tags:

views:

155

answers:

1
Q: 

Do you know of a NGiNX module that performs something similar to verification of Amazon Web Service request signatures?

I'd like to restrict access to my web service to registered clients. The first thing I thought of was to mimic that of AWS which, in a nutshell, issues clients a non-secret and secret key pair, and requires clients to prove knowledge of the secret key by using a cryptographic function of some of the HTTP request data and the secret key, then specifying the output of the crypto function in a request header. AWS does the same and checks that the expected signature matches what the client has specified. The secret is not transmitted, blah blah. This is pretty typical and not that interesting albeit useful.

http://mws.amazon.com/docs/devGuide/Signatures.html

http://chrisroos.co.uk/blog/2009-01-31-implementing-version-2-of-the-amazon-aws-http-request-signature-in-ruby

My preferred web server for web services is nginx. I'd like to start requiring similar request signatures in certain services. It makes sense to me to create an nginx module that handles request signature validation before ever sending the request to an upstream process (my web service instance(s)).

Do you know of such a nginx module? Do you know of a different one that I can base my work off of?

There's a decent nginx module writing guide here:

http://www.evanmiller.org/nginx-modules-guide.html

Please note that I'm not asking "how do I write a nginx module?" I'm simply trying to avoid reinventing the wheel.

Thanks!

A: 

If I'm understanding correctly, you could simply check for custom headers with an if($http_{yourheader}){} and validate that against a backend such as memcached, or proxy to a fastcgi script, or even use an embedded perl script (although this will be slow and could block).

AFAIK there aren't any specific standard or third-party modules that do this, but a combination of them could provide a suitable solution (eg; $http_{header} + redis backend, for instance).

Is there a particular reason you're not looking to use custom SSL certs? They would seem an adequate solution for restricting access with added security.

digitala  2010-02-23 09:20:56
Part of the request signature calculation is time-dependent information so that traffic replay attacks are thwarted. Thus, simply checking the backend cache-like datastore won't work unless I generate the keys for all clients every second or somesuch.Client certificates aren't needed here. I'm fine with an API key for identifying clients. The request signature is important to avoid traffic replay attacks and as an extra step in avoiding some script kiddy from abusing some client's non-secret API key.
z8000  2010-02-23 20:54:45

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?