I'm running a fairly well used CDN system using Nginx and I need to secure my links so that they aren't shared between users.
The current config works perfectly:
# Setup Secure Links
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 410; }
However with the internet going ever more mobile and with many users now coming from university campuses etc I'm seeing tons of failed requests, and annoyed end users because the requester's IP has changed between requests.
The requesting IP is almost always in the same range, so for example:
Original Request: 192.168.0.25
File Request: 192.168.0.67
I'd be happy to lock these secure links down to a range, such as
192.168.0.0 - 192.168.0.255
or go even further and make it even bigger
192.168.0.0 - 192.168.255.255
but I can't figure out a way to do this in nginx, or if the secure_link feature even supports this.
If this isn't possible - does anyone have any other ideas on how to secure links that would be less restrictive, but still be reasonably safe? I had a look at using the browser string instead, but many of our users have download managers or use 3rd party desktop clients - so this isn't viable.
I'm very much trying to do this without having to have any dynamic code to check a remote database as this is very high volume and I'd rather not have that dependency.
I managed to get this working thanks to @Tarun Lalwani for pointing out the maps idea.
# This map breaks down $remote_addr into octets
map $remote_addr $ipv4_first_two_octets {
"~(?<octet1>\d+)\.(?<octet2>\d+)\.(?<octet3>\d+)\.(?<octet4>\d+)" "${octet1}.${octet2}";
default "0.0";
}
location / {
# Setup Secure Links
secure_link $arg_md5,$arg_expires;
# Sign the first two octets from the map instead of the full $remote_addr
secure_link_md5 "$secure_link_expires$uri$ipv4_first_two_octets secret";
}
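Added example (not part of the original answer): a Python sketch of the link generator an application would need so its tokens match the config above, where nginx compares `md5` against the unpadded base64url MD5 digest of the `secure_link_md5` string. The function names, the `SECRET` placeholder and the sample addresses are assumptions.

```python
import base64
import hashlib
import re
import time
from urllib.parse import quote

# Placeholder: must equal the literal after the space in secure_link_md5.
SECRET = "secret"

# Same pattern as the nginx map: unanchored, four dot-separated digit runs.
_IPV4 = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)


def first_two_octets(remote_addr: str) -> str:
    """Mirror the map: 'a.b' for an IPv4 address, the default '0.0' otherwise."""
    m = _IPV4.search(remote_addr)
    return f"{m.group(1)}.{m.group(2)}" if m else "0.0"


def token(expires: int, uri: str, remote_addr: str) -> str:
    """Build the value nginx expects in the md5 argument.

    uri is the decoded path, because nginx signs the normalized $uri.
    """
    raw = f"{expires}{uri}{first_two_octets(remote_addr)} {SECRET}"
    digest = hashlib.md5(raw.encode()).digest()
    # nginx wants base64url without the trailing '=' padding.
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def signed_url(uri: str, remote_addr: str, ttl: int = 3600, now=None) -> str:
    """Return the path plus md5 and expires arguments, valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{quote(uri)}?md5={token(expires, uri, remote_addr)}&expires={expires}"


if __name__ == "__main__":
    # Constructed sample addresses: the first two share a /16, the third does not.
    for addr in ("192.168.0.25", "192.168.0.67", "192.169.0.25", "2001:db8::1"):
        print(addr, signed_url("/files/video.mp4", addr, now=1700000000))
```

Because the map falls back to "0.0", every address that does not match the IPv4 pattern (IPv6 clients, for example) is signed with the same prefix, so for those clients the link is bound only to the URI and the expiry time.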