NGINX for the Developer
[ 180 ]The secure_link module works by computing the MD5 hash of a link concatenated
with a secret word. If the hash matches that found in the URI, then the $secure_
link variable is set to the portion of the URI after the hash. If there is no match,
then $secure_link is set to the empty string.
One possible scenario is to generate a page of download links using a secret word.
This word is then placed in the NGINX configuration to enable access to these links.
The word and page are replaced periodically to prevent saved links from being
called again at a later time. The following example illustrates this scenario.
We first decide on a secret word supersecret. Then, we generate the MD5 hash of
the links we want to enable:
$ echo -n "alphabet_soup.pdfsupersecret" |md5sum
8082202b04066a49a1ae8da9ec4feba1 -
$ echo -n "time_again.pdfsupersecret" |md5sum
5b77faadb4f5886c2ffb81900a6b3a43 -
Now, we can create the HTML for our links:
<a href="/downloads/8082202b04066a49a1ae8da9ec4feba1/alphabet_soup.
pdf">alphabet soup</a>
<a href="/downloads/5b77faadb4f5886c2ffb81900a6b3a43/time_again.
pdf">time again</a>These will only be valid if we use the same secure_link_secret directive in our
configuration that we used to generate these hashes:
# any access to URIs beginning with /downloads/ will be protected
location /downloads/ {# this is the string we used to generate the hashes above
secure_link_secret supersecret;# deny access with a Forbidden if the hash doesn't match
if ($secure_link = "") {return 403;}try_files /downloads/$secure_link =404;}