
nginx-hmac-secure-link

Open nexusofdoom opened this issue 7 years ago • 30 comments

Reverse proxy nginx with nginx-hmac-secure-link: can this be done? https://github.com/nexusofdoom/lancache-installer/issues/20

nexusofdoom avatar Sep 18 '18 10:09 nexusofdoom

Hi @nexusofdoom

Sorry. I don't understand your question. Please explain in detail.

Thanks.

agile6v avatar Sep 19 '18 13:09 agile6v

Caching nginx box set up like so. The online host uses the prerequisites for Token Authentication from Akamai; it adds this to the request: acl=/*~hmac=6a10b3f602ffde88c02cd1b89665bfdfdc0fc84c3cf7049752931ad732654fab

The client points to my nginx caching box and asks to get the file, but it never gets a hit on the key.

Is there a way to rewrite the new token to the end of the request? Or something more I can do?

this is the url it requests "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206exp=1537230106acl=/live001/game/download/!/live001/game/patch/~hmac=c2d249db5aff5d6940e03447517ba12b41fdb9aa204cd3c762a9265f445beade"

And below is what the key shows that it misses: /live001/game/download/131/BlackDesertOnline885.bcab

nexusofdoom avatar Sep 19 '18 13:09 nexusofdoom

Hello

What is the response code for this request?

"akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206exp=1537230106acl=/live001/game/download/!/live001/game/patch/~hmac=c2d249db5aff5d6940e03447517ba12b41fdb9aa204cd3c762a9265f445beade"

agile6v avatar Sep 19 '18 14:09 agile6v

Where do you want me to get the response code? I have httpry installed, and I can look at the nginx log, or do you want me to run Wireshark on the client PC?

nexusofdoom avatar Sep 19 '18 14:09 nexusofdoom

Note: in httpry it's code 200.

nexusofdoom avatar Sep 19 '18 14:09 nexusofdoom

You can get it using curl. I want to determine if the request returns 200.

agile6v avatar Sep 19 '18 14:09 agile6v

OK, will do when I get back from work tonight. Thanks.

nexusofdoom avatar Sep 19 '18 14:09 nexusofdoom

Sorry, I can only judge by my experience. I think you should request the origin website and check if the response allows caching. And also send me a copy.

agile6v avatar Sep 19 '18 15:09 agile6v

Direct test talking to their server:

    curl "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206~exp=1537230106~acl=/live001/game/download/!/live001/game/patch/~hmac= c2d249db5aff5d6940e03447517ba12b41fdb9aa204cd3c762a9265f445beade"
    curl : An error occurred while processing your request. Reference #199.5ef00a17.1537399717.1bba468b
    At line:1 char:1
    + curl "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/ ...
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

nexusofdoom avatar Sep 19 '18 23:09 nexusofdoom

If I use lancache I get this. Note it saves files to the cache and the client gets the file, but the next time it downloads, the acl= changes, it comes back as a miss in nginx, and it re-downloads the file all over again.

    curl "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206~exp=1537230106~acl=/live001/game/download/!/live001/game/patch/~hmac= c2d249db5aff5d6940e03447517ba12b41fdb9aa204cd3c762a9265f445beade"

    StatusCode        : 200
    StatusDescription : OK
    Content           : œ–À(Y Ð Ü·0 4 À" 3 „òR ô7 x/  "aq lg @ç }y ´ÞLÏ ¬N P N º@Ô üO P N ùšm6 LQ pC 0‹ 3ë+© ¼" ˜= x‰ ¨AŸß TÒ €C ...
    RawContent        : HTTP/1.1 200 OK
                        Connection: keep-alive
                        X-Upstream-Cache-Status: HIT
                        Accept-Ranges: bytes
                        Content-Length: 8930236
                        Content-Type: text/plain
                        Date: Wed, 19 Sep 2018 23:25:32 GMT
                        ETag: "5518bf566eb7...
    Forms             : {}
    Headers           : {[Connection, keep-alive], [X-Upstream-Cache-Status, HIT], [Accept-Ranges, bytes], [Content-Length, 8930236]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 8930236

nexusofdoom avatar Sep 19 '18 23:09 nexusofdoom

Hello

I noticed $request_uri is used as the key in your nginx conf. $request_uri: full original request URI (with arguments).

agile6v avatar Sep 20 '18 01:09 agile6v

This is the testing config I am playing with: /etc/nginx/vhosts-enabled/lancache-pearlabyss.conf

    server {
        listen lancache-pearlabyss deferred default;
        server_name pearlabyss _;    # DNS entries: lancache-
        access_log /srv/lancache/logs/Access/pearlabyss.log main buffer=128k flush=1m;
        access_log /srv/lancache/logs/Keys/pearlabyss.log keys_uri buffer=128k flush=1m;
        error_log /srv/lancache/logs/Errors/pearlabyss.log;

        # Default Node
        include lancache/resolver;
        #include lancache/cache-key-range;
        location / {
            set $no_cache 0;
            if ($request_uri ~* "(/live001/game/config/config.patch.version)") {
                set $no_cache 1;
            }
            proxy_no_cache $no_cache;
            proxy_cache_bypass $no_cache;
            proxy_bind 10.0.4.20;
            proxy_ignore_headers Expires Cache-Control;
            #proxy_set_header Range $http_range;
            #proxy_set_header If-Range $http_if_range;
            #proxy_cache_key "$server_name$uri";
            #proxy_cache_key "$scheme$request_method$host$uri$is_args$args";
            #proxy_cache_key "$uri$is_args$args$slice_range";
            #proxy_set_header X-Real-IP $remote_addr;
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_cache_valid 200  206 320d;
            #proxy_cache_key $scheme$host$proxy_host$request_uri;
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header Host $host;
            #proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 150;
            # Use Origin cache
            proxy_cache pearlabyss;
            include lancache/proxy-cache;
            #include lancache/cache-range;
            include lancache/cache-key-default;
        }
    }

nexusofdoom avatar Sep 20 '18 01:09 nexusofdoom

You should use $uri instead of $request_uri as proxy_cache_key.

agile6v avatar Sep 20 '18 01:09 agile6v

So change this:

            include lancache/cache-key-default;
        }
    }

to:

            include lancache/cache-key-uri;
        }
    }

nexusofdoom avatar Sep 20 '18 01:09 nexusofdoom

I did this:

    server {
        listen lancache-pearlabyss deferred default;
        server_name pearlabyss _;    # DNS entries: lancache-
        access_log /srv/lancache/logs/Access/pearlabyss.log main buffer=128k flush=1m;
        access_log /srv/lancache/logs/Keys/pearlabyss.log keys_uri buffer=128k flush=1m;
        error_log /srv/lancache/logs/Errors/pearlabyss.log;

        # Default Node
        include lancache/resolver;
        #include lancache/cache-key-range;
        location / {
            set $no_cache 0;
            if ($request_uri ~* "(/live001/game/config/config.patch.version)") {
                set $no_cache 1;
            }
            proxy_no_cache $no_cache;
            proxy_cache_bypass $no_cache;
            proxy_bind 10.0.4.20;
            proxy_ignore_headers Expires Cache-Control;
            #proxy_set_header Range $http_range;
            #proxy_set_header If-Range $http_if_range;
            proxy_cache_key "$uri";

nexusofdoom avatar Sep 20 '18 01:09 nexusofdoom

Once I did that, this is the error I get in the client: [image]

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

httpry on the nginx server:

    2018-09-19 21:02:01 10.0.4.45 10.0.4.39 > GET akamai-gamecdn.blackdesertonline.com /live001/game/download/132/BlackDesertOnline891.bcab?begin=0&end=12&hdnts=st=1537408917~exp=1537409817~acl=/live001/game/download/!/live001/game/patch/~hmac=a1280702ad1721200608c2af28d41b3156e7c46208f4dc5c43f627e6cd5b773b HTTP/1.1 - -
    2018-09-19 21:02:01 10.0.4.39 10.0.4.45 < - - - HTTP/1.1 200 OK
    2018-09-19 21:02:01 10.0.4.45 10.0.4.39 > GET akamai-gamecdn.blackdesertonline.com /live001/game/download/132/BlackDesertOnline891.bcab?begin=13&end=359540&hdnts=st=1537408917~exp=1537409817~acl=/live001/game/download/!/live001/game/patch/~hmac=a1280702ad1721200608c2af28d41b3156e7c46208f4dc5c43f627e6cd5b773b HTTP/1.1 - -
    2018-09-19 21:02:01 10.0.4.39 10.0.4.45 < - - - HTTP/1.1 200 OK
    2

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

If I change the hmac= from 773b to 733a I get this message in Chrome: An error occurred while processing your request. Reference #199.5ef00a17.1537409068.1bff07c8

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

    curl "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab"
    curl : An error occurred while processing your request. Reference #199.3cb2ef50.1537409184.76a1387
    At line:1 char:1
    + curl "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/ ...
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

    curl -v "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab"

It will return 403. It means that the certification did not pass.

agile6v avatar Sep 20 '18 02:09 agile6v

I think you should be aware of what kind of requests your application makes to the nginx proxy, including the headers of each request. Then manually curl these requests.

agile6v avatar Sep 20 '18 02:09 agile6v

    curl -v "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206~exp=1537230106~acl=/live001/game/download/!/live001/game/patch/~hmac= b99eb03688087d7664b1e5cb69a56c57345dd928a4695dd18257486c2c94cd94"
    VERBOSE: GET http://akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206~exp=1537230106~acl=/live001/game/download/!/live001/game/patch/~hmac=b99eb03688087d7664b1e5cb69a56c57345dd928a4695dd18257486c2c94cd94 with 0-byte payload
    curl : An error occurred while processing your request. Reference #199.45b2ef50.1537409669.788a8c0
    At line:1 char:1
    + curl -v "akamai-gamecdn.blackdesertonline.com/live001/game/download/1 ...
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

Should I be running Wireshark when the application starts the request on the client PC?

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

Yes. The tool you are good at can easily analyze the problem.

agile6v avatar Sep 20 '18 02:09 agile6v

I am getting this now. It says HIT but it's not pulling the 8mb file:

    wget "akamai-gamecdn.blackdesertonline.com/live001/game/download/131/BlackDesertOnline885.bcab?begin=1238753107&end=1247683342&hdnts=st=1537229206~exp=1537230106~acl=/live001/game/download/*!/live001/game/patch/"

    StatusCode        : 200
    StatusDescription : OK
    Content           : bdoc/| ÐUFK
    RawContent        : HTTP/1.1 200 OK
                        Connection: keep-alive
                        X-N: S
                        X-Upstream-Cache-Status: HIT
                        Accept-Ranges: bytes
                        Content-Length: 13
                        Content-Type: text/plain
                        Date: Thu, 20 Sep 2018 02:30:17 GMT
                        ETag: "5518bf566...
    Forms             : {}
    Headers           : {[Connection, keep-alive], [X-N, S], [X-Upstream-Cache-Status, HIT], [Accept-Ranges, bytes]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 13

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

The cached content is incorrect. Delete it and request it again.

agile6v avatar Sep 20 '18 02:09 agile6v

Still no go after deleting the cache. I see it trying to fill the cache, and this is one of the files in the cache directory:

    ^E^@^@^@^@^@^@^@��^Y^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Q^D�[^@^@^@^@�^K�[^@^@^@^@�ì�^@^@�^A�^B-"a95d9304b94861f6c3a8367fe93eac54:1537344593"^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@$
    KEY: pearlabyss/live001/game/download/132/BlackDesertOnline891.bcab
    HTTP/1.0 200 OK
    Server: Apache
    Accept-Ranges: bytes
    Content-Type: text/plain
    Last-Modified: Wed, 19 Sep 2018 08:09:53 GMT
    ETag: "a95d9304b94861f6c3a8367fe93eac54:1537344593"
    Date: Thu, 20 Sep 2018 02:53:08 GMT
    Content-Length: 13
    Connection: close
    X-N: S

    bdoc^Ah|^E^@�2)?

nexusofdoom avatar Sep 20 '18 02:09 nexusofdoom

    [19/Sep/2018:22:12:08 -0500] - REQUEST="pearlabyss/live001/game/download/132/BlackDesertOnline891.bcab?begin=109683834&end=109684249&hdnts=st=1537413088~exp=1537413988~acl=/live001/game/download/!/live001/game/patch/~hmac=a7abcd104bb93d2c54e918247c87f0abf8cd69866751f1a8ec35308834897906" - KEY="pearlabyss/live001/game/download/132/BlackDesertOnline891.bcab" - CACHE="MISS"

nexusofdoom avatar Sep 20 '18 03:09 nexusofdoom

Is this request MISS every time? Has it ever had HIT?

agile6v avatar Sep 20 '18 03:09 agile6v

When I get it to HIT, the client software does not like it. Maybe a rewrite inside of the config, since this changes every time: "*~hmac=a7abcd104bb93d2c54e918247c87f0abf8cd69866751f1a8ec35308834897906"

Also, when it hits it only downloads like a 1kb file when the file is 30gb.

nexusofdoom avatar Sep 20 '18 13:09 nexusofdoom
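The thread shows two cache keys that both fail: `$request_uri` includes the rotating `hdnts` token, so every new session is a MISS, while `$uri` drops the whole query string, so the `begin`/`end` range arguments are lost too and every byte range of one file collides on a single key. The cache file above (KEY without a query, Content-Length 13) matches the very first `begin=0&end=12` request in the httpry log, which is consistent with a 13-byte object being served as a HIT for the 8 MB and 30 GB downloads. The following is an added example, not code from the thread or from nginx or lancache: it models the three key strategies in Python and runs the same request sequence through a minimal cache. The host `cdn.example`, the 1024-byte file, the token strings and the `simulate`/`origin` helpers are all constructed for the demonstration; the real Akamai HMAC check is not modelled, only the presence of a token.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample data: a 1024-byte stand-in for the .bcab objects in the
# thread, and two placeholder hdnts tokens (not real Akamai tokens).
FILE = bytes(range(256)) * 4
PATH = "/live001/game/download/131/BlackDesertOnline885.bcab"
TOKEN_A = "st=1~exp=2~acl=/live001/game/download/*~hmac=" + "a" * 64
TOKEN_B = "st=3~exp=4~acl=/live001/game/download/*~hmac=" + "b" * 64

RANGE_PARAMS = {"begin", "end"}   # arguments that select different bytes of the object
TOKEN_PARAMS = {"hdnts"}          # per-session auth token: rotates, must not be in the key


def build_url(begin, end, token):
    # hypothetical host; the path/argument layout follows the URLs in the thread
    return f"http://cdn.example{PATH}?begin={begin}&end={end}&hdnts={token}"


def key_uri(url):
    """proxy_cache_key "$uri": path only, every query argument dropped."""
    return urlsplit(url).path


def key_request_uri(url):
    """proxy_cache_key "$request_uri": path plus the whole query, token included."""
    p = urlsplit(url)
    return p.path + (f"?{p.query}" if p.query else "")


def key_range_aware(url):
    """Keep only the arguments that change the response body (begin/end) and
    drop the rotating token, so a fresh session hits the range cached earlier."""
    p = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
                  if k in RANGE_PARAMS)
    return p.path + (f"?{urlencode(kept)}" if kept else "")


def origin(url):
    """Stand-in for the CDN: insists that a token is present (the real HMAC
    verification is not modelled) and returns the inclusive byte range asked for."""
    args = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if not args.get("hdnts"):
        raise PermissionError("403: missing token")
    return FILE[int(args["begin"]):int(args["end"]) + 1]


def simulate(key_fn, requests):
    """Run requests through a minimal nginx-like cache keyed by key_fn.
    Returns one (status, bytes served, body was the correct range) tuple per request."""
    store, out = {}, []
    for url in requests:
        key = key_fn(url)
        if key in store:
            body, status = store[key], "HIT"
        else:
            body, status = origin(url), "MISS"
            store[key] = body
        out.append((status, len(body), body == origin(url)))
    return out


REQUESTS = [
    build_url(0, 12, TOKEN_A),     # first chunk, session A
    build_url(13, 359, TOKEN_A),   # next chunk, same session
    build_url(0, 12, TOKEN_B),     # client restarts: same first chunk, new token
]

if __name__ == "__main__":
    for name, fn in [("$uri", key_uri), ("$request_uri", key_request_uri),
                     ("range-aware", key_range_aware)]:
        # $uri serves the 13-byte first chunk as a HIT for the second range (wrong bytes);
        # $request_uri never hits once the token changes; range-aware does both right.
        print(f"{name:13} {simulate(fn, REQUESTS)}")
```

With `$uri` the second request is a HIT that returns the wrong 13 bytes instead of the 347 requested; with `$request_uri` nothing ever hits once the token rotates; the range-aware key misses on new ranges and hits on a repeated range regardless of token. In nginx the same idea is expressed with the per-argument variables rather than the raw query string, e.g. `proxy_cache_key "$host$uri?begin=$arg_begin&end=$arg_end";`, which is what the commented-out `cache-key-range` include in the config is presumably meant to provide. Whatever key is chosen, the upstream still checks the token on every fill, so a cache entry only ever comes from a request the origin accepted.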