From 0fd6f7b560429d14b6b0d4f4244761e227230b65 Mon Sep 17 00:00:00 2001
From: Katharina Przybill <30441792+kathap@users.noreply.github.com>
Date: Mon, 18 May 2026 18:09:13 +0200
Subject: [PATCH 1/2] Add SHA256 HMAC signed URL support to blobstore

Adds /signed/ location blocks to nginx blobstore configuration to support
SHA256 HMAC signed URLs alongside existing MD5 signed URLs (/read/ and /write/).

This enables future migration to storage-cli for WebDAV blobstore clients,
providing consistency with BOSH's existing SHA256 HMAC signing implementation.

Changes:
- Added /signed/ location with secure_link_hmac (SHA256) verification
- Applied to all three server blocks (internal, public, public TLS)
- Supports GET, HEAD, and PUT methods
- Uses existing blobstore.secure_link.secret property

Benefits:
- Stronger cryptographic security (SHA256 HMAC vs MD5)
- Unified signing method across BOSH and CAPI platforms
- Enables removal of blobstore_url_signer service in future
- Zero impact on existing deployments (additive change only)

This is a preparatory change. Legacy /read/ and /write/ endpoints remain
unchanged and fully functional. No configuration changes required.
---
 jobs/blobstore/templates/blobstore.conf.erb | 69 +++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/jobs/blobstore/templates/blobstore.conf.erb b/jobs/blobstore/templates/blobstore.conf.erb
index 4f8b8cc28f..4c72f0d509 100644
--- a/jobs/blobstore/templates/blobstore.conf.erb
+++ b/jobs/blobstore/templates/blobstore.conf.erb
@@ -67,6 +67,29 @@ server {
     proxy_pass http://blob_url_signer;
   }
 
+  # SHA256 HMAC signed URLs (storage-cli compatible)
+  location ~ ^/signed/(?<blob_path>.+)$ {
+    if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
+      return 405;
+    }
+
+    # Enable PUT for uploads
+    dav_methods PUT;
+    create_full_put_path on;
+
+    # SHA256 HMAC signature verification
+    secure_link_hmac $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
+    secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
+    secure_link_hmac_algorithm sha256;
+
+    if ($secure_link_hmac != "1") {
+      return 403;
+    }
+
+    alias /var/vcap/store/shared/$blob_path;
+  }
+
   # ensure the contents of this location block always match the public server /read/ location block
   location /read/ {
     if ( $request_method !~ ^(GET|HEAD)$ ) {
@@ -125,6 +148,29 @@ server {
   access_log /var/vcap/sys/log/blobstore/public_access.log;
   error_log  /var/vcap/sys/log/blobstore/public_error.log;
 
+  # SHA256 HMAC signed URLs (storage-cli compatible)
+  location ~ ^/signed/(?<blob_path>.+)$ {
+    if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
+      return 405;
+    }
+
+    # Enable PUT for uploads
+    dav_methods PUT;
+    create_full_put_path on;
+
+    # SHA256 HMAC signature verification
+    secure_link_hmac $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
+    secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
+    secure_link_hmac_algorithm sha256;
+
+    if ($secure_link_hmac != "1") {
+      return 403;
+    }
+
+    alias /var/vcap/store/shared/$blob_path;
+  }
+
   # ensure the contents of this location block always match the internal server /read/ location block
   location /read/ {
     if ( $request_method !~ ^(GET|HEAD)$ ) {
@@ -188,6 +234,29 @@ server {
   access_log /var/vcap/sys/log/blobstore/public_access.log;
   error_log  /var/vcap/sys/log/blobstore/public_error.log;
 
+  # SHA256 HMAC signed URLs (storage-cli compatible)
+  location ~ ^/signed/(?<blob_path>.+)$ {
+    if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
+      return 405;
+    }
+
+    # Enable PUT for uploads
+    dav_methods PUT;
+    create_full_put_path on;
+
+    # SHA256 HMAC signature verification
+    secure_link_hmac $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
+    secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
+    secure_link_hmac_algorithm sha256;
+
+    if ($secure_link_hmac != "1") {
+      return 403;
+    }
+
+    alias /var/vcap/store/shared/$blob_path;
+  }
+
   # ensure the contents of this location block always match the internal server /read/ location block
   location /read/ {
     if ( $request_method !~ ^(GET|HEAD)$ ) {

From fac125a4bc577069c0157bee635bf3a45041dd1e Mon Sep 17 00:00:00 2001
From: Katharina Przybill <30441792+kathap@users.noreply.github.com>
Date: Thu, 28 May 2026 16:52:41 +0200
Subject: [PATCH 2/2] Add nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz

---
 config/blobs.yml                | 4 ++++
 packages/nginx_webdav/packaging | 7 ++++++-
 packages/nginx_webdav/spec      | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/config/blobs.yml b/config/blobs.yml
index 46610a2bfd..3eb1afe791 100644
--- a/config/blobs.yml
+++ b/config/blobs.yml
@@ -86,6 +86,10 @@ nginx/nginx-upload-module-2.3.0.tar.gz:
   size: 40139
   object_id: 2f8f59a7-8e90-4bf5-67d8-1637924ab331
   sha: sha256:c86e318addb9c88d70fdbd58ff1f6ef6f404a93070f6db8017a1f880c97946c4
+nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz:
+  size: 5452
+  object_id: ede41169-975a-4873-5a9e-d2d1aac3e865
+  sha: sha256:0d4a69f39b513a3427f5fb41a7503844e703395ca04517d0a55400e4a3150927
 nginx/pcre-8.45.tar.gz:
   size: 2096552
   object_id: a90f9f20-e23b-4755-59c7-101197325dab
diff --git a/packages/nginx_webdav/packaging b/packages/nginx_webdav/packaging
index 7c575a1aaf..e29506e9fa 100644
--- a/packages/nginx_webdav/packaging
+++ b/packages/nginx_webdav/packaging
@@ -1,4 +1,5 @@
 set -e -x
+# enable secure_link_hmac (SHA256 signed URLs)
 
 echo "Extracting expat..."
 tar xvf expat/expat-2.5.0.tar.bz2
@@ -20,6 +21,9 @@ tar xzvf nginx/nginx-1.28.3.tar.gz
 echo "Extracting webdav extensions"
 tar xzvf nginx/nginx-dav-ext-module-3.0.0.tar.gz
 
+echo "Extracting HMAC secure link module"
+tar xzvf nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz
+
 sed -i 's@"nginx/"@"-/"@g' nginx-1.28.3/src/core/nginx.h
 sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.28.3/src/http/ngx_http_header_filter_module.c
 sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.28.3/src/http/v2/ngx_http_v2_filter_module.c
@@ -35,7 +39,8 @@ pushd nginx-1.28.3
     --with-http_dav_module \
     --with-http_secure_link_module \
     --with-http_ssl_module \
-    --add-module=../nginx-dav-ext-module-3.0.0
+    --add-module=../nginx-dav-ext-module-3.0.0 \
+    --add-module=../ngx_http_hmac_secure_link_module-0.3
 
   make
   make install
diff --git a/packages/nginx_webdav/spec b/packages/nginx_webdav/spec
index a92a3a6850..29e8e5f311 100644
--- a/packages/nginx_webdav/spec
+++ b/packages/nginx_webdav/spec
@@ -5,3 +5,4 @@ files:
   - nginx/nginx-1.28.3.tar.gz
   - nginx/pcre-8.45.tar.gz
   - nginx/nginx-dav-ext-module-3.0.0.tar.gz
+  - nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz