Skip to content

Apache authorisation module for private content using digitally signed urls

License

Notifications You must be signed in to change notification settings

sdolier/mod_authz_signedurl

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

mod_authz_signedurl

Apache module for authorizing access to http content using cryptographically signed urls.

Overview

mod_authz_signedurl is inspired by AWS private content and allows you to restrict access to http content by requiring the url to contain a cryptographically signed access policy that describes the restrictions to that resource.

Useful for providing users with a url that restricts the download from their ip address for a set duration of time. For example delivering purchased content or preventing hotlinking.

The access policy, generated by your application for a specific user/request, can restrict access based on:

  • A specific resource url
  • The remote users ip address
  • A expiration time
  • A not valid before time

The policy is cryptographically signed to prevent users creating an unauthorized policy.

Requirements

  • Apache 2.4+
  • OpenSSL

Access Policy

The access policy is described using a JSON document in the following format

{
  "Statement": [{
    "Resource": "<url of restricted resource>",
    "Condition": {
      "DateLessThan": {"Apache:EpochTime": <optional authorization expiration time (UTC)>},
      "DateGreaterThan": {"Apache:EpochTime": <optional authorization validity start time (UTC)>},
      "IpAddress": {"Apache:SourceIp": "<optional remote user's ip address>"}
    }
  }]
}

Cryptographic signature

To prevent an unauthorized user creating a policy, the policy is hashed and signed using sha256 and your private key.

Prior to creating the signature, the policy should have:

  • All new lines removed
  • All spaces removed

The signature should then be url safe base64 encoded.

Signed URL

The url to request the restricted content is in the following format

<protocol>://<resource url>?policy=<url safe base 64 encoded policy>&signature=<url safe base 64 encoded sha256 signature>

URL safe base64 encoding

Base64 encoding will include characters that are not safe for a url. The following characters should be replaced:

Replace these invalid characters With these characters
  •                            | - (hyphen)
    

= | _ (underscore) / | ~ (tilde)

Apache Configuration

Enable the module in you httpd configuration.

LoadModule mod_authz_signedurl_module modules/mod_authz_signedurl.so

To enable the module configure a handler in an apache configuration file or a .htaccess file.

For one or more file types:

<IfModule mod_authz_signedurl_module>
  AddHandler signedurl-handler .jpg
  AddHandler signedurl-handler .png
</IfModule>

Or for all requests in a directory

<IfModule mod_authz_signedurl_module>
  SetHandler signedurl-handler
</IfModule>

Module Directives

Set the public key to verify the cryptographic signature

SignedUrlPublicKey "<base 64 encoded public key>"

About

Apache authorisation module for private content using digitally signed urls

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published