Using nginscript as a file distribution service with permission

There was a previous one with permission verification CDN service , There is no synchronized opening of overseas CDN, Has been using a Hong Kong server to provide file services . In order to achieve and CDN The same authority algorithm , Yes, it is Node Made server .JS Of course, it is very easy to do permission verification logic , however Node It's a little too much to do file service , Read file streams , Write http flow , I don't know how to realize zero copy , There seems to be a memory leak that can't be located , After a few days of service, I will die for no reason , And write a monitor to pull it up .

In fact, I always know Nginx+Lua Maybe the best solution , But think about learning a language that seems useless in other situations …… let Node Restart the service .

Until I found out NginScript（NJS）, This is very suitable for javascript This stateless computing service is embedded in the file distribution process .

Install the latest Nginx+NJS, Server is CentOS 8.2, The corresponding rpm package ：

rpm -Uvh https://nginx.org/packages/centos/8/x86_64/RPMS/nginx-1.20.1-1.el8.ngx.x86_64.rpm
rpm -Uvh https://nginx.org/packages/centos/8/x86_64/RPMS/nginx-module-njs-1.20.1%2B0.7.0-1.el8.ngx.x86_64.rpm

The file has been COS Internal management , adopt COS Distribute to CDN Of , The simplest way is to let Nginx distribution COS The best way is to use COSFS hold bucket Mount to /mnt Under the table of contents . however 8.0+ Of CentOS For system yum install COSFS Is not compatible with , To download and compile ：

 yum install automake gcc-c++ git libcurl-devel libxml2-devel fuse-devel make openssl-devel fuse
git clone https://github.com.cnpmjs.org/tencentyun/cosfs /usr/cosfs
cd /usr/cosfs
./autogen.sh
./configure
make
sudo make install
cosfs --version

github Visits are often disconnected , Changed the acceleration site github.com.cnpmjs.org To download to .

Because you need permission to access files , So it is mounted COS The catalog of somewhere Not directly in Nginx Li is open to the outside world , Be open to the inside , Only authenticated requests are allowed to be downloaded by internal redirection ：

    load_module modules/ngx_http_js_module.so;
    ......
    http {
    ......
    js_import http.js;
    ......
    
    location /somewhere{
        internal;
        root /mnt/somewhere/;
    }
    
    location / {
        js_content http.redirect;
    }

From the outside http Request directly to http.js You can access only after you have passed the authentication somewhere：

function redirect(r) {
	for(var i in headers){
		r.headersOut[i]=headers[i];
	}

	if(r.method == "OPTIONS"){
		r.return(200, "ok");
	}else{
		var pathname = r.uri;
		if(/\.((jpe?g)|(png)|(gif)|(ico)|(html?))$/.test(r.uri)){
			r.internalRedirect('/somewhere'+r.uri);
		}else if(r.args && r.args.data){
			var checkResult = checkAuth(decodeURIComponent(r.args.data));
			if(checkResult){
				r.internalRedirect('/somewhere'+checkResult);
			}else{
				r.internalRedirect('/somewhere/404.html');
			}
		}else{
			r.internalRedirect('/somewhere/404.html');
		}
	}
}

export default {redirect};

Authentication algorithm ：

function checkAuth(fullpath){
	const crypto = require('crypto'),
	rFullPath = /https:\/\/www.myDomainName.com([^\.]*\.mp3)\?sign=([\d]+)\-([0-9a-z]+)\-([0-9]+)\-([0-9a-f]+)/ ;
	cdnkey = "my-cdn-key...................";
	if(!rFullPath.test(fullpath)){
		return false
	} ;
	var t=fullpath.match(rFullPath);
	var path=t[1],timestamp=t[2],rand=t[3],uid=t[4],md5=t[5]
	var timeDiff = Date.now()-timestamp;
	if(timeDiff>3600000){
		return false	
	}
	var data = path+"-"+timestamp+"-"+rand+"-"+uid+"-"+cdnkey;
	if (md5 == crypto.createHash('md5').update(data).digest("hex")){
		return decodeURI(path)
	};
	return false;
}

All over the world JS Is a , Most of the code logic starts from Node You can use it directly after you dig it out of the service program .

That's how it works NginScript Simply reprint Tencent cloud CDN Static file distribution with validation .