Question

This question may seem a bit odd, but is it possible, with a poor man's solution in VCL, to parse a signed request (with a shared secret key, aka a poor man's HMAC), created by the referrer (main) site, and only serve the content from Varnish if the signature is correct and the (signed) timestamp hasn't expired?

That is, similar to how Amazon S3 works, where you can easily create a signed temporary URL to your S3 object that will expire in a defined number of seconds.

Note: I'm not talking about cache object expiry here, but URL-expiration for the client.

It gets handy when you only want to give out temporary URLs to your users to prevent long-term hotlinking without checking the Referer header.

So: a poor man's solution to temporary URLs in VCL (preferably in vcl_recv, making the internal object expire). Is it possible without making a VMOD?

Edit:

I found another way of authorizing content with Varnish:

http://monolight.cc/2011/04/content-authorization-with-varnish/

But it's still not what I want to achieve.

Best regards!


Solution

Yes, this is possible.

In essence you need to verify the signature (digest vmod), pick out the timestamp from whatever header it is in (regsub), and compare it to the current time.

Use std.integer() to cast the timestamp:

https://www.varnish-cache.org/docs/trunk/reference/vmod_std.html#integer

Use the built-in now variable in VCL to find the current timestamp. You might want to do (now + 0s) to force Varnish to give you a Unix timestamp.

https://www.varnish-cache.org/docs/trunk/reference/vcl.html#variables

The digest vmod is on github:

https://github.com/varnish/libvmod-digest

OTHER TIPS

There is already a VMOD for this, if that helps?

Varnish Secure Download Module

Licensed under: CC-BY-SA with attribution