Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/google/ngx_token_binding

NGINX module for Token Binding
https://github.com/google/ngx_token_binding

Last synced: 3 months ago
JSON representation

NGINX module for Token Binding

Host: GitHub
URL: https://github.com/google/ngx_token_binding
Owner: google
License: apache-2.0
Created: 2016-11-14T04:00:10.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2023-01-09T02:21:31.000Z (over 1 year ago)
Last Synced: 2023-04-09T06:27:11.559Z (about 1 year ago)
Language: C
Homepage:
Size: 17.6 KB
Stars: 44
Watchers: 6
Forks: 16
Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Lists

awesome-bazel - ngx_token_binding

README

# ngx_token_binding

This NGINX module provides mechanism to cryptographically bind HTTP cookies
to client's HTTPS channel using Token Binding, as defined by following IETF
drafts:

- [draft-ietf-tokbind-protocol](https://tools.ietf.org/html/draft-ietf-tokbind-protocol),
- [draft-ietf-tokbind-negotiation](https://tools.ietf.org/html/draft-ietf-tokbind-negotiation),
- [draft-ietf-tokbind-https](https://tools.ietf.org/html/draft-ietf-tokbind-https).

## Status

This NGINX module is under active development.

## Installation

[Token Bind](https://github.com/google/token_bind) library used by this module
requires support for adding custom TLS extensions, which means that NGINX must
be compiled against [BoringSSL](https://boringssl.googlesource.com/boringssl)
or [patched](https://github.com/google/token_bind/blob/master/example/custom_ext_resume.patch)
[OpenSSL](http://openssl.org/).

To build `nginx` binary with patched OpenSSL:

$ cd nginx-1.x.x
$ ./configure --with-http_ssl_module \
--with-openssl=/path/to/patched/openssl/sources \
--add-module=/path/to/ngx_token_binding
$ make && make install

## Configuration directives

### `token_binding`

- **syntax**: `token_binding on|off`
- **default**: `off`
- **context**: `http`, `server`

Enables negotiation and verification of the Token Binding protocol.

Token Binding ID variables (described below) are going to be available when
client successfully negotiates Token Binding.

### `token_binding_cookie`

- **syntax**: `token_binding_cookie |all|none`
- **default**: `none`
- **context**: `http`, `server`

Binds selected `` (or all) to client's HTTPS channel and verifies that
properly bound cookies are received from the client.

Because Token Binding ID can be established only over HTTPS, `Secure` attribute
is going to be added to cookies bound this way. Also, such cookies are going to
be removed from HTTP requests and responses.

### `token_binding_secret`

- **syntax**: `token_binding_secret `
- **default**: `none`
- **context**: `http`, `server`

Secret used to bind cookies using `token_binding_cookie` directive.

## Variables

### `$provided_token_binding_id`

Returns `base64url(sha256(ProvidedTokenBindingID))` if client negotiated
Token Binding.

### `$provided_token_binding_key_type`

Returns key type of `ProvidedTokenBindingID` if client negotiated Token Binding.

### `$referred_token_binding_id`

Returns `base64url(sha256(ReferredTokenBindingID))` if client negotiated
Token Binding.

### `$referred_token_binding_key_type`

Returns key type of `ReferredTokenBindingID` if client negotiated Token Binding.

## Contributing

See [Contributing](CONTRIBUTING.md).

## License

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

## Disclaimer

This is not an official Google product.