httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Bligh <a...@alex.org.uk>
Subject Re: [users@httpd] Secure htaccess in a non-SSL Apache (and withoutDigest...)
Date Fri, 29 Jun 2012 14:08:44 GMT
Daniel,

--On 29 June 2012 14:04:01 +0200 Daniel Merino <daniel.merino@unavarra.es> 
wrote:

> You have talked about perl and mod_perl. I understand that you can
> override htaccess to use a self-made bit of Perl code that process it and
> check the token. Is this right?

You don't need to override htaccess.

Here's a piece of perl found through a random google search to send
a file:
 http://rasterweb.net/raster/code/sendfile.html
You'll need to change the header as appropriate. Drop that in as
a CGI script (there are a million examples of perl CGI howtos).
It would be more efficient if it used sendfile.

All you need to do is modify that perl CGI script to check the
GET parameters. My idea was simply to use parameters for your video
name, the time, the user, and perhaps a random nonce, and also pass
a hash of those. So, CGI document is here:
  http://perldoc.perl.org/CGI.html
and you might want to do something like (completely untested):

    use CGI;
    use Digest::SHA qw(sha256_base64 sha256);

    my $secret = '[perhaps read this from a file]';

    my $video = CGI::url_param('video');
    my $user = CGI::url_param('user');
    my $time = CGI::url_param('time');
    my $nonce = CGI::url_param('nonce');
    my $hash = CGI::url_param('hash');

    # Sanitize all the above with regexps, i.e. check defined, non-empty

    my $checkhash = sha256_base64($video."\n".$user."\n".$time."\n".
                                  $nonce."\n".$secret);
    Send404 unless ($checkhash eq $hash);

    my $checktime = time();

    # Exit unless less than 10 seconds out
    Send404 unless (abs($checktime - $time) < 10);

    ...

    # send the file here


When generating the link, you will have to generate the hash in the same
way, and of course a random nonce value.

So anyone can access your CGI program without any protection. However, they
will have to have an appropriate token (being the hash file) to actually
get the video. This has the advantage that if you want to put your video
file servers on EC2 or whatever, or just multiple servers that aren't your
drupal box, it's trivial to do.

-- 
Alex Bligh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message