secure_link_hmac_algorithm

Defines the HMAC hashing algorithm used to create secure links in NGINX.

Syntax: secure_link_hmac_algorithm algorithm;
Default: none
Context: http, server, location
Arguments: 1

Description

The secure_link_hmac_algorithm directive selects the cryptographic hash function used to compute the HMAC (Hash-based Message Authentication Code) for secure links in NGINX. The directive is part of the Alternative NGINX HMAC Secure Link module and accepts the hashing algorithms supported by OpenSSL, such as sha256, sha512, md5, and many others. The hash function selected affects both the security level and the performance of link validation, as different algorithms have varying degrees of complexity and collision resistance.

When a secure link is accessed, NGINX uses the algorithm specified by this directive to compute the HMAC over a composed message, which usually contains the URI, a timestamp, and an optional expiration period. The resulting HMAC is then compared against the token provided in the HTTP request to verify the integrity and validity of the link. If the calculated HMAC matches the token and the link has not expired, access is granted. This flexibility supports various security frameworks and lets link generation follow organizational security policies.

Config Example

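location ^~ /files/ {
    # Token, timestamp and optional expiration period, taken from the query string
    secure_link_hmac "$arg_st,$arg_ts,$arg_e";
    # Secret key used for the HMAC
    secure_link_hmac_secret "my_secret_key";
    # Message the HMAC is computed over
    secure_link_hmac_message "$uri|$arg_ts|$arg_e";
    # Hash function used for the HMAC
    secure_link_hmac_algorithm sha256;

    # Anything other than "1" means the token did not validate or the link expired;
    # return 404 without telling the client which check failed
    if ($secure_link_hmac != "1") {
        return 404;
    }

    rewrite ^/files/(.*)$ /files/$1 break;
}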

Ensure that the algorithm specified is supported by the OpenSSL version used with NGINX.

Changing the algorithm may require updating both server-side and client-side implementations to ensure compatibility.

If you use a less secure algorithm such as MD5, be aware of the associated security risks.
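
The signing and checking steps described above, as an added Python example that is not the module's own code. It mirrors the "$uri|$arg_ts|$arg_e" message and the st, ts and e arguments from the config, and shows that a link signed with one algorithm fails validation under another. Assumptions: the token is the raw digest in unpadded base64url, ts is a Unix timestamp, e is a lifetime in seconds, and make_token, sign_link and verify_link are hypothetical names.

```python
import hmac
import time
from base64 import urlsafe_b64encode

SECRET = b"my_secret_key"  # must match secure_link_hmac_secret in the config


def make_token(uri, ts, e, algorithm="sha256"):
    """HMAC over the message layout from secure_link_hmac_message."""
    message = f"{uri}|{ts}|{e}".encode()
    # digestmod accepts a hash name, like the directive's argument
    digest = hmac.new(SECRET, message, algorithm).digest()
    # Assumption: token is the raw digest, base64url-encoded, padding stripped
    return urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_link(uri, ttl, algorithm="sha256", now=None):
    """Build a link carrying st (token), ts (timestamp) and e (lifetime)."""
    ts = int(time.time() if now is None else now)
    return f"{uri}?st={make_token(uri, ts, ttl, algorithm)}&ts={ts}&e={ttl}"


def verify_link(uri, st, ts, e, algorithm="sha256", now=None):
    """Recompute the HMAC from the request values, then check expiry."""
    now = int(time.time() if now is None else now)
    expected = make_token(uri, ts, e, algorithm)
    # Constant-time comparison so the check does not leak matching prefixes
    if not hmac.compare_digest(expected.encode(), st.encode()):
        return False
    # Assumption: the link is valid up to and including ts + e
    return now <= int(ts) + int(e)


if __name__ == "__main__":
    # Constructed sample: a 60-second link issued at t=1000
    url = sign_link("/files/report.pdf", 60, now=1000)
    path, query = url.split("?")
    args = dict(p.split("=", 1) for p in query.split("&"))
    print(url)
    print("valid at t=1030:", verify_link(path, **args, now=1030))
    print("valid at t=1061:", verify_link(path, **args, now=1061))
    print("server on sha512:", verify_link(path, **args, algorithm="sha512", now=1030))
```
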
