gteric 发表于 2017-12-22 20:42:11

nginx配置,配合lua编程实现

-- Query-string keys that take part in the canonical resource of the signature.
-- Order matters: get_canon_sub_resource() walks this list front to back, so
-- the entries must stay in ascending (byte-wise) order.
local signed_subresources = {
  'acl', 'append',
  'bucketInfo',
  'cname', 'commitTransition', 'comp', 'cors',
  'delete',
  'lifecycle', 'location', 'logging',
  'mime',
  'notification',
  'objectInfo', 'objectMeta',
  'partData', 'partInfo', 'partNumber', 'policy', 'position',
  'referer', 'replication', 'replicationLocation', 'replicationProgress',
  'requestPayment',
  'response-cache-control', 'response-content-disposition',
  'response-content-encoding', 'response-content-language',
  'response-content-type', 'response-expires',
  'restore',
  'security-token',
  'tagging', 'torrent',
  'uploadId', 'uploads',
  'versionId', 'versioning', 'versions',
  'website',
}
  

  
--- Report whether `s` begins with the prefix `start`.
-- Defined on the global `string` table, so every chunk sharing this Lua
-- state sees it.
-- @param s     string to inspect
-- @param start prefix to look for
-- @return true when the first len(start) bytes of `s` equal `start`
function string.startswith(s, start)
  local prefix_len = string.len(start)
  local head = string.sub(s, 1, prefix_len)
  return head == start
end
  

  
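--- Build the sub-resource part of the canonical resource that gets signed.
-- Only query arguments named in `signed_subresources` are included, in that
-- list's order; all other arguments are ignored.
-- @return '' when no signed sub-resource is present, otherwise a string of
--   the form '?k1=v1&k2&k3=v3'
local function get_canon_sub_resource()
  local args = ngx.req.get_uri_args()
  local parts = {}
  -- Arguments are looked up by exact name: the list contains mixed-case
  -- entries such as 'uploadId', so keys are not lower-cased.
  for _, name in ipairs(signed_subresources) do
    -- `local` on purpose: a bare `v` would be a global shared by every
    -- request handled in this Lua state.
    local v = args[name]
    if type(v) == 'table' then
      -- repeated argument: only the first occurrence is signed
      v = v[1]
    end
    if v == true then
      -- ngx.req.get_uri_args() yields `true` for an argument without a value
      -- (e.g. '?uploads'); it is signed as the bare key.
      -- NOTE(review): confirm against the OSS signature documentation.
      parts[#parts + 1] = name
    elseif v then
      parts[#parts + 1] = name .. '=' .. v
    end
  end
  if #parts == 0 then
    return ''
  end
  return '?' .. table.concat(parts, '&')
end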
  

  
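--- Build the canonical resource string: '/<bucket><object path><sub-resources>'.
-- The bucket comes from the nginx variable $oss_bucket and the object path
-- from $uri.
-- @return the canonical resource used as the last field of the string to sign
local function get_canon_resource()
  -- Locals, not globals: globals would be shared between requests served by
  -- the same Lua state.
  -- NOTE(review): $uri is presumably already percent-decoded by nginx, so this
  -- decodes a second time; verify object names containing '%' still sign
  -- correctly.
  local object = ngx.unescape_uri(ngx.var.uri)
  local sub = get_canon_sub_resource()
  return string.format("/%s%s%s", ngx.var.oss_bucket, object, sub)
end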
  

  
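--- Build the canonical 'x-oss-*' header block of the string to sign.
-- Every request header whose name starts with 'x-oss-' contributes one
-- 'name:value\n' line; lines are ordered by header name.
-- @return the concatenated lines ('' when there is no such header), or nil
--   when an 'x-oss-*' header does not have a single string value (e.g. it was
--   sent more than once), because the client cannot have signed that form
local function get_canon_headers()
  -- ngx.req.get_headers() returns lower-cased header names by default
  local headers = ngx.req.get_headers()
  local prefix = 'x-oss-'
  local names = {}
  for k, v in pairs(headers) do
    if string.sub(k, 1, #prefix) == prefix then
      -- client must assemble the same header keys
      if type(v) ~= 'string' then return nil end
      names[#names + 1] = k
    end
  end
  -- sorted in alphabetical order
  table.sort(names)
  -- Each line is written to its own slot and the value is read per header
  -- name, so the result is one 'name:value\n' line per signed header.
  local lines = {}
  for i, name in ipairs(names) do
    lines[i] = name .. ':' .. headers[name] .. '\n'
  end
  return table.concat(lines)
end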
  

  
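--- Compute the request signature: base64(HMAC-SHA1(key, string-to-sign)).
-- The string to sign is method, md5, type_, date (each followed by a
-- newline), then oss_headers and resource.
-- @param key         secret access key used as the HMAC key
-- @param method      HTTP method
-- @param md5         Content-MD5 header value or ''
-- @param type_       Content-Type header value or ''
-- @param date        date value being signed
-- @param oss_headers canonical 'x-oss-*' header block
-- @param resource    canonical resource
-- @return the base64 signature, and the string that was signed
local function calc_sign(key, method, md5, type_, date, oss_headers, resource)
  local sign_str = string.format('%s\n%s\n%s\n%s\n%s%s',
    method, md5, type_,
    date, oss_headers, resource)
  -- The secret key is never written to the log: anyone able to read the error
  -- log could otherwise sign requests. The string to sign is logged once, at
  -- debug level only.
  ngx.log(ngx.DEBUG, "SignStr:", sign_str, "\n")
  local sign_result = ngx.encode_base64(ngx.hmac_sha1(key, sign_str))
  return sign_result, sign_str
end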
  

  
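--- Authorize the current request and hand it to the matching internal
-- location.
--   $isfile == "1": attachment download. The time-limited token in the query
--                   string (`times`, `tocken`) is verified first; on success
--                   the request is signed and sent to @oss, or to @oss1 when
--                   $lanmu == "3".
--   $isfile == "2": the URI has '//' collapsed to '/' and the request goes to
--                   @oss2 without an Authorization header.
--   otherwise:      the request is signed and sent to @oss1.
-- @return an HTTP status for the caller to pass to ngx.exit, or nothing when
--   the request was dispatched or already answered
local function oss_auth()
  -- Reject with a fixed message. Nothing from the token computation (inputs,
  -- secret, expected token, server time) is echoed back to the client.
  local function deny(status)
    ngx.status = status
    ngx.say("您的访问地址有误!")
    return ngx.exit(ngx.HTTP_OK)
  end

  local method = ngx.req.get_method()
  local content_md5 = ngx.var.http_content_md5 or ''
  local content_type = ngx.var.http_content_type or ''
  local date = ngx.var.http_x_oss_date or ngx.var.http_date or ''
  if date == '' then
    -- no date supplied by the client: sign and forward the current time
    date = ngx.http_time(ngx.time())
    ngx.req.set_header('Date', date)
  end

  -- Build the 'OSS <id>:<signature>' Authorization value, or nil when the
  -- canonical headers cannot be built (get_canon_headers returned nil).
  local function signed_auth()
    local resource = get_canon_resource()
    local canon_headers = get_canon_headers()
    if not canon_headers then
      return nil
    end
    local sign_result = calc_sign(ngx.var.oss_auth_key, method, content_md5,
      content_type, date, canon_headers, resource)
    return string.format("OSS %s:%s", ngx.var.oss_auth_id, sign_result)
  end

  local isfile = ngx.var.isfile
  if isfile == "1" then
    -- Download token check: prevents arbitrary downloads.
    local times = tonumber(ngx.var['arg_times'])
    local tocken = ngx.var['arg_tocken']
    local fileuserid = ngx.var['fileuserid']
    local filetime = ngx.var['filetime']
    -- A missing or non-numeric field is a plain rejection rather than a
    -- runtime error further down.
    if not (times and tocken and fileuserid and filetime) then
      return deny(ngx.HTTP_FORBIDDEN)
    end

    -- The link is valid for five minutes after `times`.
    local one_minute_timestamp = 60
    if os.time() > times + one_minute_timestamp * 5 then
      return deny(ngx.HTTP_FORBIDDEN) -- expired
    end

    -- NOTE(review): the shared secret is hard-coded in source; load it from
    -- configuration and rotate it, since this value has been published.
    -- NOTE(review): the token is an MD5 over fields concatenated without
    -- separators and is compared with `~=`; an HMAC over delimited fields
    -- with a constant-time comparison is the usual construction.
    local tochenkey = "liuxiaocao"
    local newTocken = ngx.md5(filetime .. fileuserid .. times .. tochenkey)
    if tocken ~= newTocken then
      -- The response must not reveal the secret or the expected token.
      ngx.log(ngx.WARN, "download token mismatch")
      return deny(ngx.HTTP_FORBIDDEN)
    end

    -- Download file name from the `n` query argument (client-controlled).
    local filename1 = ngx.req.get_uri_args()["n"]
    if type(filename1) == 'table' then
      filename1 = filename1[1] -- repeated argument: use the first
    end
    local attachment = "attachment"
    if type(filename1) == 'string' and filename1 ~= '' then
      -- Drop control characters (CR/LF included), quotes and backslashes so
      -- the value cannot break out of the response header.
      filename1 = string.gsub(filename1, '[%c"\\]', '')
      local usragent = ngx.var.http_user_agent
      if usragent and string.find(usragent, "Trident", 1, true) then
        filename1 = ngx.escape_uri(filename1) -- Internet Explorer
      end
      -- Replace spaces with underscores; Firefox mishandles them in the
      -- attachment name.
      filename1 = string.gsub(filename1, " ", "_")
      attachment = "attachment;filename=" .. filename1
    end
    ngx.header["Content-Disposition"] = attachment

    local auth = signed_auth()
    if not auth then
      return ngx.HTTP_BAD_REQUEST
    end
    ngx.req.set_header('Authorization', auth)
    local lanmu = ngx.var['lanmu']
    if lanmu == "3" then -- forum section
      return ngx.exec("@oss1")
    end
    return ngx.exec("@oss")
  elseif isfile == "2" then
    -- `local x = string.gsub(...)` keeps only the rewritten string, not the
    -- substitution count.
    local filename = string.gsub(ngx.var.uri, "//", "/")
    ngx.req.set_uri(filename, false)
    return ngx.exec("@oss2")
  else
    local auth = signed_auth()
    if not auth then
      return ngx.HTTP_BAD_REQUEST
    end
    ngx.req.set_header('Authorization', auth)
    return ngx.exec("@oss1")
  end
end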
  

  
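-- main
-- oss_auth() returns a status only when it neither dispatched nor answered
-- the request; that status ends the request here.
-- `local` keeps the result out of the global table shared between requests.
local res = oss_auth()
if res then
  ngx.exit(res)
end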
  