I’ve been working with one of my clients the last month on migrating his iron-based architecture to a cloud-based provider. In this transition, we are going from one or two physical servers to multiple cloud servers and separating out parts to better scale each individual service.

As part of this, we are moving a significant library of images and videos away from being served off the same web server as the application and to a server tuned to handle requests for these static assets. The problem is that a lot of these assets (the videos and full-size images) are for paying members only. We need a way to secure those resources across physical servers.

My first inclination was to use the secure URL functionality in nginx. But this is sub-optimal for a few reasons. The big one is that it generates a unique URL for each request, which completely negates any browser caching for subsequent requests. It also requires you to either generate all the URLs at page time, or use redirects. Secure URLs work great if you have to make secure requests across different domains. But, from the browser’s point of view, we will be under the same domain. Instead of the assets will be stored under.

So that gives us another option: cookies. We can set some cookies on login, and use nginx and Lua to verify the cookie signature on the other server before serving a static asset.

The first thing we need to do is set up a simple algorithm that determines what our bounds are for serving an asset. An example would be three pieces of information: a secret token that is shared between both the application server and the asset server.

So you might do something like this (in pseudocode):

    var secret_token = "your secret token here"
    var expire = time() + 3600 // Expire in 1 hour.
    var asset_hash = md5(secret_token + user_id + expire)
    setcookie("user_id", user_id, expire, "/", "")
    setcookie("expire", expire, expire, "/", "")
    setcookie("asset_hash", asset_hash, expire, "/", "")

So what we’re doing here is setting three cookies: the user_id, the expiration timestamp, and the asset hash, which is an md5 hash of the three pieces of information, only two of which are also set as cookies. The third piece of information, the secret token, is only known on the servers. Quick note here, I’m using md5 because it’s fast, but you can use any hashing algorithm you’d like as long as you do it the same in both places. md5 is insecure, but this method should be sufficient to stop all but the most determined adversary who would try to take the hash against a rainbow table.

So, now we have these cookies set on our application server, we need to jump over to our asset server and make some changes. Nginx is a very stripped down HTTP server that is very fast. But, nicely, it provides you with the ability to implement some things within nginx using Lua. And we can use this functionality to verify our cookies before serving an asset.

    -- Returns an error page for the given HTTP status, then stops processing
    function throw_error(error)
        local f = io.open("/usr/share/nginx/html/" .. error .. ".html", "rb")
        if not f then
            -- no custom page for this status: send the bare status instead
            ngx.exit(error)
        end
        local content = f:read("*all")
        f:close()
        ngx.status = error
        ngx.say(content)
        ngx.exit(ngx.HTTP_OK)
    end

    -- Must be the same value the application server used when setting the cookies
    local secret = "your secret token here"

    -- All three cookies have to be present before anything else is checked
    if ngx.var.cookie_user_id == nil or ngx.var.cookie_expire == nil or ngx.var.cookie_asset_hash == nil then
        ngx.log(ngx.INFO, "Throwing 410 because of missing cookies.")
        throw_error(ngx.HTTP_GONE)
    end

    local cookie_user_id = ngx.var.cookie_user_id
    local cookie_expire = ngx.var.cookie_expire
    local cookie_asset_hash = ngx.var.cookie_asset_hash

    -- Recompute the hash the same way the application server did
    local testhash = ngx.md5(secret .. cookie_user_id .. cookie_expire)
    if testhash ~= cookie_asset_hash then
        ngx.log(ngx.INFO, "Throwing 410 because of a bad hash.")
        throw_error(ngx.HTTP_GONE)
    end

    -- Reject cookies whose expiration timestamp has passed
    if tonumber(cookie_expire) > 0 and ngx.time() > tonumber(cookie_expire) then
        ngx.log(ngx.INFO, "Throwing 410 because of timestamps.")
        throw_error(ngx.HTTP_GONE)
    end

ngx is provided by the nginx Lua machine, and cookies are available using ngx.var.cookie_<name>.
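The same three-cookie scheme with both sides in one place, as an added example that is not the post’s code: issue_cookies is the application-server step and verify_cookies mirrors the asset-server checks (presence, hash, expiry) in that order. It swaps the post’s md5 of a plain concatenation for a keyed HMAC over delimiter-separated fields and a constant-time comparison; the secret and function names are assumptions.

```python
import hmac
import hashlib

# Constructed placeholder: in deployment both servers load the same secret.
SECRET = b"replace-me-shared-secret"


def asset_signature(secret: bytes, user_id: str, expire: int) -> str:
    """Tag over the two public cookie values, keyed with the shared secret.

    The field separator makes the boundary between user_id and expire
    unambiguous, and an HMAC cannot be recomputed without the secret."""
    msg = f"{user_id}|{expire}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_cookies(secret: bytes, user_id: str, now: int, ttl: int = 3600) -> dict:
    """Application-server side: the three cookies set at login."""
    expire = now + ttl
    return {
        "user_id": user_id,
        "expire": str(expire),
        "asset_hash": asset_signature(secret, user_id, expire),
    }


def verify_cookies(secret: bytes, cookies: dict, now: int) -> tuple:
    """Asset-server side, in the same order as the Lua: presence, hash, expiry.

    Returns (accepted, reason); the reasons follow the post's log lines."""
    for name in ("user_id", "expire", "asset_hash"):
        if not cookies.get(name):
            return False, "missing cookies"
    try:
        expire = int(cookies["expire"])
    except ValueError:
        return False, "bad expire"
    expected = asset_signature(secret, cookies["user_id"], expire)
    # compare_digest keeps the comparison time independent of where it differs
    if not hmac.compare_digest(expected, cookies["asset_hash"]):
        return False, "bad hash"
    if now > expire:
        return False, "timestamps"
    return True, "ok"
```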
I'm feeling determined to get most-recently-used tab switching working for Chrome. To do this I have installed the CLUT Chrome browser extension, which currently maps alt-w to switch to the last tab, and installed Hammerspoon, which allows intercepting system keystrokes. In a I have this code:

    local ctrlTab = hotkey.new(, "tab", nil, function()
    chromeWatcher = hs.(function(name, eventType, app)
    if eventType ~= hs.