Skip to content
/ mod_authz_signedurl Public
forked from sdolier/mod_authz_signedurl

Apache authorisation module for private content using digitally signed urls

License

MIT license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SyberIsle/mod_authz_signedurl

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits

demo

demo

 
 

.deps

.deps

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

mod_authz_signedurl.c

mod_authz_signedurl.c

 
 

modules.mk

modules.mk

 
 

Repository files navigation

mod_authz_signedurl

Apache module for authorizing access to http content using cryptographically signed urls.

Overview

mod_authz_signedurl is inspired by AWS private content and allows you to restrict access to http content by requiring the url to contain a cryptographically signed access policy that describes the restrictions to that resource.

Useful for providing users with a url that restricts the download from their ip address for a set duration of time. For example delivering purchased content or preventing hotlinking.

The access policy, generated by your application for a specific user/request, can restrict access based on:

  • A specific resource url
  • The remote users ip address
  • A expiration time
  • A not valid before time

The policy is cryptographically signed to prevent users creating an unauthorized policy.

Requirements

  • Apache 2.4+
  • OpenSSL

Access Policy

The access policy is described using a JSON document in the following format

{
  "Statement": [{
    "Resource": "<url of restricted resource>",
    "Condition": {
      "DateLessThan": {"Apache:EpochTime": <optional authorization expiration time (UTC)>},
      "DateGreaterThan": {"Apache:EpochTime": <optional authorization validity start time (UTC)>},
      "IpAddress": {"Apache:SourceIp": "<optional remote user's ip address>"}
    }
  }]
}

Cryptographic signature

To prevent an unauthorized user creating a policy, the policy is hashed and signed using sha256 and your private key.

Prior to creating the signature, the policy should have:

  • All new lines removed
  • All spaces removed

The signature should then be url safe base64 encoded.

Signed URL

The url to request the restricted content is in the following format

<protocol>://<resource url>?policy=<url safe base 64 encoded policy>&signature=<url safe base 64 encoded sha256 signature>

URL safe base64 encoding

Base64 encoding will include characters that are not safe for a url. The following characters should be replaced:

Replace these invalid characters With these characters 
  •                            | - (hyphen)

= | _ (underscore) / | ~ (tilde)

Apache Configuration

Enable the module in you httpd configuration.

LoadModule mod_authz_signedurl_module modules/mod_authz_signedurl.so

To enable the module configure a handler in an apache configuration file or a .htaccess file.

For one or more file types:

<IfModule mod_authz_signedurl_module>
  AddHandler signedurl-handler .jpg
  AddHandler signedurl-handler .png
</IfModule>

Or for all requests in a directory

<IfModule mod_authz_signedurl_module>
  SetHandler signedurl-handler
</IfModule>

Module Directives

Set the public key to verify the cryptographic signature

SignedUrlPublicKey "<base 64 encoded public key>"

About

Apache authorisation module for private content using digitally signed urls

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 81.2%
  • PHP 8.9%
  • Makefile 6.8%
  • ApacheConf 3.1%