Repository files navigation

encrypted-session-nginx-module - encrypt and decrypt nginx variable values

This module is not distributed with the Nginx source. See theinstallation instructions.

• Name
• Status
• Synopsis
• Description
• Directives
  • encrypted_session_key
  • encrypted_session_iv
  • encrypted_session_expires
  • set_encrypt_session
  • set_decrypt_session
• Installation
  • Building as a dynamic module
• Compatibility
• Report Bugs
• Source Repository
• Getting involved
• Author
• Copyright & License
• See Also

This module is production ready.

# key must be of 32 bytes longencrypted_session_key"abcdefghijklmnopqrstuvwxyz123456";# iv must not be longer than 16 bytes#   default: "deadbeefdeadbeef" (w/o quotes)encrypted_session_iv"1234567812345678";# default: 1d (1 day)encrypted_session_expires3600; # in seclocation /encrypt{set$raw'text to encrypted'; # from the ngx_rewrite module    set_encrypt_session$session$raw;    set_encode_base32$session; # from the ngx_set_misc moduleadd_header Set-Cookie'my_login=$session';  # from the ngx_headers module    # your content handler goes here...}location /decrypt{    set_decode_base32$session$cookie_my_login; # from the ngx_set_misc module    set_decrypt_session$raw$session;if($raw =''){        # bad session}    # your content handler goes here...}

This module provides encryption and decryption support fornginx variables based on AES-256 with Mac.

This module is usually used with thengx_set_misc moduleand the standard rewrite module's directives.

This module can be used to implement simple user login and ACL.

Usually, you just decrypt data in nginx level, and pass the unencrypteddata to your FastCGI/HTTP backend, as in

location /blah{    set_decrypt_session$raw_text$encrypted;    # this directive is from the ngx_set_misc module    set_escape_uri$escaped_raw_text$raw_text;fastcgi_param QUERY_STRING"uid=$uid";fastcgi_pass unix:/path/to/my/php/or/python/fastcgi.sock;}

Lua web applications running directly onngx_lua can callthis module's directives directly from within Lua code:

localraw_text=ndk.set_var.set_decrypt_session(encrypted_text)

Back to TOC

Back to TOC

syntax:encrypted_session_key <key>

default:no

context:http, server, server if, location, location if

Sets the key for the cipher (must be 32 bytes long). For example,

encrypted_session_key"abcdefghijklmnopqrstuvwxyz123456";

Back to TOC

syntax:encrypted_session_iv <iv>

default:encrypted_session_iv "deadbeefdeadbeef";

context:http, server, server if, location, location if

Sets the initial vector used for the cipher (must beno longer than 16 bytes).

For example,

encrypted_session_iv"12345678";

Back to TOC

syntax:encrypted_session_expires <time>

default:encrypted_session_expires 1d;

context:http, server, server if, location, location if

Sets expiration time difference (in seconds by default).

For example, consider the following configuration:

encypted_session_expires1d;

When your session is being generated, ngx_encrypted_session will plantan expiration time (1 day in the future in this example) into theencrypted session string, such that when the session is being decryptedlater, the server can pull the expiration time out of the session andcompare it with the server's current system time. No matter how youtransfer and store your session, like using cookies, or URI query arguments,or whatever.

People may confuse this setting with the expiration date of HTTPcookies. This directive simply controls when the session gets expired;it knows nothing about HTTP cookies. Even if the end user interceptedthis session from cookie by himself and uses it later manually, theserver will still reject it when the expiration time gets passed.

Back to TOC

syntax:set_encrypt_session $target <value>

default:no

context:http, server, server if, location, location if

Encrypts the string value specified by thevalue argument and saves the result intothe variable specified by$target.

For example,

set_encrypt_session$res$value;

will encrypts the value in the variable $value into the target variable$res.

Thevalue argument can also be an nginx string value, for example,

set_encrypt_session$res"my value = $value";

The resulting data can later be decrypted via theset_decrypt_session directive.

Back to TOC

syntax:set_decrypt_session $target <value>

default:no

context:http, server, server if, location, location if

Similar toset_encrypt_session, but performs the inverse operation, that is,to decrypt things.

Back to TOC

You're recommended to install this module (as well as the Nginx core and many other goodies) via thengx_openresty bundle. Seethe detailed instructions for downloading and installing ngx_openresty into your system. This is the easiest and most safe way to set things up.

Alternatively, you can install this module manually with the Nginx source:

Grab the nginx source code fromnginx.org, for example,the version 1.13.6 (seenginx compatibility), and then build the source with this module:

wget'http://nginx.org/download/nginx-1.13.6.tar.gz'tar -xzvf nginx-1.13.6.tar.gzcd nginx-1.13.6/Here we assume you would install you nginx under /opt/nginx/../configure --prefix=/opt/nginx \    --with-http_ssl_module \    --add-module=/path/to/encrypted-session-nginx-modulemake -j2make install

Download the latest version of the release tarball of this module fromencrypted-session-nginx-module file list.

Also, this module is included and enabled by default in thengx_openresty bundle.

OpenSSL should not be disabled in your Nginx build.

Back to TOC

Starting from NGINX 1.9.11, you can also compile this module as a dynamic module, by using the--add-dynamic-module=PATH option instead of--add-module=PATH on the./configure command line above. And then you can explicitly load the module in yournginx.conf via theload_moduledirective, for example,

load_module /path/to/modules/ndk_http_module.so;  # assuming NDK is built as a dynamic module tooload_module /path/to/modules/ngx_http_encrypted_session_module.so;

Back to TOC

The following versions of Nginx should work with this module:

• 1.13.x (last tested: 1.13.6)
• 1.12.x
• 1.11.x (last tested: 1.11.2)
• 1.10.x
• 1.9.x (last tested: 1.9.15)
• 1.8.x
• 1.7.x (last tested: 1.7.10)
• 1.6.x
• 1.5.x (last tested: 1.5.12)
• 1.4.x (last tested: 1.4.4)
• 1.2.x (last tested: 1.2.9)
• 1.1.x (last tested: 1.1.5)
• 1.0.x (last tested: 1.0.11)
• 0.9.x (last tested: 0.9.4)
• 0.8.x (last tested: 0.8.54)
• 0.7.x >= 0.7.46 (last tested: 0.7.68)

Earlier versions of Nginx like 0.6.x and 0.5.x willnot work.

If you find that any particular version of Nginx above 0.7.44 does notwork with this module, please consider reporting a bug.

Back to TOC

Although a lot of effort has been put into testing and code tuning,there must be some serious bugs lurking somewhere in this module. Sowhenever you are bitten by any quirks, please don't hesitate to

1. send a bug report or even patches toagentzh@gmail.com,
2. or create a ticket on theissue tracking interfaceprovided by GitHub.

Back to TOC

Available on github atopenresty/encrypted-session-nginx-module.

Back to TOC

You'll be very welcomed to submit patches to the author or just ask fora commit bit to the source repository on GitHub.

Back to TOC

Yichun "agentzh" Zhang (章亦春) <agentzh@gmail.com>

Back to TOC

Copyright (c) 2009-2018, Yichun Zhang (agentzh) <agentzh@gmail.com>, OpenResty Inc.

This module is licensed under the terms of the BSD license.

Redistribution and use in source and binary forms, with or withoutmodification, are permitted provided that the following conditions aremet:

• Redistributions of source code must retain the above copyrightnotice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyrightnotice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "ASIS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITEDTO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR APARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHTHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITEDTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OFLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Back to TOC

• NDK
• ngx_set_misc module

Back to TOC