngx_http_secure_link = ngx_string("secure_link");
+static ngx_str_t ngx_http_secure_link_name = ngx_string("secure_link");
+static ngx_str_t ngx_http_secure_link_expires_name =
+ ngx_string("secure_link_expires");
static ngx_int_t
ngx_http_secure_link_variable(ngx_http_request_t *r,
- ngx_http_variable_value_t *v, uintptr_t data)
+ ngx_http_variable_value_t *v, uintptr_t data)
{
- u_char *p, *start, *end, *last;
- size_t len;
- ngx_int_t n;
- ngx_uint_t i;
- ngx_md5_t md5;
+ u_char *p, *last;
+ ngx_str_t val, hash;
+ time_t expires;
+ ngx_md5_t md5;
+ ngx_http_secure_link_ctx_t *ctx;
ngx_http_secure_link_conf_t *conf;
- u_char hash[16];
+ u_char hash_buf[16], md5_buf[16];
conf = ngx_http_get_module_loc_conf(r, ngx_http_secure_link_module);
- if (conf->secret.len == 0) {
+ if (conf->secret.len) {
+ return ngx_http_secure_link_old_variable(r, conf, v, data);
+ }
+
+ if (conf->variable == NULL || conf->md5 == NULL) {
goto not_found;
}
+ if (ngx_http_complex_value(r, conf->variable, &val) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+ "secure link: \"%V\"", &val);
+
+ last = val.data + val.len;
+
+ p = ngx_strlchr(val.data, last, ',');
+ expires = 0;
+
+ if (p) {
+ val.len = p++ - val.data;
+
+ if (conf->expires) {
+ expires = ngx_atotm(p, last - p);
+ if (expires <= 0) {
+ goto not_found;
+ }
+
+ ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_secure_link_ctx_t));
+ if (ctx == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_http_set_ctx(r, ctx, ngx_http_secure_link_module);
+
+ ctx->expires.len = last - p;
+ ctx->expires.data = p;
+ }
+ }
+
+ if (val.len > 24) {
+ goto not_found;
+ }
+
+ hash.len = 16;
+ hash.data = hash_buf;
+
+ if (ngx_decode_base64url(&hash, &val) != NGX_OK) {
+ goto not_found;
+ }
+
+ if (hash.len != 16) {
+ goto not_found;
+ }
+
+ if (ngx_http_complex_value(r, conf->md5, &val) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+ "secure link md5: \"%V\"", &val);
+
+ ngx_md5_init(&md5);
+ ngx_md5_update(&md5, val.data, val.len);
+ ngx_md5_final(md5_buf, &md5);
+
+ if (ngx_memcmp(hash_buf, md5_buf, 16) != 0) {
+ goto not_found;
+ }
+
+ v->data = (u_char *) ((expires && expires < ngx_time()) ? "0" : "1");
+ v->len = 1;
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+
+ return NGX_OK;
+
+not_found:
+
+ v->not_found = 1;
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_secure_link_old_variable(ngx_http_request_t *r,
+ ngx_http_secure_link_conf_t *conf, ngx_http_variable_value_t *v,
+ uintptr_t data)
+{
+ u_char *p, *start, *end, *last;
+ size_t len;
+ ngx_int_t n;
+ ngx_uint_t i;
+ ngx_md5_t md5;
+ u_char hash[16];
+
p = &r->unparsed_uri.data[1];
last = r->unparsed_uri.data + r->unparsed_uri.len;
@@ -145,6 +276,29 @@
}
+static ngx_int_t
+ngx_http_secure_link_expires_variable(ngx_http_request_t *r,
+ ngx_http_variable_value_t *v, uintptr_t data)
+{
+ ngx_http_secure_link_ctx_t *ctx;
+
+ ctx = ngx_http_get_module_ctx(r, ngx_http_secure_link_module);
+
+ if (ctx) {
+ v->len = ctx->expires.len;
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+ v->data = ctx->expires.data;
+
+ } else {
+ v->not_found = 1;
+ }
+
+ return NGX_OK;
+}
+
+
static void *
ngx_http_secure_link_create_conf(ngx_conf_t *cf)
{
@@ -158,9 +312,13 @@
/*
* set by ngx_pcalloc():
*
- * conf->secret = { 0, NULL }
+ * conf->variable = NULL;
+ * conf->md5 = NULL;
+ * conf->secret = { 0, NULL };
*/
+ conf->expires = NGX_CONF_UNSET;
+
return conf;
}
@@ -173,6 +331,16 @@
ngx_conf_merge_str_value(conf->secret, prev->secret, "");
+ if (conf->variable == NULL) {
+ conf->variable = prev->variable;
+ }
+
+ if (conf->md5 == NULL) {
+ conf->md5 = prev->md5;
+ }
+
+ ngx_conf_merge_value(conf->expires, prev->expires, 0);
+
return NGX_CONF_OK;
}
@@ -182,12 +350,19 @@
{
ngx_http_variable_t *var;
- var = ngx_http_add_variable(cf, &ngx_http_secure_link, NGX_HTTP_VAR_NOHASH);
+ var = ngx_http_add_variable(cf, &ngx_http_secure_link_name, 0);
if (var == NULL) {
return NGX_ERROR;
}
var->get_handler = ngx_http_secure_link_variable;
+ var = ngx_http_add_variable(cf, &ngx_http_secure_link_expires_name, 0);
+ if (var == NULL) {
+ return NGX_ERROR;
+ }
+
+ var->get_handler = ngx_http_secure_link_expires_variable;
+
return NGX_OK;
}
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index 1474f32..503c0f0 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -211,6 +211,42 @@
}
+char *
+ngx_http_set_comlex_value_slot(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ char *p = conf;
+
+ ngx_str_t *value;
+ ngx_http_complex_value_t **cv;
+ ngx_http_compile_complex_value_t ccv;
+
+ cv = (ngx_http_complex_value_t **) (p + cmd->offset);
+
+ if (*cv != NULL) {
+ return "duplicate";
+ }
+
+ *cv = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t));
+ if (*cv == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ value = cf->args->elts;
+
+ ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
+
+ ccv.cf = cf;
+ ccv.value = &value[1];
+ ccv.complex_value = *cv;
+
+ if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
ngx_int_t
ngx_http_test_predicates(ngx_http_request_t *r, ngx_array_t *predicates)
{
diff --git a/src/http/ngx_http_script.h b/src/http/ngx_http_script.h
index d741cea..c1288b7 100644
--- a/src/http/ngx_http_script.h
+++ b/src/http/ngx_http_script.h
@@ -207,6 +207,9 @@
ngx_int_t ngx_http_complex_value(ngx_http_request_t *r,
ngx_http_complex_value_t *val, ngx_str_t *value);
ngx_int_t ngx_http_compile_complex_value(ngx_http_compile_complex_value_t *ccv);
+char * ngx_http_set_comlex_value_slot(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
+
ngx_int_t ngx_http_test_predicates(ngx_http_request_t *r,
ngx_array_t *predicates);
