[mirrorbrain-commits] r8236 - /trunk/docs/configuration.rst

From: <poeml_at_mirrorbrain.org>
Date: Sun, 02 Jan 2011 17:00:38 -0000
Author: poeml
Date: Sun Jan  2 18:00:38 2011
New Revision: 8236

URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain?rev=8236&view=rev
add documentation about URL signing


Modified: trunk/docs/configuration.rst
URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain/trunk/docs/configuration.rst?rev=8236&r1=8235&r2=8236&view=diff
--- trunk/docs/configuration.rst (original)
+++ trunk/docs/configuration.rst Sun Jan  2 18:00:38 2011
_at_@ -404,6 +404,76 @@
     MirrorBrainMirrorlistFooter /srv/www/htdocs/mb-footer.html
+.. _configuring_url_signatures:
+Configuring URL signatures
+Signing URLs can be a way to protect content from unauthorized access. How does
+this work?
+The redirector can generate redirection URLs that contain a signature with
+temporary validity. The signature can be checked on the mirror servers to
+restrict access to authenticated clients. This means that authentication and
+authorization of clients can be validated centrally (by the redirector), and
+the content on all mirrors protected. 
+To configure URL signing, the server needs to be configured with a secret key::
+    MirrorBrainRedirectStampKey my_key
+In this example, ``my_key`` is an arbitrary string known only to the server
+administrators (including the mirror servers).
+The directive may be used server-wide, or applied to certain directories.
+It makes sense to combine this with setting up authentication to restrict
+access. When clients access the server *and* are authorized to access the file,
+and the server decides to redirect the request, the result is as demonstrated
+in the following example::
+     # curl -sI
+    HTTP/1.1 302 Found
+    [...]
+    http://ftp.udc.es/OpenOffice/extended/3.2.0rc5/OOo_3.2.0rc5_20100203_LinuxIntel_install_ar.tar.gz?time=1288879347&stamp=e215bb55bbea2c133145330f9e061f5b
+Note the two arguments that are appended to the URL in the Location header.
+The mirrors which receives these requests need to check two things:
+1) Check if the "ticket" is a valid one, by hashing the timestamp and
+   the shared secret -- here in shell code::
+        # echo -n '1288879347 my_key' | md5sum
+       e215bb55bbea2c133145330f9e061f5b  -  
+   That hash is the same as came with the URL, and thus the ticket
+   is valid (or was valid in the past).
+2) Check if the "ticket" is still fresh enough, simply by comparing to
+   current time. Shell example::
+        # echo $(( $(date +'%s') - 1288879347 ))
+       380
+   While I was typing, the ticked became 380 seconds old (because I'm
+   slow :-), which makes it outdated, and the mirror would reject it,
+   based on the policy that it must not be older than e.g. 30 seconds.
+These two checks to be done on the mirrors can easily be destilled in a
+script consisting of only a few lines.
+The fact that MD5 collisions can be found nowadays should be pretty
+irrelevant considering the short-lived-ness of the tickets. That's one
+reason why the mirrors should check for the age. The other reason is
+because it allows using a one-way, non-revertible hash, instead of a
+symmetric encryption which would be less trivial to implement (md5 is
+available anywhere, while symmetric ciphers are not).
 Using mod_mirrorbrain without GeoIP

mirrorbrain-commits mailing list
Archive: http://mirrorbrain.org/archive/mirrorbrain-commits/

Note: To remove yourself from this list, send a mail with the content
to the address mirrorbrain-commits-request_at_mirrorbrain.org
Received on Sun Jan 02 2011 - 17:00:40 GMT

This archive was generated by hypermail 2.3.0 : Mon Feb 20 2012 - 23:47:04 GMT