Added user-specified Roboo_secret support (scalable Roboo scenario) - Thanks to Kevin Jackson & Pete Hanlon

Logging improvements - nginx.conf-example logs challenged and verified hosts separately
commit bcb7d8031eade3be1f6215e2c774362e18327b51 1 parent 8955d30
@yuri-gushin authored
Showing with 28 additions and 6 deletions.
  1. +16 −0 README.txt
  2. +6 −5 Roboo.pm
  3. +6 −1 nginx.conf-example
16 README.txt
@@ -56,6 +56,22 @@ The following parameters may be configured to control the module:
"$remote_addr$http_user_agent" ensures a different challenge key is generated for every IP address + User-Agent,
meaning different clients behind a NAT will be challenged and verified with different keys.
+ (Advanced) Roboo_secret - "<RANDOM STRING>"
+ - The secret is used for the challenge key computation and is by default regenerated on every Roboo (Nginx) invocation.
+ - It is possible to specify the secret as part of the configuration - use only when required, as setting this value
+ statically reduces the strength of the challenge key.
+ - Use case - when multiple Roboo servers are being used behind a load-balancer without persistence set up - since each
+ server produces a unique challenge key - the host will need to reauthenticate every time it reaches a different server.
+ Setting this value identically across an array of such Roboo servers will result in the generation of identical keys and
+ eliminate the key mismatch problems.
+ In order for multiple Roboo servers to produce the same challenge key, the following conditions must be met across all
+ servers:
+ - Roboo secret value - use the same long random string as input
+ * Change & synchronize the secret periodically (e.g. with cronjob)
+ - System time & validity window - ensure time is synchronized and the same Roboo_validity_window is configured
+ - Perl environment - ensure the same RANDBITS value was compiled into perl
+ * Verify by running: perl -MConfig -e 'print "$Config{randbits}\n";')
+
Installation
============
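Review bot: the new Roboo_secret documentation states no length requirement, yet Roboo.pm stores the configured value verbatim as "<masterpid>:<secret>" in a 128-byte shared-memory segment and get_secret reads it back with `(.{64})`, so a secret that is not exactly 64 characters will not be recovered correctly. Either document the required length here ("a 64-character random string") or, preferably, have the code derive a fixed-length value from whatever string the operator supplies. Two smaller points in this hunk: the `perl -MConfig -e 'print "$Config{randbits}\n";'` example ends with a stray `)`, and the cron-based rotation suggested under "Change & synchronize the secret periodically" will only take effect after a full nginx restart, because generate_secret reuses the existing segment whenever the master pid still matches and `nginx -s reload` keeps that pid; say so here, or fix it in the code.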
11 Roboo.pm
@@ -16,7 +16,7 @@
package Roboo;
-our $VERSION = '0.60';
+our $VERSION = '0.65';
use nginx;
use warnings;
@@ -112,7 +112,7 @@ sub init ($) {
# Get master process id
$settings->{internal_masterpid} = getppid();
# Generate/synchronize random secret
- $settings->{internal_secret} = generate_secret();
+ $settings->{internal_secret} = generate_secret($request);
}
}
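Review bot: the comment just above the changed call still reads "Generate/synchronize random secret", but generate_secret($request) now also honours an operator-configured Roboo_secret; update the comment (for example "Generate random secret, or take Roboo_secret from the nginx configuration") so the non-random path is visible to the next reader.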
@@ -121,15 +121,16 @@ sub generate_cookie (@) {
return sha1_hex(@_, get_timeseed());
}
-sub generate_secret () {
+sub generate_secret ($) {
use IPC::SysV qw(IPC_CREAT);
use IPC::SharedMem;
+ my $request = shift;
my $shared = IPC::SharedMem->new(13373, 128, IPC_CREAT | 0600) or die "Cannot interface with shared memory: $_";
$shared->attach;
if ($shared->read(0,128) !~ /^$settings->{internal_masterpid}:/s) {
- my $secret = makerandom_octet(Length => 64, Strength => 1);
+ my $secret = $request->variable('Roboo_secret') ? $request->variable('Roboo_secret') : makerandom_octet(Length => 64, Strength => 1);
$shared->write("$settings->{internal_masterpid}:$secret",0,128);
}
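Review bot: the added `my $secret = ...` line accepts $request->variable('Roboo_secret') as-is, without any length check, while the write two lines below is bounded at 128 bytes and get_secret later matches the stored value against `(.{64})`; a configured secret shorter than 64 characters will never match, and a longer one is silently truncated. Validate once, and read the variable into a lexical instead of calling ->variable twice: `my $configured = $request->variable('Roboo_secret');` then `die "Roboo_secret must be exactly 64 characters" if defined $configured && length($configured) != 64;` and select `$configured` only when it is defined and non-empty. A second point: the check on the `if ($shared->read(0,128) !~ /^$settings->{internal_masterpid}:/s)` line only asks whether the segment belongs to the current master process, so a Roboo_secret changed in nginx.conf and applied with a reload (same master pid) is ignored until a full restart; either compare the stored secret with the configured one as well, or document the restart requirement next to the README's rotation advice. Pre-existing and not part of this change, but worth fixing while here: the die message on the IPC::SharedMem->new line interpolates `$_` where `$!` is meant.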
@@ -139,7 +140,7 @@ sub generate_secret () {
return $shared;
}
-sub get_secret ($) {
+sub get_secret () {
$settings->{internal_secret}->read(0,128) =~ /^$settings->{internal_masterpid}:(.{64})/s;
return $1;
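Review bot: `return $1;` on the last line is not guarded by the result of the match, so if the segment does not hold the master pid followed by exactly 64 characters (for example after a short user-specified Roboo_secret), $1 is either undef or a leftover capture from an earlier regex, and the handler would go on deriving challenge keys from that value. Write it as `if ($settings->{internal_secret}->read(0,128) =~ /^$settings->{internal_masterpid}:(.{64})/s) { return $1; }` followed by `die "Roboo secret not initialised";`, so a mismatch fails loudly rather than producing keys from garbage. The prototype change from ($) to () is correct, since the body never uses @_.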
7 nginx.conf-example
@@ -44,11 +44,14 @@ http {
server_tokens off;
proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;
+
server {
listen 80;
server_name _;
-
+
+ access_log /dev/null;
+
location / {
perl Roboo::handler;
set $Roboo_challenge_modes "SWF,gzip"; # SWF or JS, optionally gzip for encoding ("JS,gzip" or "SWF,gzip")
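Review bot: the added `access_log /dev/null;` at server level still formats every request line and writes it to the device; nginx's own way to disable logging at a scope is `access_log off;`, which skips the work entirely. Both locations below override the setting anyway, so `off` is the cleaner default and makes the intent (only challenged.log and verified.log are written) obvious to anyone copying this example.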
@@ -65,6 +68,7 @@ http {
if ($Roboo_challenge_modes ~ gzip) {
gzip on;
}
+ access_log /var/log/nginx/challenged.log;
}
location @proxy {
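Review bot: a short comment next to the added `access_log /var/log/nginx/challenged.log;` would help, because the split between this log and the one in @proxy relies on nginx using the access_log of the location where the request finally ends: a request the handler redirects to @proxy is logged only in verified.log, everything else (challenge pages, failed verifications) lands here. Since challenged.log receives exactly the flood traffic Roboo exists to absorb, consider `access_log /var/log/nginx/challenged.log combined buffer=32k;` so that load does not become one synchronous write per request.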
@@ -74,6 +78,7 @@ http {
proxy_cache cache;
proxy_cache_valid 5m;
gzip on;
+ access_log /var/log/nginx/verified.log;
}
}
}
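Review bot: the added `access_log /var/log/nginx/verified.log;` records every proxied request of a verified client, not just the verification event, because all traffic from verified hosts passes through @proxy; that matches the commit message's "verified hosts" wording, but a comment saying so would stop operators from reading the file as a list of verification events.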