secure_link_hmac_secret

The secure_link_hmac_secret directive specifies the secret key used for HMAC authentication in secure links.

Syntax: secure_link_hmac_secret key;
Default: none
Context: http, server, location
Arguments: 1

Description

The secure_link_hmac_secret directive is required by the HMAC secure link module for NGINX. It defines the secret key used to compute the HMAC signature that protects a link, so that only requests carrying a valid token can access the resource. The token is the HMAC of a message, typically comprising the requested URL, a timestamp, and an optional expiration parameter, keyed with this secret. Because the signature covers the message, a link cannot be altered without invalidating the token, which makes this scheme more tamper-resistant than standard token methods.

The secure_link_hmac_secret directive must be paired with the secure_link_hmac_message directive, which defines the message to be signed. Use a strong random key; the integrity of every link depends on it. The hashing algorithm used for the HMAC can be configured through the secure_link_hmac_algorithm directive. In practice, secure links are generated on the client side, that is, in the application that issues the links, using the same secret and the same HMAC algorithm as specified in the NGINX configuration; the server then authenticates each request by verifying the token before granting access to the resource.

Config Example

location ^~ /files/ {
    secure_link_hmac "$arg_st,$arg_ts,$arg_e";
    secure_link_hmac_secret "my_secret_key";
    secure_link_hmac_message "$uri|$arg_ts|$arg_e";
    secure_link_hmac_algorithm sha256;
    if ($secure_link_hmac != "1") {
        return 404;
    }
    rewrite ^/files/(.*)$ /files/$1 break;
}

Ensure that the secret key is kept confidential and is not exposed in publicly accessible configurations.

Using a weak or predictable secret key compromises the security of your HMAC links.

Ensure the hashing algorithm specified is supported by your OpenSSL version. Using an unsupported algorithm may lead to configuration errors.
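
The issuing side of the config example above, as an added Python example (not code from the module or from this page): it signs "$uri|$arg_ts|$arg_e" with HMAC-SHA256 and models the server's check locally so the issuer can be tested. It assumes ts is a Unix timestamp and st is the raw digest in unpadded base64url; the function names and sample values are illustrative.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def new_secret() -> str:
    # 32 random bytes from the OS CSPRNG, as a string safe to paste into
    # secure_link_hmac_secret (never a word or a reused password).
    return secrets.token_urlsafe(32)


def sign(secret: str, uri: str, ts: int, e: int) -> str:
    # Same layout as: secure_link_hmac_message "$uri|$arg_ts|$arg_e";
    # uri must be the path as nginx sees it in $uri (decoded, no query string).
    message = f"{uri}|{ts}|{e}".encode()
    digest = hmac.new(secret.encode(), message, hashlib.sha256).digest()
    # Assumption: the st token is the raw digest in unpadded base64url.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(secret: str, uri: str, ts: int, e: int) -> str:
    # Argument names st, ts, e match: secure_link_hmac "$arg_st,$arg_ts,$arg_e";
    query = urlencode({"st": sign(secret, uri, ts, e), "ts": ts, "e": e})
    return f"{uri}?{query}"


def check(secret: str, uri: str, st: str, ts: int, e: int, now: int) -> bool:
    # Simplified local model of the server-side decision, for testing the
    # issuer: recompute the token, compare in constant time, then check expiry.
    expected = sign(secret, uri, ts, e)
    if not hmac.compare_digest(expected.encode(), st.encode()):
        return False
    return now <= ts + e


if __name__ == "__main__":
    key = new_secret()      # constructed sample values below
    issued = 1700000000
    print(make_link(key, "/files/report.pdf", issued, 3600))
```

Changing any signed field (path, ts or e) or signing with a different key makes check() return False, which is the tamper resistance the description refers to.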
