-
chevron_right
Nginx GeoIP
pubsub.slavino.sk / warlord0blog · Wednesday, 28 April, 2021 - 17:51 edit
- label
-
chevron_right
Nginx Maintenance Mode
pubsub.slavino.sk / warlord0blog · Friday, 5 February, 2021 - 18:10 edit
-
chevron_right
step-ca and ACME
pubsub.slavino.sk / warlord0blog · Friday, 15 January, 2021 - 12:18 edit
-
chevron_right
Nginx SSL Certificate Error
pubsub.slavino.sk / warlord0blog · Wednesday, 14 October, 2020 - 20:00 edit
-
chevron_right
Keycloak and OpenLDAP
Warlord · pubsub.slavino.sk / warlord0blog · Friday, 24 July, 2020 - 17:39 edit
-
chevron_right
Nginx and LDAP Authentication
Warlord · pubsub.slavino.sk / warlord0blog · Saturday, 11 July, 2020 - 16:26 edit
-
chevron_right
Nginx Configuration Synchronisation
Warlord · pubsub.slavino.sk / warlord0blog · Monday, 25 May, 2020 - 21:31 edit
- the PHP and Go solution is not for me...
- the most close to my experiences goes the Python's solution, but i want to avoid external daemon, especially the Flask one, despite that i have all needed for it installed and used already (uWSGI, Flask, Python3, ...), because i know its performance limits and memory requirements.
- which interested me, is Nginx's Perl module. I consider this as good solution, ecause Debian's Nginx comes with Perl support via dynamic module. I am not very familiar with Perl and this implementation sounds as very simple task...
- here are two nested locations, not really needed, but Nginx search all regex global locations on any request, what can a litle reduce performance, this limits searching this location only for chosen prefix
- nested location uses regular expression capture group, to eliminate prefix form URI, without needing
map
directive nested location doesn't properly handles the missing token, while there is anif
directive for it at start of location, it returns 500 code- nested location properly handles 409 response on existing file and 403 response on bad or missing token by some Nginx's
set
directive magic - while it is basically working, the "HMAC Secure link" module expects Base64URL encoded token, but "Set misc" module can provide only pure Base64 encoding, thus some combinations of the filename and size can be refused
- it requires two external modules, which are not included in standard Debian package, and thus recompilation of Nginx can be required
-
chevron_right
Home encryption and file access for external services on Debian
Timothée Jaussoin · Monday, 13 November, 2017 - 10:18
Značky: #nginx, #Web, #Linux, #certificates
Značky: #certificates, #nginx, #Linux, #Web
Značky: #Linux, #authentication, #nginx, #security, #single-sign-on, #Linux
Pure Nginx external HTTP upload
As i leraned yesterday, the Movim requires HTTP upload servico on XMPP server, which i have not enabled yet. After fast look i found two Prosody's modules, which provides it. Because i don't believe Prosody's HTTP server (eg. not SNI support yet), i focus to its external HTTP upload module, which require external service.
Background
The mod_http_upload_external page describes some external solutions:
I decided to try to utilize the Nginx's built-in DAV module and some external modules, namely HMAC Secure link and (as i learn later) Set misc.
The DAV module itself provides support for PUT requests, nothing special. The "HMAC secure link" module is able to verify HMAC signature, but it cannot handle prosody's HMAC-SHA256 digest directly, because it expects Base64URL encoded HMAC, there is need to encode Prosody's hex string, which allows the "Set Misc" module in two steps, first decode hex string into binary value, and then then encode it as Base64 string.
Nginx location
After some playing i got this location config. Some point about:
location /xmpp {
root /srv;
location ~ /xmpp/(?<fpath>.+)$ {
dav_methods PUT;
create_full_put_path on; # create directory, if needed
dav_access user:rw group:rw all:r; # set permissions
client_max_body_size 100m; # default prosody's body size is 100 MB
# encode $arg_v into Base64URL digest
set $digest $arg_v;
set_if_empty $digest "00";
set_decode_hex $digest;
set_encode_base64 $digest;
# verify $digest
secure_link_hmac $digest;
secure_link_hmac_secret "123456";
secure_link_hmac_algorithm sha256;
secure_link_hmac_message "$fpath $content_length";
# handle missing token
set $missing $request_method$arg_v;
if ($missing = "PUT") {return 403;}
# do not overwrite existing file
if (-e $request_filename) {set $exists $request_method;}
if ($exists = "PUT") {return 409;}
# handle bad HMAC token
if ($request_method = "PUT") {set $verified $request_method$secure_link_hmac;}
if ($verified = "PUT") {return 403;}
}
}
The missing token (and related 500 response) can be solved by solved.set_if_empty
directive, but i didn't play with it.
Testing
I prefer shell testing of HTTP services, because i can do some scripts for it. Here is simple script to generate HMAC token and fire PUT request with it. It is not very intelligent, all things are hardcoded inside variables, but as an inspiration:
kluc="123456"
subor="/tmp/aaa.txt"
velk=$(stat --printf="%s" "$subor")
text="${subor#/tmp/} $velk"
hmac=$(echo -n "$text" | openssl dgst -sha256 -hmac "$kluc" | cut -d" " -f2 )
echo "v=$hmac"
wget -qO- --server-response --body-file="$subor" --method=PUT \
https://bonifac.skk/xmpp/aaa.txt?v=${hmac}
Conclusion
I am sure, that this solution can provide better performance than ĺinked Flask module, but I am not happy with this solution, because i see some problems:
I spent some hours with this (including repackaging Nginx, reading docs, coffee and launch pause, etc), but it was wasted time. Next i will try the linked Perl Nginx's module. If someone know how to solve the Base64URL encoding problem, i will be happy if (s)he will share it.
Little trick (and reminder for me). After using ecryptfs-migrate-home
on my Debian machine to #encrypt my /home
partition I found out that #nginx was not able to access projects that were hosted in this partition.
Thanks to this GitHub Gitst by jhjguxin it seems that the #migration change the rights on the directory to 700 which prevent nginx to access files within it properly.
To fix that you should at least allow read #access.
# chmod 701 /home/user
Et voilà :)