openresty/encrypted-session-nginx-module openresty/encrypted-session-nginx-module

  • Stars
    star
    195
  • Rank 192,691 (Top 4 %)
  • Language
    C
  • Created almost 14 years ago
  • Updated 6 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
openresty/encrypted-session-nginx-module
github

openresty

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

encrypt and decrypt nginx variable values

Name

encrypted-session-nginx-module - encrypt and decrypt nginx variable values

This module is not distributed with the Nginx source. See the installation instructions.

Table of Contents

Status

This module is production ready.

Synopsis

# key must be of 32 bytes long
encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456";

# iv must not be longer than 16 bytes
#   default: "deadbeefdeadbeef" (w/o quotes)
encrypted_session_iv "1234567812345678";

# default: 1d (1 day)
encrypted_session_expires 3600; # in sec

location /encrypt {
    set $raw 'text to encrypted'; # from the ngx_rewrite module
    set_encrypt_session $session $raw;
    set_encode_base32 $session; # from the ngx_set_misc module

    add_header Set-Cookie 'my_login=$session';  # from the ngx_headers module

    # your content handler goes here...
}

location /decrypt {
    set_decode_base32 $session $cookie_my_login; # from the ngx_set_misc module
    set_decrypt_session $raw $session;

    if ($raw = '') {
        # bad session
    }

    # your content handler goes here...
}

Description

This module provides encryption and decryption support for nginx variables based on AES-256 with Mac.

This module is usually used with the ngx_set_misc module and the standard rewrite module's directives.

This module can be used to implement simple user login and ACL.

Usually, you just decrypt data in nginx level, and pass the unencrypted data to your FastCGI/HTTP backend, as in

location /blah {
    set_decrypt_session $raw_text $encrypted;

    # this directive is from the ngx_set_misc module
    set_escape_uri $escaped_raw_text $raw_text;

    fastcgi_param QUERY_STRING "uid=$uid";
    fastcgi_pass unix:/path/to/my/php/or/python/fastcgi.sock;
}

Lua web applications running directly on ngx_lua can call this module's directives directly from within Lua code:

local raw_text = ndk.set_var.set_decrypt_session(encrypted_text)

Back to TOC

Directives

Back to TOC

encrypted_session_key

syntax: encrypted_session_key <key>

default: no

context: http, server, server if, location, location if

Sets the key for the cipher (must be 32 bytes long). For example,

encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456";

Back to TOC

encrypted_session_iv

syntax: encrypted_session_iv <iv>

default: encrypted_session_iv "deadbeefdeadbeef";

context: http, server, server if, location, location if

Sets the initial vector used for the cipher (must be no longer than 16 bytes).

For example,

encrypted_session_iv "12345678";

Back to TOC

encrypted_session_expires

syntax: encrypted_session_expires <time>

default: encrypted_session_expires 1d;

context: http, server, server if, location, location if

Sets expiration time difference (in seconds by default).

For example, consider the following configuration:

encypted_session_expires 1d;

When your session is being generated, ngx_encrypted_session will plant an expiration time (1 day in the future in this example) into the encrypted session string, such that when the session is being decrypted later, the server can pull the expiration time out of the session and compare it with the server's current system time. No matter how you transfer and store your session, like using cookies, or URI query arguments, or whatever.

People may confuse this setting with the expiration date of HTTP cookies. This directive simply controls when the session gets expired; it knows nothing about HTTP cookies. Even if the end user intercepted this session from cookie by himself and uses it later manually, the server will still reject it when the expiration time gets passed.

Back to TOC

set_encrypt_session

syntax: set_encrypt_session $target <value>

default: no

context: http, server, server if, location, location if

Encrypts the string value specified by the value argument and saves the result into the variable specified by $target.

For example,

set_encrypt_session $res $value;

will encrypts the value in the variable $value into the target variable $res.

The value argument can also be an nginx string value, for example,

set_encrypt_session $res "my value = $value";

The resulting data can later be decrypted via the set_decrypt_session directive.

Back to TOC

set_decrypt_session

syntax: set_decrypt_session $target <value>

default: no

context: http, server, server if, location, location if

Similar to set_encrypt_session, but performs the inverse operation, that is, to decrypt things.

Back to TOC

Installation

You're recommended to install this module (as well as the Nginx core and many other goodies) via the ngx_openresty bundle. See the detailed instructions for downloading and installing ngx_openresty into your system. This is the easiest and most safe way to set things up.

Alternatively, you can install this module manually with the Nginx source:

Grab the nginx source code from nginx.org, for example, the version 1.13.6 (see nginx compatibility), and then build the source with this module:

wget 'http://nginx.org/download/nginx-1.13.6.tar.gz'
tar -xzvf nginx-1.13.6.tar.gz
cd nginx-1.13.6/

Here we assume you would install you nginx under /opt/nginx/.
./configure --prefix=/opt/nginx \
    --with-http_ssl_module \
    --add-module=/path/to/encrypted-session-nginx-module

make -j2
make install

Download the latest version of the release tarball of this module from encrypted-session-nginx-module file list.

Also, this module is included and enabled by default in the ngx_openresty bundle.

OpenSSL should not be disabled in your Nginx build.

Back to TOC

Building as a dynamic module

Starting from NGINX 1.9.11, you can also compile this module as a dynamic module, by using the --add-dynamic-module=PATH option instead of --add-module=PATH on the ./configure command line above. And then you can explicitly load the module in your nginx.conf via the load_module directive, for example,

load_module /path/to/modules/ndk_http_module.so;  # assuming NDK is built as a dynamic module too
load_module /path/to/modules/ngx_http_encrypted_session_module.so;

Back to TOC

Compatibility

The following versions of Nginx should work with this module:

  • 1.13.x (last tested: 1.13.6)
  • 1.12.x
  • 1.11.x (last tested: 1.11.2)
  • 1.10.x
  • 1.9.x (last tested: 1.9.15)
  • 1.8.x
  • 1.7.x (last tested: 1.7.10)
  • 1.6.x
  • 1.5.x (last tested: 1.5.12)
  • 1.4.x (last tested: 1.4.4)
  • 1.2.x (last tested: 1.2.9)
  • 1.1.x (last tested: 1.1.5)
  • 1.0.x (last tested: 1.0.11)
  • 0.9.x (last tested: 0.9.4)
  • 0.8.x (last tested: 0.8.54)
  • 0.7.x >= 0.7.46 (last tested: 0.7.68)

Earlier versions of Nginx like 0.6.x and 0.5.x will not work.

If you find that any particular version of Nginx above 0.7.44 does not work with this module, please consider reporting a bug.

Back to TOC

Report Bugs

Although a lot of effort has been put into testing and code tuning, there must be some serious bugs lurking somewhere in this module. So whenever you are bitten by any quirks, please don't hesitate to

  1. send a bug report or even patches to [email protected],
  2. or create a ticket on the issue tracking interface provided by GitHub.

Back to TOC

Source Repository

Available on github at openresty/encrypted-session-nginx-module.

Back to TOC

Getting involved

You'll be very welcomed to submit patches to the author or just ask for a commit bit to the source repository on GitHub.

Back to TOC

Author

Yichun "agentzh" Zhang (η« δΊ¦ζ˜₯) <[email protected]>

Back to TOC

Copyright & License

Copyright (c) 2009-2018, Yichun Zhang (agentzh) <[email protected]>, OpenResty Inc.

This module is licensed under the terms of the BSD license.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Back to TOC

See Also

Back to TOC

More Repositories

1

openresty

High Performance Web Platform Based on Nginx and LuaJIT
C
12,021
star
2

lua-nginx-module

Embed the Power of Lua into NGINX HTTP servers
C
11,049
star
3

nginx-tutorials

Nginx Tutorials
Perl
2,851
star
4

lua-resty-redis

Lua redis client driver for the ngx_lua based on the cosocket API
Lua
1,863
star
5

openresty-systemtap-toolkit

Real-time analysis and diagnostics tools for OpenResty (including NGINX, LuaJIT, ngx_lua, and more) based on SystemTap
Perl
1,640
star
6

headers-more-nginx-module

Set, add, and clear arbitrary output headers in NGINX http servers
C
1,592
star
7

openresty.org

Code and data for the openresty.org site
HTML
1,254
star
8

luajit2

OpenResty's Branch of LuaJIT 2
C
1,152
star
9

echo-nginx-module

An Nginx module for bringing the power of "echo", "sleep", "time" and more to Nginx's config file
C
1,139
star
10

docker-openresty

Docker tooling for OpenResty
Dockerfile
915
star
11

redis2-nginx-module

Nginx upstream module for the Redis 2.0 protocol
C
892
star
12

lua-resty-limit-traffic

Lua library for limiting and controlling traffic in OpenResty/ngx_lua
Lua
794
star
13

lua-resty-core

New FFI-based API for lua-nginx-module
Lua
775
star
14

stream-lua-nginx-module

Embed the power of Lua into NGINX TCP/UDP servers
C
709
star
15

lua-resty-mysql

Nonblocking Lua MySQL driver library for ngx_lua or OpenResty
Lua
693
star
16

stapxx

Simple macro language extentions to systemtap
Perl
682
star
17

sregex

A non-backtracking NFA/DFA-based Perl-compatible regex engine matching on large data streams
C
614
star
18

lua-resty-upstream-healthcheck

Health Checker for Nginx Upstream Servers in Pure Lua
Lua
506
star
19

lua-upstream-nginx-module

Nginx C module to expose Lua API to ngx_lua for Nginx upstreams
C
497
star
20

lua-resty-websocket

WebSocket support for the ngx_lua module (and OpenResty)
Lua
492
star
21

srcache-nginx-module

Transparent subrequest-based caching layout for arbitrary nginx locations.
C
469
star
22

opm

OpenResty Package Manager
Lua
454
star
23

lua-resty-lrucache

Lua-land LRU Cache based on LuaJIT FFI
Lua
432
star
24

test-nginx

Data-driven test scaffold for Nginx C module and OpenResty Lua library development
Perl
430
star
25

lua-resty-string

String utilities and common hash functions for ngx_lua and LuaJIT
Lua
423
star
26

lua-resty-upload

Streaming reader and parser for http file uploading based on ngx_lua cosocket
Lua
392
star
27

set-misc-nginx-module

Various set_xxx directives added to nginx's rewrite module (md5/sha1, sql/json quoting, and many more)
C
384
star
28

drizzle-nginx-module

an nginx upstream module that talks to mysql and drizzle by libdrizzle
C
335
star
29

openresty-gdb-utils

GDB Utilities for OpenResty (including Nginx, ngx_lua, LuaJIT, and more)
Python
328
star
30

lua-resty-dns

DNS resolver for the nginx lua module
Lua
319
star
31

lua-resty-balancer

A generic consistent hash implementation for OpenResty/Lua
Lua
319
star
32

programming-openresty

Programming OpenResty Book
Perl
318
star
33

lua-resty-lock

Simple nonblocking lock API for ngx_lua based on shared memory dictionaries
Lua
302
star
34

openresty-devel-utils

Utilities for nginx module development
Perl
263
star
35

resty-cli

Fancy command-line utilities for OpenResty
Perl
262
star
36

replace-filter-nginx-module

Streaming regular expression replacement in response bodies
C
255
star
37

lua-resty-memcached

Lua memcached client driver for the ngx_lua based on the cosocket API
Lua
209
star
38

memc-nginx-module

An extended version of the standard memcached module that supports set, add, delete, and many more memcached commands.
C
208
star
39

openresty-packaging

Official OpenResty packaging source and scripts for various Linux distributions and other systems
Makefile
172
star
40

rds-json-nginx-module

An nginx output filter that formats Resty DBD Streams generated by ngx_drizzle and others to JSON
C
154
star
41

xss-nginx-module

Native support for cross-site scripting (XSS) in an nginx
C
147
star
42

mockeagain

Mocking ideally slow network that only allows reading and/or writing one byte at a time
C
128
star
43

lua-resty-shell

Lua module for nonblocking system shell command executions
Perl
120
star
44

lua-tablepool

Lua table recycling pools for LuaJIT
Perl
110
star
45

lua-redis-parser

Lua module for parsing raw redis responses
C
92
star
46

openresty-survey

OpenResty Web App for OpenResty User Survey
HTML
90
star
47

lua-ssl-nginx-module

NGINX C module that extends ngx_http_lua_module for enhanced SSL/TLS capabilities
Lua
86
star
48

opsboy

A rule-based sysadmin tool that helps setting up complex environment for blank machines
Perl
83
star
49

no-pool-nginx

replace nginx's pool mechanism with plain malloc & free to help tools like valgrind
Shell
77
star
50

stream-echo-nginx-module

TCP/stream echo module for NGINX (a port of ngx_http_echo_module)
C
70
star
51

meta-lua-nginx-module

Meta Lua Nginx Module supporting both Http Lua Module and Stream Lua Module
C
65
star
52

array-var-nginx-module

Add support for array-typed variables to nginx config files
C
64
star
53

lemplate

OpenResty/Lua template framework implementing Perl's TT2 templating language
Perl
53
star
54

openresty-con

JavaScript
46
star
55

nginx-dtrace

An nginx fork that adds dtrace USDT probes
C
44
star
56

lua-resty-memcached-shdict

Powerful memcached client with a shdict caching layer and many other features
Lua
34
star
57

lua-resty-shdict-simple

Simple applicaton-oriented interface to the OpenResty shared dictionary API
Perl
32
star
58

lua-resty-signal

Lua library for killing or sending signals to UNIX processes
Perl
31
star
59

luajit2-test-suite

OpenResty's LuaJIT test suite based on Mike Pall's LuaJIT tests
Lua
29
star
60

ngx_postgres

OpenResty's fork of FRiCKLE/ngx_postgres
C
26
star
61

rds-csv-nginx-module

Nginx output filter module to convert Resty-DBD-Streams (RDS) to Comma-Separated Values (CSV)
C
22
star
62

showman-samples

Sample screenplay files for generating our public video tutorials using OpenResty Showman
20
star
63

lua-rds-parser

Resty DBD Stream (RDS) parser for Lua written in C
C
19
star
64

redis-nginx-module

8
star
65

AB-test-http

test http requests between two systems.
Perl
5
star
66

transparency

2
star