auth_hash

The 'auth_hash' directive enables the secure link hash authentication feature in NGINX, allowing for secure linking using hashes.

Syntax: auth_hash on;
Default: off
Context: http, server, location
Arguments: 1

Description

The auth_hash directive activates secure link hash authentication, allowing users to secure resources accessed via NGINX. By enabling this directive, the NGINX server will compute a secure hash based on a message that includes sensitive data such as URIs and secret keys combined with timestamp values or expiration periods. This hash is then used as a token to validate requests, ensuring that only authorized requests with valid tokens can access protected resources.

The hash is configured through companion directives. auth_hash_message specifies the exact components included in the hashed message, auth_hash_secret specifies the secret key used to compute the hash, and auth_hash_algorithm selects the cryptographic algorithm, which can be any of the options available through OpenSSL. Optional parameters set the start and end of a link's validity period, so a link is accepted only inside that time window.

Config Example

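location ^~ /files/ {
    auth_hash on;

    # Timestamp from ?ts=, end of the validity range from ?e=
    auth_hash_check_time $arg_ts range_end=$arg_e format=%s;
    # Token from ?st=, hex-encoded
    auth_hash_check_token $arg_st format=hex;
    # Placeholder secret; replace with a long random value
    auth_hash_secret "my_secret_key";
    # Components of the hashed message, joined with "|"
    auth_hash_message "$uri|$arg_ts|$arg_e|$auth_hash_secret";
    auth_hash_algorithm sha256;

    # Reject any request whose token or time check did not pass
    if ($auth_hash != "1") {
        return 403;
    }
    rewrite ^/files/(.*)$ /files/$1 break;
}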
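An application-side link signer for the configuration above, added here as an example (it is not code from the module or from this page). It assumes the token is the hex SHA-256 digest of the expanded auth_hash_message string; the function names and the sample ts and e values are constructed, and the time-window check itself is left to NGINX.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Secret from the config example above; use a long random value in practice.
SECRET = "my_secret_key"


def token(uri: str, ts: str, e: str, secret: str = SECRET) -> str:
    """Hex SHA-256 over the message layout "$uri|$arg_ts|$arg_e|<secret>".

    Assumption: the module hashes the expanded message string directly.
    """
    message = f"{uri}|{ts}|{e}|{secret}"
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def sign_url(path: str, ts: int, e: int, secret: str = SECRET) -> str:
    """Build path?ts=..&e=..&st=.. for a decoded path such as "/files/a b.pdf".

    NGINX's $uri is the normalized, percent-decoded path, so the decoded
    form is hashed while the percent-encoded form goes on the wire.
    """
    st = token(path, str(ts), str(e), secret)
    return f"{quote(path)}?ts={ts}&e={e}&st={st}"


def token_matches(url: str, secret: str = SECRET) -> bool:
    """Recompute the token for a received URL and compare in constant time."""
    parts = urlsplit(url)
    args = parse_qs(parts.query)
    try:
        ts, e, st = args["ts"][0], args["e"][0], args["st"][0]
    except KeyError:
        return False  # a required argument is missing or empty
    expected = token(unquote(parts.path), ts, e, secret)
    # Compare bytes so attacker-supplied non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), st.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    url = sign_url("/files/top secret.pdf", 1700000000, 3600)
    print(url)
    print(token_matches(url))                                   # signed link
    print(token_matches(url.replace("e=3600", "e=999999")))     # altered e
```

Because ts and e are part of the hashed message, changing either one in the query string invalidates the token.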

Ensure the hashing algorithm provided is supported by OpenSSL, otherwise the directive will fail to compute the hash.

Always use a long, random secret key. A weak or guessable secret can be brute-forced, which lets an attacker compute valid tokens.

Be cautious of the date formats and time values used to prevent invalid hash calculations.
