Secure Link is a WebAssembly (WASM) filter written in AssemblyScript which checks the authenticity of requested links and protects resources from unauthorized access. Authenticity is verified by comparing the checksum value passed in a request with the value computed for the request, using the shared secret.
This filter is experimental / proof-of-concept. It is not meant to be used in production deployments.
It was inspired by nginx's Secure Link module.
- Envoy proxy with WebAssembly support (i.e., envoyproxy/envoy-wasm)
This filter has been tested with Envoy v1.13. It is possible that the filter is compatible with newer versions, but it is untested.
The filter can be manually compiled, or installed from WebAssemblyHub.io.
Compiling the filter requires npm
to be installed.
First, clone this repository.
git clone --single-branch /~https://github.com/blake/secure-link-filter.git
Next, install the required dependencies.
cd envoy-secure-link-filter
npm install
Then build the filter using npm run
.
npm run asbuild
The resultant WASM filter can be found in ./build/optimized.wasm
.
This filter is also available on the WebAssembly Hub.
First, Install the wasme CLI.
Then download the filter using the wasme
client.
wasme pull webassemblyhub.io/blake/secure-link:v0.1
Refer to WebAssembly Hub's Deployment Tutorial docs for information on deploying the filter to various target platforms.
The filter requires the following parameters in order to function.
- Shared Secret
- Comma-separated list of URL paths to protect
The configuration is defined in plain text with each parameter separated by the
pipe (|
) symbol. For example:
<shared secret>|<Protected URL paths>
To configure the filter to use a shared secret of WASM_rocks!
and protect the
URL paths /downloads/
and /private/
, the resultant configuration would
appear as follows.
WASM_rocks!|/downloads/,/private/
This section assumes you already have an Envoy proxy running with the filter properly configured.
Lets say, for example, that Envoy is listening on localhost port 8080 and we to
access a protected resource of /downloads/videos/wasm-tutorial.mp4
. The filter
is configured with a shared secret of WASM_rocks!
.
Generate the MD5 hash for the URL using the following:
$ echo -n 'videos/wasm-tutorial.mp4WASM_rocks!' | openssl md5 -hex
ab94570897eeba7fa391edc4da08c967
Issue an HTTP HEAD request using curl
to test that you have access to the
resource.
curl --head localhost:8080/downloads/ab94570897eeba7fa391edc4da08c967/videos/wasm-tutorial.mp4