secure_link_hmac_message
The `secure_link_hmac_message` directive defines the message that will be hashed using HMAC for secure link validation.
Description
The secure_link_hmac_message directive is part of the NGINX HMAC Secure Link module, which protects links with a token computed as an HMAC using any hash algorithm supported by OpenSSL. The directive specifies the message that is hashed: the data whose authenticity the server must verify for a request or link. The message typically includes the requested URI, a timestamp, and an optional expiration period for the link.
When a secure link is generated, the HMAC is computed over this message with the secret key given by the secure_link_hmac_secret directive. This is more robust than a plain hash because the construction is a keyed message authentication code that provides both integrity and authenticity, as described in RFC 2104. In short, secure_link_hmac_message sets the message that is HMAC-hashed, letting NGINX detect tampering with any request parameter covered by the message.
The directive takes one argument: a string containing variables that defines the message, for example "$uri|$arg_ts|$arg_e", so that exactly the intended parameters are bound into the token. It is used together with the secure_link_hmac and secure_link_hmac_secret directives to authenticate requests.
Config Example
location /protected {
    secure_link_hmac "$arg_st,$arg_ts,$arg_e";
    secure_link_hmac_secret "my_secret_key";
    secure_link_hmac_message "$uri|$arg_ts|$arg_e";
    secure_link_hmac_algorithm sha256;
    if ($secure_link_hmac != "1") {
        return 404;
    }
    # Further handling
}

Ensure that secure_link_hmac_secret is defined; otherwise, the HMAC validation will fail.
The message the server hashes must match, byte for byte, the string the link generator hashed: same fields, same order, same delimiters. Any difference (a missing "|", a swapped field, a trailing newline) produces a different HMAC and the token is rejected.
When implementing expiration, make sure the timestamp passed in $arg_ts is in a format the module accepts and is the same value that was hashed into the token; otherwise the token may not validate, or the expiry check may be skipped or misjudged.
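The following is an added example, not part of the module or its documentation: a Python link generator that matches the configuration above (message "$uri|$arg_ts|$arg_e", secret my_secret_key, SHA-256), together with a verifier that mirrors how $secure_link_hmac is set ("1" valid, "0" expired, "" rejected). It assumes the token in $arg_st is the raw digest base64url-encoded without padding, which is the encoding the module decodes, and uses Unix timestamps for $arg_ts.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode

SECRET = "my_secret_key"  # must equal secure_link_hmac_secret in the NGINX config


def sign(uri, ts, exp, secret=SECRET):
    """Token for secure_link_hmac_message "$uri|$arg_ts|$arg_e".

    The message is built exactly as NGINX will rebuild it from the request:
    the three fields joined with '|' in this order.  The raw HMAC-SHA256
    digest is base64url-encoded with the '=' padding stripped (assumed token
    format, see lead-in), so it is safe to place in a query string.
    """
    message = f"{uri}|{ts}|{exp}".encode()
    digest = hmac.new(secret.encode(), message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def signed_url(uri, exp, secret=SECRET, now=None):
    """Build the link a client would receive: /path?st=...&ts=...&e=..."""
    ts = int(time.time() if now is None else now)
    query = {"st": sign(uri, ts, exp, secret), "ts": ts, "e": exp}
    return f"{uri}?{urlencode(query)}"


def verify(uri, st, ts, exp, secret=SECRET, now=None):
    """Mirror the server side: "" bad token, "0" expired, "1" valid.

    The HMAC is recomputed over the same message the generator hashed; any
    change to uri, ts or e on the wire yields a different digest.  Expiry is
    only enforced when e is non-zero.  The token comparison is constant-time.
    """
    expected = sign(uri, ts, exp, secret)
    if not hmac.compare_digest(expected, st):
        return ""
    now = int(time.time() if now is None else now)
    if int(exp) > 0 and int(ts) + int(exp) < now:
        return "0"
    return "1"


if __name__ == "__main__":
    # Constructed sample: a link valid for one hour from a fixed issue time.
    url = signed_url("/protected/report.pdf", 3600, now=1700000000)
    print(url)
```

A request whose e parameter was enlarged to extend the link fails with "" rather than "0", because e is part of the hashed message and the forged value no longer matches the token.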