Skip to content

blake/secure-link-filter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

assembly

assembly

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

runtime-config.json

runtime-config.json

 
 

Repository files navigation

Secure Link filter

Secure Link is a WebAssembly (WASM) filter written in AssemblyScript which checks the authenticity of requested links and protects resources from unauthorized access. Authenticity is verified by comparing the checksum value passed in a request with the value computed for the request, using the shared secret.

This filter is experimental / proof-of-concept. It is not meant to be used in production deployments.

It was inspired by nginx's Secure Link module.

Requirements

This filter has been tested with Envoy v1.13. It is possible that the filter is compatible with newer versions, but it is untested.

Installation

The filter can be manually compiled, or installed from WebAssemblyHub.io.

Compiling

Compiling the filter requires npm to be installed.

First, clone this repository.

git clone --single-branch https://github.com/blake/secure-link-filter.git

Next, install the required dependencies.

cd envoy-secure-link-filter
npm install

Then build the filter using npm run.

npm run asbuild

The resultant WASM filter can be found in ./build/optimized.wasm.

WebAssembly Hub

This filter is also available on the WebAssembly Hub.

First, Install the wasme CLI.

Then download the filter using the wasme client.

wasme pull webassemblyhub.io/blake/secure-link:v0.1

Refer to WebAssembly Hub's Deployment Tutorial docs for information on deploying the filter to various target platforms.

Configuration

The filter requires the following parameters in order to function.

  1. Shared Secret
  2. Comma-separated list of URL paths to protect

The configuration is defined in plain text with each parameter separated by the pipe (|) symbol. For example:

<shared secret>|<Protected URL paths>

To configure the filter to use a shared secret of WASM_rocks! and protect the URL paths /downloads/ and /private/, the resultant configuration would appear as follows.

WASM_rocks!|/downloads/,/private/

Test the filter

This section assumes you already have an Envoy proxy running with the filter properly configured.

Lets say, for example, that Envoy is listening on localhost port 8080 and we to access a protected resource of /downloads/videos/wasm-tutorial.mp4. The filter is configured with a shared secret of WASM_rocks!.

Generate the MD5 hash for the URL using the following:

$ echo -n 'videos/wasm-tutorial.mp4WASM_rocks!' | openssl md5 -hex
ab94570897eeba7fa391edc4da08c967

Issue an HTTP HEAD request using curl to test that you have access to the resource.

curl --head localhost:8080/downloads/ab94570897eeba7fa391edc4da08c967/videos/wasm-tutorial.mp4

About

Wasm filter to protect access to URL paths

Topics

assemblyscript envoy-filter envoyproxy wasm-example

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages