acl

The acl directive specifies access control lists for generating secure tokens in NGINX.

Syntax: acl value;
Default: none
Context:
Arguments: 1

Description

The acl directive in the Secure Token module for NGINX is used to define access control rules that are embedded into the secure tokens generated for resource access. This directive accepts one argument—a complex value that specifies the access control list (ACL) rules. The purpose of the ACL is to restrict access to certain resources based on specified criteria such as user IP addresses, URIs, or other parameters. This directive ensures that only requests that conform to the defined ACL rules will be able to successfully retrieve the secure token and subsequently access the protected resources.

When the server processes a request, it evaluates the defined acl against the incoming request parameters. If the request matches the defined ACL conditions, a secure token is generated that includes these conditions. The secure token comprises components such as expiration time, ACL parameters, and an HMAC signature for validation. Should the request not meet the ACL conditions, the secure token validation will fail, thereby denying access to the requested resource. This mechanism helps in implementing fine-grained access control for content distributed through CDNs, enhancing the security of video streams or other sensitive assets.
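The token structure described above (expiration time, ACL, HMAC signature) can be sketched as follows. This is an added example, not code from the module: it assumes an Akamai-style field layout `st=...~exp=...~acl=...~hmac=...` signed with HMAC-SHA256 under a hex-encoded key, and it treats the ACL as a glob over the request path; all sample values are constructed.

```python
import hashlib
import hmac
from fnmatch import fnmatchcase

KEY_HEX = "1234567890abcdef"  # sample key from the page's config example


def sign(fields: str, key_hex: str) -> str:
    """HMAC-SHA256 over the unsigned token fields, hex-encoded."""
    return hmac.new(bytes.fromhex(key_hex), fields.encode(), hashlib.sha256).hexdigest()


def make_token(acl: str, start: int, end: int, key_hex: str = KEY_HEX) -> str:
    """Build a token carrying start time, expiry, ACL and signature (assumed layout)."""
    fields = f"st={start}~exp={end}~acl={acl}"
    return f"{fields}~hmac={sign(fields, key_hex)}"


def check_token(token: str, uri: str, now: int, key_hex: str = KEY_HEX) -> str:
    """Return 'ok' or the reason the request must be rejected."""
    fields, sep, mac = token.rpartition("~hmac=")
    if not sep:
        return "malformed"
    # Verify the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(sign(fields, key_hex).encode(), mac.encode()):
        return "bad signature"
    try:
        parts = dict(p.split("=", 1) for p in fields.split("~"))
        start, end, acl = int(parts["st"]), int(parts["exp"]), parts["acl"]
    except (KeyError, ValueError):
        return "malformed"
    if not start <= now < end:
        return "outside validity window"
    # Simplification: fnmatch globbing stands in for the CDN's ACL matching.
    if not fnmatchcase(uri, acl):
        return "acl mismatch"
    return "ok"


if __name__ == "__main__":
    tok = make_token("/hls/movie1/*", start=1000, end=4600)  # constructed values
    print(tok)
    print(check_token(tok, "/hls/movie1/seg-1.ts", now=2000))
    print(check_token(tok.replace("movie1", "movie2"), "/hls/movie2/seg-1.ts", now=2000))
```

Because the ACL sits inside the signed fields, widening it after issuance invalidates the signature, which is what binds the token to the resources it was issued for.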

The acl directive is typically used within the context of the secure token blocks—specifically secure_token_akamai and secure_token_cloudfront—which handle the generation of tokens for respective CDNs. Properly configuring the ACL can significantly influence both access security and performance, as it establishes critical rules governing who can retrieve tokens and access content.

Config Example

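# The block takes the variable that receives the generated token;
# the name $token is chosen for this example.
secure_token_akamai $token {
    key 1234567890abcdef;    # hex-encoded signing key (sample value)
    acl "ip=192.168.1.0/24";
    param_name "st";
    start 5m;
    end 1h;
}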

Ensure the ACL format is correct; malformed inputs can cause access denial.

Combining multiple complex values may result in unexpected behavior if not logically structured.

Remember to define the ACL within a valid secure token block; using it outside will lead to configuration errors.
