secure_link_hmac
The secure_link_hmac directive configures HMAC-based secure links for NGINX, allowing for secure access to resources with an optional expiration time.
Description
The secure_link_hmac directive is part of the Alternative NGINX HMAC Secure Link module, which improves on NGINX's standard secure link functionality by using HMAC (Hash-based Message Authentication Code) to generate and verify tokens. The directive takes a single argument that names the per-request values: the token itself and, optionally, a timestamp and an expiration period. The HMAC token is computed from a secret key, a message that typically combines the request URI, timestamp, and expiration, and a hashing algorithm supported by OpenSSL such as SHA256 or SHA512.
When a request is processed, NGINX computes the HMAC of the message using the configured secret and algorithm and compares it with the token supplied in the request. If the computed HMAC matches the token and the link has not expired, access is granted; otherwise the request is denied. Because links can be set to expire after a designated time frame, this gives fine-grained control over resource availability and an additional layer of protection against unauthorized access to sensitive resources.
Config Example
location ^~ /files/ {
    secure_link_hmac "$arg_st,$arg_ts,$arg_e";
    secure_link_hmac_secret "my_secret_key";
    secure_link_hmac_message "$uri|$arg_ts|$arg_e";
    secure_link_hmac_algorithm sha256;
    if ($secure_link_hmac != "1") {
        return 404;
    }
    rewrite ^/files/(.*)$ /files/$1 break;
}
Notes
Ensure the secret key is kept safe and not exposed in logs.
The timestamp and expiration values must be correctly formatted and properly managed; use UTC time when possible.
The HMAC token must be generated with the same secret, message layout, and algorithm as the server configuration; any mismatch causes verification to fail and the request to be denied.
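A worked example of both sides of the exchange, added here and not code from the module: an application signs a link for the configuration above, and a verifier models the check NGINX performs on it. Assumed, and to be confirmed against the module's documentation: the token is the URL-safe base64 HMAC with padding stripped, the timestamp is ISO 8601 with a numeric UTC offset, the expiration is a period in seconds (0 meaning no expiry), and the variable's three states mirror NGINX's standard secure link variable.

```python
import base64
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the page's configuration example.
SECRET = b"my_secret_key"
ALGORITHM = "sha256"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"   # assumed ISO 8601 timestamp layout, e.g. 2023-11-14T22:13:20+0000


def make_token(uri, ts, expires, secret=SECRET, algorithm=ALGORITHM):
    """HMAC over the same layout as secure_link_hmac_message "$uri|$arg_ts|$arg_e"."""
    message = f"{uri}|{ts}|{expires}".encode()
    mac = hmac.new(secret, message, algorithm).digest()
    # Assumed token encoding: URL-safe base64 with the '=' padding removed.
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_url(uri, expires, now_epoch):
    """Build /path?st=...&ts=...&e=... using the query parameters from the example."""
    ts = datetime.fromtimestamp(now_epoch, timezone.utc).strftime(TS_FORMAT)
    query = urlencode({"st": make_token(uri, ts, expires), "ts": ts, "e": expires})
    return f"{uri}?{query}"


def verify(uri, st, ts, e, now_epoch, secret=SECRET, algorithm=ALGORITHM):
    """Model the server-side check: '' = bad token, '0' = expired, '1' = valid
    (assumed to mirror the three states of NGINX's secure-link variable)."""
    # Recompute and compare in constant time first, so a forged token is rejected
    # before the request-supplied ts/e values are interpreted at all.
    if not hmac.compare_digest(make_token(uri, ts, e, secret, algorithm), st):
        return ""
    try:
        issued = datetime.strptime(ts, TS_FORMAT)
        period = int(e)
    except ValueError:
        return ""
    now = datetime.fromtimestamp(now_epoch, timezone.utc)
    if period > 0 and now > issued + timedelta(seconds=period):  # 0 = no expiry (assumed)
        return "0"
    return "1"


def check_link(url, now_epoch):
    """Split a signed URL back into $uri, $arg_st, $arg_ts, $arg_e and verify it."""
    parts = urlsplit(url)
    args = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return verify(parts.path, args.get("st", ""), args.get("ts", ""), args.get("e", ""), now_epoch)
```

Because the timestamp and expiration are signed as part of the message, editing either query parameter invalidates the token rather than extending the link's lifetime.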