/* * Copyright (C) Nginx, Inc. */ #include #include #include #include typedef struct { ngx_http_complex_value_t *hash; ngx_str_t secret; } ngx_http_hash_access_loc_conf_t; static ngx_int_t ngx_http_hash_access_handler(ngx_http_request_t *r); static void *ngx_http_hash_access_create_loc_conf(ngx_conf_t *cf); static char *ngx_http_hash_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t ngx_http_hash_access_init(ngx_conf_t *cf); static ngx_command_t ngx_http_hash_access_commands[] = { { ngx_string("hash_access"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_http_set_complex_value_slot, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_hash_access_loc_conf_t, hash), NULL }, { ngx_string("hash_access_secret"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_hash_access_loc_conf_t, secret), NULL }, ngx_null_command }; static ngx_http_module_t ngx_http_hash_access_module_ctx = { NULL, /* preconfiguration */ ngx_http_hash_access_init, /* postconfiguration */ NULL, /* create main configuration */ NULL, /* init main configuration */ NULL, /* create server configuration */ NULL, /* merge server configuration */ ngx_http_hash_access_create_loc_conf, /* create location configuration */ ngx_http_hash_access_merge_loc_conf /* merge location configuration */ }; ngx_module_t ngx_http_hash_access_module = { NGX_MODULE_V1, &ngx_http_hash_access_module_ctx, /* module context */ ngx_http_hash_access_commands, /* module directives */ NGX_HTTP_MODULE, /* module type */ NULL, /* init master */ NULL, /* init module */ NULL, /* init process */ NULL, /* init thread */ NULL, /* exit thread */ NULL, /* exit process */ NULL, /* exit master */ NGX_MODULE_V1_PADDING }; static ngx_int_t ngx_http_hash_access_handler(ngx_http_request_t *r) { ngx_str_t val, hash; ngx_md5_t md5; ngx_http_hash_access_loc_conf_t *hlcf; u_char buf[18], md5_buf[16]; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http hash access handler"); hlcf = ngx_http_get_module_loc_conf(r, ngx_http_hash_access_module); if (hlcf->hash == NULL) { return NGX_DECLINED; } /* get user hash value in base64 */ if (ngx_http_complex_value(r, hlcf->hash, &val) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } if (val.len > 24) { return NGX_HTTP_FORBIDDEN; } /* decode user hash value */ hash.data = buf; if (ngx_decode_base64url(&hash, &val) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } if (hash.len != 16) { return NGX_HTTP_FORBIDDEN; } /* compute server hash value */ ngx_md5_init(&md5); ngx_md5_update(&md5, r->uri.data, r->uri.len); ngx_md5_update(&md5, hlcf->secret.data, hlcf->secret.len); ngx_md5_final(md5_buf, &md5); /* compare hashes */ if (ngx_memcmp(buf, md5_buf, 16) != 0) { return NGX_HTTP_FORBIDDEN; } return NGX_OK; } static void * ngx_http_hash_access_create_loc_conf(ngx_conf_t *cf) { ngx_http_hash_access_loc_conf_t *conf; conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_hash_access_loc_conf_t)); if (conf == NULL) { return NULL; } /* * set by ngx_pcalloc(): * * conf->hash = NULL; * conf->secret = { 0, NULL }; */ return conf; } static char * ngx_http_hash_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) { ngx_http_hash_access_loc_conf_t *prev = parent; ngx_http_hash_access_loc_conf_t *conf = child; ngx_conf_merge_ptr_value(conf->hash, prev->hash, NULL); ngx_conf_merge_str_value(conf->secret, prev->secret, ""); return NGX_CONF_OK; } static ngx_int_t ngx_http_hash_access_init(ngx_conf_t *cf) { ngx_http_handler_pt *h; ngx_http_core_main_conf_t *cmcf; cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); if (h == NULL) { return NGX_ERROR; } *h = ngx_http_hash_access_handler; return NGX_OK; }