-
-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathnginx.conf
106 lines (89 loc) · 4.52 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
##Make sure you change the secret key to something private / secure and keep it matching for the locations that require it to be identical
##You can move the Lua code to what ever location output you want to use it in for your HTML output
##This example the root location
location / {
##location ~ \.php$ { ##Could apply for PHP outputs only
# Start Lua replace file format Links
set $questionmark ""; #Declare our empty var
body_filter_by_lua_block {
local secret = " enigma" --Signature secret key MAKE SURE THIS IS THE SAME AS WHAT YOU SET ON YOUR FILE
local remote_addr = ngx.var.remote_addr --Users IP address
local timestamp = ngx.time() + 18000 --Expires time on url generated +5hour unix time seconds
local fileformats = { --File formats table that we want regex to match and create secure links for
"mp4",
"mp3",
"m4v",
"ogg",
"webm",
"flv",
"avi",
--"gif", --Nulled out to show how easy it is to add and remove file formats for secure links
--"css",
--"jpg",
--"jpeg",
--"html",
--"php",
}
local strings_to_replace = { --strings to match and replace contents
"src=", --HTML src
"href=", --HTML href
}
local function calculate_signature(str)
return ngx.encode_base64(ngx.hmac_sha1(secret, ngx.md5(str)))
:gsub("[+/=]", {["+"] = "-", ["/"] = "_", ["="] = ""}) --Replace + with - and replace / with _ and remove =
end
local body = ngx.arg[1] --Put body into local var
for key, val in pairs(fileformats) do --For each file format in our table
for string, value in pairs(strings_to_replace) do --For each string format in our table
for everymatch, whatwasmatched in ngx.re.gmatch(body, "" .. value .. "\"(?<stringreplace2>.*?)\\." .. val .. "\"") do
local stringreplace1 = ngx.re.match(body, "" .. value .. "\"(?<stringreplace2>.*?)\\." .. val .. "\"") --Search through body to see if any matching strings are found
if stringreplace1 then --If match found in body then replace url
ngx.var.questionmark = "?md5=" .. calculate_signature(timestamp .. stringreplace1["stringreplace2"] .. "." .. val .. "" .. remote_addr .. secret .. "") .. "&expires=" .. timestamp .. ""
body = ngx.re.gsub(body, "" .. value .. "\"" .. stringreplace1["stringreplace2"] .. "\\." .. val .. "\"", "" .. value .. "\"" .. stringreplace1["stringreplace2"] .. "." .. val .. "" .. ngx.var.questionmark .. "\"")
ngx.arg[1] = body
end
end
end
end
}
#If body contents has been modified then remove content length header
header_filter_by_lua_block {
if ngx.var.questionmark then --If this var is no longer empty we know body contents have been modified so remove content-length header
ngx.header.content_length = nil
end
}
# End Lua replace file format Links
}
##End Generating HTML secure link outputs
#Allow our files to be served only by our secure links and stop theives stealing our bandwidth and/or using proxy_set_header to pretend our files are hosted by them.
##You may change / create as many file format paths and locations you want to be served under a secure link only as you wish.
## File format example
location ~* \.(avi|m4v|mov|divx|webm|ogg|mp3|mpeg|mpg|zip|rar|swf)$ {
##location ~ \.mp4$ { ##Could apply for single file outputs only
# Start Lua stop unathorized access / stealing or hotlinking
access_by_lua_block {
local secret = " enigma" --Signature secret key MAKE SURE THIS IS THE SAME AS WHAT YOU SET ON YOUR location that provides html output
local remote_addr = ngx.var.remote_addr --Users IP address
local currenttime = ngx.time() --Current time on server
local function calculate_signature(str)
return ngx.encode_base64(ngx.hmac_sha1(secret, ngx.md5(str)))
:gsub("[+/=]", {["+"] = "-", ["/"] = "_", ["="] = ""}) --Replace + with - and replace / with _ and remove =
end
local uri = ngx.var.uri
local arg_md5 = ngx.var.arg_md5
local arg_expires = ngx.var.arg_expires
if uri and arg_md5 and arg_expires and tonumber(arg_expires) ~= nil then --If url contains everything what is required
if tonumber(arg_expires) >= currenttime then --If time stamp not less than current time
local output = calculate_signature(arg_expires .. uri .. remote_addr .. secret) --Calculate the signature with our secret key and the details the user provided
if arg_md5 ~= output then --If the signature the user provided matches with the one we just generated
ngx.exit(ngx.HTTP_FORBIDDEN)
end
else
ngx.exit(ngx.HTTP_FORBIDDEN)
end
else
ngx.exit(ngx.HTTP_FORBIDDEN)
end
}
# End Lua unathorized access to file
}