auth_hash_message

Defines the message to be hashed for secure link authentication in NGINX.

Syntax: auth_hash_message string;
Default: none
Context: http, server, location
Arguments: 1

Description

The auth_hash_message directive belongs to the Secure Link Hash module for NGINX. It sets the message that is hashed to produce the secure token, so it determines which parts of the request the token covers. The token is validated when a protected resource is requested. The message typically combines the request URI, timestamps, or other dynamic arguments with the secret key defined by the auth_hash_secret directive. The token helps ensure that links expire after a defined time, and the check can include an expiration range if needed.

The directive takes a single argument: a string that may contain NGINX variables (such as $uri, request arguments, or custom variables), concatenated to form the input to the hash. When a request is made, NGINX computes the hash over the complete message defined by auth_hash_message, verifies it against the provided token, and checks other conditions such as timestamp validity, defined by auth_hash_check_time, and token formatting, through auth_hash_check_token. This flexibility helps in creating secure, short-lived URLs that are difficult to forge.

Config Example

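location ^~ /files/ {
    # Enable token checking for this location
    auth_hash on;
    # Timestamp from ?ts=, range end from ?e=, parsed as epoch seconds (%s)
    auth_hash_check_time $arg_ts range_end=$arg_e format=%s;
    # Token supplied by the client in ?st=, hex-encoded
    auth_hash_check_token $arg_st format=hex;
    # Placeholder secret; replace with a long random value
    auth_hash_secret "my_secret_key";
    # String that is hashed and compared against the token
    auth_hash_message "$uri|$arg_ts|$arg_e|$auth_hash_secret";
    auth_hash_algorithm sha256;

    # Reject the request unless validation succeeded
    if ($auth_hash != "1") {
        return 403;
    }
    rewrite ^/files/(.*)$ /files/$1 break;
}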

Make sure the variables used in the message are accurately set; undefined variables will lead to incorrect hashes.

Ensure the message string includes all expected components necessary for validation; missing elements can compromise the security of URLs.

Test the expiration timestamp format carefully; mismatched formats can prevent successful validation of the token.
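
The following link generator is an added example, not code from the module or from this page. It builds the same message as the config example above so that the application issuing links and NGINX hash identical bytes. It assumes the token is a plain SHA-256 digest of the expanded message and that e is a number of seconds relative to ts; the function names are this example's own.

```python
import hashlib
import hmac
import time
from urllib.parse import quote, urlencode

SECRET = "my_secret_key"  # placeholder, same value as auth_hash_secret above


def build_message(uri, ts, e, secret=SECRET):
    # Mirrors auth_hash_message "$uri|$arg_ts|$arg_e|$auth_hash_secret".
    # Every field must appear in the same order and with the same separator.
    return f"{uri}|{ts}|{e}|{secret}"


def make_token(uri, ts, e, secret=SECRET):
    # Assumption: the module takes SHA-256 of the expanded message and the
    # client sends the digest hex-encoded (auth_hash_check_token format=hex).
    return hashlib.sha256(build_message(uri, ts, e, secret).encode()).hexdigest()


def sign_link(uri, lifetime, now=None, secret=SECRET):
    """Return path?query for `uri`, given as the decoded path ($uri form)."""
    ts = int(time.time() if now is None else now)
    args = {"st": make_token(uri, ts, lifetime, secret), "ts": ts, "e": lifetime}
    # Hash the decoded path, but percent-encode it in the emitted link.
    return f"{quote(uri)}?{urlencode(args)}"


def check_link(uri, st, ts, e, now, secret=SECRET):
    """Offline re-check of a link: token match, then ts <= now <= ts + e."""
    expected = make_token(uri, ts, e, secret).encode()
    if not hmac.compare_digest(expected, st.lower().encode()):
        return False
    # Assumption: e (range_end) is a number of seconds relative to ts.
    return int(ts) <= now <= int(ts) + int(e)


if __name__ == "__main__":
    print(sign_link("/files/report 1.pdf", lifetime=3600))
```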
