decoding base64 signed urls in varnish

-
Fronting imgproxy with varnish, to honor old url base64 signed urls

the javascript file


vcl 4.0;
import blob;
import digest;
# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
sub vcl_init {

}

sub vcl_recv {
    set req.http.base64part = regsub(req.url, "^/testpath/(.*)\.(.*)$", "\1");
    set req.http.base64ashex = blob.transcode(encoding=HEX, decoding=BASE64URL, encoded=req.http.base64part);
    set req.http.imghash-hex = regsub(req.http.base64asHex, "^(.{0,64})(.*)$", "\1");
    set req.http.imgauth-hex = regsub(req.http.base64asHex, "^(.{0,64})(.{0,32})(.*)$", "\2");
    set req.http.imgparms-hex = regsub(req.http.base64asHex, "^(.{0,96})(.*)$", "\2");
    set req.http.imgparms = blob.transcode(encoding=IDENTITY, decoding=HEX, encoded=req.http.imgparms-hex);


    set req.http.genimgauth = digest.hash_md5(req.http.imghash-hex + "-" + req.http.imgparms + "-" + "mymagicsecret");
    if (req.http.genimgauth == req.http.imgauth-hex) {
     set req.http.imgsig="good";
    } else {
     set req.http.imgsig="bad";
    }

    unset req.http.decodedUrl;
    unset req.http.imghash;
    unset req.http.imgauth;

    set req.http.fileExt = regsub(req.url, "^/ddimgnew/(.*)\.(.*)$", "\2");
    set req.http.origurl = req.url;
    set req.http.bucketUrl = regsub(req.http.imgparms, "(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)", "\1");

    set req.http.imgFormat = "jpg";
    if (req.http.fileExt == "webp") {
     set req.http.imgFormat = "webp";
    }

    if (regsub(req.http.imgparms, ".*\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)", "\3") != "") {
     set req.http.imgMode = "fit";
     set req.http.imgH = regsub(req.http.imgparms, ".*\|(\d+)x(\d+)\|.*", "\1");
     set req.http.imgW = regsub(req.http.imgparms, ".*\|(\d+)x(\d+)\|.*", "\2");
    }

    if (regsub(req.http.imgparms, ".*\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)\|(.*)", "\6") != "") {
     set req.http.imgMode = "fill";
     set req.http.imgH = regsub(req.http.imgparms, ".*\|(\d+)x(\d+)\|.*", "\1");
     set req.http.imgW = regsub(req.http.imgparms, ".*\|(\d+)x(\d+)\|.*", "\2");
    }

    set req.http.imgproxyUrl = "mangled/" + req.http.imgMode + "/" + req.http.imgH + "/" + req.http.imgW + "/ce/0/plain/" + req.http.bucketUrl + "@" + req.http.imgFormat;
    set req.url = "/mangled/" + req.http.imgMode + "/" + req.http.imgH + "/" + req.http.imgW + "/ce/0/plain/" + req.http.bucketUrl + "@" + req.http.imgFormat;

    return (hash);
}

sub vcl_deliver {
    set resp.http.imgsig = req.http.imgsig;
    set resp.http.origurl =  req.http.origurl;
    set resp.http.backendurl = req.url;
}
sub vcl_hash {
    hash_data(req.url);
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    return (lookup);
}

sub vcl_backend_fetch {
    return (fetch);
    }

Comments

Post a Comment

Popular posts from this blog

Baileys liquor Chocolate Chip and Cream desert

-
Simple and very very very yummy. Prepare today for tomorrow 1-2 pks (14 biscuits approx but depends on size) of really good quality double chocolate chip cookies 100ml Baileys Cream Liqueur 250ml Cream, whipped Chocolate Shavings, Drops to decorate, or Cadburys Flake broken up, or sprinkle of cocoa Use a 9" spring form tin otherwise its tricky to remove the finished cake Pour the Bailey into a bowl One by one, dip or soak (depending on how strong you want it) the biscuits into the Baileys Once each on is soaked place in the tin until you have a layer Cover and spread evenly the freshly whipped cream Repeat the dipping processing and make another layer on top of the cream Cover and spread with cream again Sprinkle with the chocolate shavings or drops or flake etc to decorate Leave in the fridge overnight to allow the biscuits to absorb the cream mixture Remove from fridge just before serving and enjoy !!! (Increase quantities of Baileys and biscuits as required) Serve as is without
Read more

nginx decode base64 url for use with imgproxy

-
 i've been testing imgproxy, to handle our image serving needs, and it looks good. our existing servers are php based, and we sign and encode our urls for images.  To test out imgproxy , I wanted to simply drop it in as a replacement for our servers by sending a % of traffic.  There are many ways to do this, varnish was one, with custom code, but nginx is our go-to web server, so I had to find a way to have nginx sit in front of imgproxy and rewrite the decoded url. I settled on using njs, the cut down version of javascript that plugs into nginx as a loadable module.  Then use proxy_pass to pass the uri to javascript that will return the imgproxy compatable url, and proxy to it. a sample url would be http://foo.bar/images/c2lnbmF0dXJlZm9vaHR0cDovL3MzLWV1LXdlc3QtMS5hbWF6b25hd3MuY29tL215YnVja2V0b2ZwaG90b3MvcGhvdG9fb2ZfYV9jYXQ1fHx8MTIwMHgxMjAwfHx8fHx8fHw==.jpeg it has a sig, a bucket url, and parameters like image size. Getting nginx setup nginx.conf load_module modules/ngx_http_js
Read more

using t1n1wall, opnsense or pfsense on Google Compute Engine GCE

-
I have been doing some work in GCP recently, both appengine , and GCE.  We wanted to make sure all our instances were on private ips and only the LBs had internet ips. This gave us the problem of how to allow our instances reach the internet for updates or for api calls outside. In AWS you had a NAT gateway, but in GCP this doesn't exist. So I set about looking at the easiest way to do NAT from a private IP subnet to a Public address.  I am very familiar with m0n0wall and t1n1wall and a tiny bit with pfsense and less with opnsense. The tl;dr is that all these distributions ship an image which within the distribution there is a disk image.  Taking this internal image, renaming it and re-compressing it is all you need to do to get it working in GCE. you can configure it via the serial port using these instructions  There are guides out there around doing things with Linux and stuff, but you can skip that step. I took the latest version of t1n1wall 2.11 , got the simple a
Read more