hmac authentication using vcl


#1

I am trying to authenticate a URL using hmac. I can do the following to verify. My question is how do I parse the URL to extract only the part of the URL excluding the hmac parameter? I tried using local variables in vcl but it threw an error. Any suggestions on how to extract the hmac value and URL query parameters as shown below?

http://localhost/zzz/?q1=xxx&q2=yyy&hmac=hash

if (digest.hmac_md5("key", "q1=xxx&q2=yyy") != "value")
{
  return (synth(401, digest.hmac_md5("key", "http://localhost/zzz/?q1=xxx&q2=yyy")));
}
Thanks


#2

Hi jsp,

I’d suggest testing with querystring.regfilter(<string>, <string>).
Documentation: https://docs.fastly.com/guides/vcl/query-string-manipulation-vcl-features

For example, if you add the following code in your vcl_recv,

set req.url = querystring.regfilter(req.url, "^hmac");

It will extract the hmac query from the URL, so your origin will receive the request as /?q1=xxx&q2=yyy instead.
If you don’t want to manipulate the original URL, you can work around it with a req.http.* header or local variables to store the hmac value.

Best,
Hiro


#3

Hiro,
Thanks for replying. I tried the following. Any thoughts on this?

set var.message = subfield(req.url, "x", "?") "&" subfield(req.url, "y", "&");
set var.urlhash = subfield(req.url, "hmac", "&");

jsp


#4

Hello,

You can use req.url.qs instead.
set var.urlhash = subfield(req.url.qs, "hmac", "&");

Works.
https://fiddle.fastlydemo.net/fiddle/ee893bc7

I hope this will be helpful.

Junichi
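
The pieces from replies #2 and #4 put together in one vcl_recv, as an added example that is not part of the original thread or any poster's code. It is written for Fastly VCL (hence `error` rather than `synth`), reuses the placeholder key "key" from the question, and assumes the signer hashed only the query string without the hmac parameter; the variable names var.stripped, var.message and var.expected are illustrative.

```vcl
sub vcl_recv {
  declare local var.urlhash  STRING;  # hmac value sent by the client
  declare local var.stripped STRING;  # URL with the hmac parameter removed
  declare local var.message  STRING;  # query string that was signed
  declare local var.expected STRING;  # HMAC computed at the edge

  # Value of the hmac parameter, as in reply #4.
  set var.urlhash = subfield(req.url.qs, "hmac", "&");

  # Drop the hmac parameter into a local copy so req.url stays untouched
  # (reply #2). The pattern is anchored at both ends so that a parameter
  # such as "hmac2" is not removed along with it.
  set var.stripped = querystring.regfilter(req.url, "^hmac$");

  # Keep only what follows the "?", e.g. "q1=xxx&q2=yyy".
  if (var.stripped ~ "[?]") {
    set var.message = regsub(var.stripped, "^[^?]*[?]", "");
  } else {
    set var.message = "";
  }

  # "key" is the placeholder from the question, not a real secret.
  set var.expected = digest.hmac_md5("key", var.message);

  # Assumption: the signer sends the digest in the same textual form that
  # digest.hmac_md5 returns (Fastly documents it as hex prefixed with "0x").
  # digest.secure_is_equal compares in constant time, unlike "!=".
  if (!digest.secure_is_equal(var.urlhash, var.expected)) {
    # Do not put var.expected in the response: that would hand the caller
    # a valid signature for the URL they just requested.
    error 401 "Unauthorized";
  }
}
```

The parameters are hashed in the order they arrive, so the signer has to emit them in the same order and with the same encoding as the request that reaches the edge.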