4 changes: 4 additions & 0 deletions config/blobs.yml
Expand Up @@ -86,6 +86,10 @@ nginx/nginx-upload-module-2.3.0.tar.gz:
size: 40139
object_id: 2f8f59a7-8e90-4bf5-67d8-1637924ab331
sha: sha256:c86e318addb9c88d70fdbd58ff1f6ef6f404a93070f6db8017a1f880c97946c4
nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz:
size: 5452
object_id: ede41169-975a-4873-5a9e-d2d1aac3e865
sha: sha256:0d4a69f39b513a3427f5fb41a7503844e703395ca04517d0a55400e4a3150927
nginx/pcre-8.45.tar.gz:
size: 2096552
object_id: a90f9f20-e23b-4755-59c7-101197325dab
69 changes: 69 additions & 0 deletions jobs/blobstore/templates/blobstore.conf.erb
Expand Up @@ -67,6 +67,29 @@ server {
proxy_pass http://blob_url_signer;
}

# SHA256 HMAC signed URLs (storage-cli compatible)
location ~ ^/signed/(?<blob_path>.+)$ {
if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
return 405;
}

# Enable PUT for uploads
dav_methods PUT;
create_full_put_path on;

# SHA256 HMAC signature verification
secure_link_hmac $arg_st,$arg_ts,$arg_e;
secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
secure_link_hmac_algorithm sha256;

if ($secure_link_hmac != "1") {
return 403;
}

alias /var/vcap/store/shared/$blob_path;
}

# ensure the contents of this location block always match the public server /read/ location block
location /read/ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
Expand Down Expand Up @@ -125,6 +148,29 @@ server {
access_log /var/vcap/sys/log/blobstore/public_access.log;
error_log /var/vcap/sys/log/blobstore/public_error.log;

# SHA256 HMAC signed URLs (storage-cli compatible)
location ~ ^/signed/(?<blob_path>.+)$ {
if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
return 405;
}

# Enable PUT for uploads
dav_methods PUT;
create_full_put_path on;

# SHA256 HMAC signature verification
secure_link_hmac $arg_st,$arg_ts,$arg_e;
secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
secure_link_hmac_algorithm sha256;

if ($secure_link_hmac != "1") {
return 403;
}

alias /var/vcap/store/shared/$blob_path;
}

# ensure the contents of this location block always match the internal server /read/ location block
location /read/ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
Expand Down Expand Up @@ -188,6 +234,29 @@ server {
access_log /var/vcap/sys/log/blobstore/public_access.log;
error_log /var/vcap/sys/log/blobstore/public_error.log;

# SHA256 HMAC signed URLs (storage-cli compatible)
location ~ ^/signed/(?<blob_path>.+)$ {
if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
return 405;
}

# Enable PUT for uploads
dav_methods PUT;
create_full_put_path on;

# SHA256 HMAC signature verification
secure_link_hmac $arg_st,$arg_ts,$arg_e;
secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
secure_link_hmac_algorithm sha256;

if ($secure_link_hmac != "1") {
return 403;
}

alias /var/vcap/store/shared/$blob_path;
}

# ensure the contents of this location block always match the internal server /read/ location block
location /read/ {
if ( $request_method !~ ^(GET|HEAD)$ ) {
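Review bot: `secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;` on line 54 (repeated at lines 84 and 114) splices the operator-supplied secret into the nginx config unquoted, so a value containing whitespace, `;`, `{`, `}` or `"` breaks the rendered config, and one containing `#` or `$` may presumably be read as a comment or a variable reference rather than as the literal key. Quote the value and have the template reject characters nginx treats specially, e.g. `<% secret = p('blobstore.secure_link.secret'); raise 'blobstore.secure_link.secret: unsupported characters' unless secret =~ /\A[A-Za-z0-9+\/=_-]+\z/ %>` followed by `secure_link_hmac_secret "<%= secret %>";`. Separately, `secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e` joins the fields with no delimiter, so the boundary between `$arg_ts` and `$arg_e` in the signed string is not fixed; this mirrors the module's documented example and must match what storage-cli signs, so it is worth confirming with the signer's format rather than changing unilaterally here. The `/signed/` block is copied three times without the "contents must match" comment its neighbouring `/read/` blocks carry, so the copies will drift; a comment of the same kind, or an ERB partial, would keep them aligned. The enclosing `server` blocks start and end outside the hunks.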
7 changes: 6 additions & 1 deletion packages/nginx_webdav/packaging
@@ -1,4 +1,5 @@
set -e -x
# enable secure_link_hmac (SHA256 signed URLs)

echo "Extracting expat..."
tar xvf expat/expat-2.5.0.tar.bz2
Expand All @@ -20,6 +21,9 @@ tar xzvf nginx/nginx-1.30.2.tar.gz
echo "Extracting webdav extensions"
tar xzvf nginx/nginx-dav-ext-module-3.0.0.tar.gz

echo "Extracting HMAC secure link module"
tar xzvf nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz

sed -i 's@"nginx/"@"-/"@g' nginx-1.30.2/src/core/nginx.h
sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.30.2/src/http/ngx_http_header_filter_module.c
sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.30.2/src/http/v2/ngx_http_v2_filter_module.c
Expand All @@ -35,7 +39,8 @@ pushd nginx-1.30.2
--with-http_dav_module \
--with-http_secure_link_module \
--with-http_ssl_module \
--add-module=../nginx-dav-ext-module-3.0.0
--add-module=../nginx-dav-ext-module-3.0.0 \
--add-module=../ngx_http_hmac_secure_link_module-0.3

make
make install
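Review bot: The new comment `# enable secure_link_hmac (SHA256 signed URLs)` at line 2 sits directly under `set -e -x`, with nothing it explains nearby; the change it describes is the `--add-module=../ngx_http_hmac_secure_link_module-0.3` line roughly forty lines later. Move it next to that `--add-module` line and make it say what a maintainer needs: that this is a third-party module separate from nginx's own `--with-http_secure_link_module`, and that its version must stay in step with the tarball named in `spec` and pinned by sha256 in `config/blobs.yml`. The configure invocation that the `--add-module` line belongs to starts outside the hunk, as does the `pushd nginx-1.30.2` block around it. The path in `--add-module` also assumes the tarball extracted by `tar xzvf nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz` unpacks to a top-level directory of exactly that name; under `set -e` a mismatch fails in `./configure`, which is acceptable, but a one-line comment stating that assumption next to the extraction step would save the next person a build cycle.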
1 change: 1 addition & 0 deletions packages/nginx_webdav/spec
Expand Up @@ -5,3 +5,4 @@ files:
- nginx/nginx-1.30.2.tar.gz
- nginx/pcre-8.45.tar.gz
- nginx/nginx-dav-ext-module-3.0.0.tar.gz
- nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz