Read more

Self-expiring URLs with Apache

Avatar
Tobias Kraze
May 14, 2019Software engineer at makandra GmbH

When delivering non-public uploaded files (images, documents etc), one has to decide whether and how to do authorization. The usual approaches are:

  • Using send_file with a regular controller. This is secure, but potentially slow, especially for large collections of images.
  • Using unguessable URLs. This is fast (because Apache can deliver assets without going through Rails), but less secure.
Illustration web development

Do you need DevOps-experts?

Your development team has a full backlog? No time for infrastructure architecture? Our DevOps team is ready to support you!

  • We build reliable cloud solutions with Infrastructure as code
  • We are experts in security, Linux and databases
  • We support your dev team to perform
Read more

When going with the "unguessable URL" approach, it is possible to somewhat increase security by using expiring URLs. The idea is to encode the expiry date into the URL in such a way that an attacker cannot modify that expiry date.

It turns out this can be done with a vanilla Apache installation in a relatively secure fashion. We encode URLs as

/system/<normal url>?t=<expiry date>&s=<signature>

Apache config

In the apache vhost, add the following Location (assuming we want to secure all of /public/system):

<Location "/system">
  Define SIGNATURE_SECRET "<the same secret as in the secrets.yml>"
  RewriteEngine On

  # timestamp in the future and correctly signed?
  RewriteCond expr "%{QUERY_STRING} =~ /(^|&)t=(\w+)&s=(\w+)(&|$)/ && $2 > %{TIME} && sha1('${SIGNATURE_SECRET}' . sha1('${SIGNATURE_SECRET}' . '%{REQUEST_URI}?$2')) == tolower($3)"
  # yes, continue
  RewriteRule "" "-" [L]

  # otherwise, forbid
  RewriteRule "" "-" [F]
</Location>

Generate the secret with SecureRandom.hex(32), and also put it as url_signature_secret into your secrets.yml.

Rails helper

To generate an expiring URL, use the following helper:

def sign_public_path(path, expires_at = 2.hours.from_now, allow_fuzzy_expiry: true, secret: Rails.application.secrets.url_signature_secret)
  return unless path
  uri = URI.parse(path)

  if allow_fuzzy_expiry
    expires_at = expires_at.end_of_hour + 1
  end
  timestamp = expires_at.localtime.strftime('%Y%m%d%H%M%S')
  # this is similar to an hmac, but not quite the same, since apache functions do not allow to implement
  # a canonical hmac
  signature = Digest::SHA1.hexdigest(secret.to_s + Digest::SHA1.hexdigest("#{secret}#{CGI.unescape(uri.path)}?#{timestamp}"))

  "#{uri.path}?#{uri.query}&t=#{timestamp}&s=#{signature}"
end

The helper has an option allow_fuzzy_expiry that will by default cause the expiry to round up to the next full hour. This is so URLs do not change with every single request, to allow some minimal browser caching.

A note about security

The correct way to calculate the signature is to use an HMAC. Unfortunately, I don't believe you can calculate a proper HMAC in a regular Apache installation. Instead, we do something that is very similar, but could potentially not be absolutely cryptographically sound. Do not use it for extremely sensitive content.

Posted by Tobias Kraze to makandra dev (2019-05-14 08:55)