Secure hash [http/authorization/secure_link_hash]

NGINX provides the ngx_http_secure_link_module to protect a web location from simple bots and web crawlers. In this example we will use JavaScript to generate the MD5 hash needed to implement a secure link.

Step 1: Copy and paste the following commands to start your NGINX container with this lab’s files. Notice the SECRET_KEY environment variable.

EXAMPLE='http/authorization/secure_link_hash'
docker run --rm --name njs_example -e SECRET_KEY=" mykey" -v $(pwd)/conf/$EXAMPLE.conf:/etc/nginx/nginx.conf:ro -v $(pwd)/njs/:/etc/nginx/njs/:ro -p 80:80 -d nginx

Step 2: Now let’s use curl to test our NGINX server:

curl http://127.0.0.1/secure/r
302

curl http://127.0.0.1/secure/r -L
curl: (47) Maximum (50) redirects followed

curl http://127.0.0.1/secure/r --cookie-jar cookie.txt
302

curl http://127.0.0.1/secure/r --cookie cookie.txt
PASSED

docker stop njs_example

Code Snippets

This configuration rejects the first attempt to access the /secure/ location by responding with a 302 redirect back to itself. Notice that along with the redirect a cookie is also set in the user’s web client. The cookie contains an MD5 hash that is generated by our njs code. When the web client tries the request again, the cookie is passed back to the server, and NGINX verifies it before allowing access.

nginx.conf
env SECRET_KEY;

...

http {
  js_path "/etc/nginx/njs/";

  js_import main from http/authorization/secure_link_hash.js;

  js_set $new_foo main.create_secure_link;
  js_set $secret_key main.secret_key;


  server {
        listen 80;

        ...

        location /secure/ {
            error_page 403 = @login;

            secure_link $cookie_foo;
            secure_link_md5 "$uri$secret_key";

            if ($secure_link = "") {
                    return 403;
            }

            proxy_pass http://localhost:8080;
        }

        location @login {
            add_header Set-Cookie "foo=$new_foo; Max-Age=60";
            return 302 $request_uri;
        }
    }
}

This JavaScript uses the built-in crypto library to create an MD5 hash. Instead of hardcoding the secret key into this file, we retrieve it from the SECRET_KEY environment variable.

secure_link_hash.js
function secret_key(r) {
    return process.env.SECRET_KEY;
}

function create_secure_link(r) {
  return require('crypto').createHash('md5')
                          .update(r.uri).update(process.env.SECRET_KEY)
                          .digest('base64url');
}

export default {secret_key, create_secure_link}
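
The cookie check configured above can be reproduced outside NGINX. The following Node.js code is an added example, not part of the lab's files: it rebuilds the cookie value from the URI and key and models the server-side decision as "decode base64url, require 16 bytes, compare with MD5 of $uri$secret_key". The function names (md5Of, secureLinkToken, checkSecureLink, demo) and the constant-time comparison are choices made for this example.

```javascript
// Added example: Node.js model of the secure-link check configured above.
const { createHash, timingSafeEqual } = require('crypto');

// Raw 16-byte MD5 over the same string NGINX builds from
// secure_link_md5 "$uri$secret_key".
function md5Of(uri, secretKey) {
  return createHash('md5').update(uri).update(secretKey).digest();
}

// Same value create_secure_link() puts in the "foo" cookie:
// base64url = base64 with '+' -> '-', '/' -> '_', and '=' padding removed.
function secureLinkToken(uri, secretKey) {
  return md5Of(uri, secretKey).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Model of the server-side decision: true corresponds to $secure_link = "1",
// false to $secure_link = "" (the 403 -> @login path in the config).
function checkSecureLink(cookieValue, uri, secretKey) {
  if (typeof cookieValue !== 'string' || !/^[A-Za-z0-9_-]+$/.test(cookieValue)) {
    return false;                         // cookie missing or not base64url
  }
  // Buffer's base64 decoder also accepts the URL-safe alphabet.
  const presented = Buffer.from(cookieValue, 'base64');
  if (presented.length !== 16) {
    return false;                         // not an MD5-sized value
  }
  return timingSafeEqual(presented, md5Of(uri, secretKey));
}

// Constructed sample values matching the lab: SECRET_KEY=" mykey", URI /secure/r.
function demo() {
  const key = ' mykey';
  const token = secureLinkToken('/secure/r', key);
  return {
    token,
    firstRequest: checkSecureLink(undefined, '/secure/r', key), // no cookie yet
    retry: checkSecureLink(token, '/secure/r', key),            // cookie sent back
    otherUri: checkSecureLink(token, '/secure/other', key),     // hash covers $uri
    wrongKey: checkSecureLink(token, '/secure/r', 'otherkey'),  // hash covers the key
  };
}

console.log(demo());
```

Because the hash input is only $uri and the key, the cookie value is identical for every client and carries no expiry of its own; the Max-Age=60 on the cookie is enforced by the client, not by the hash check.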