Decrypt the OpenSSL binary via NGINX as it is received ("on the fly")

I have a small built-in Linux device with 128 MB flash memory for working with a notebook. This device runs the NGINX web server. To perform a firmware update, the system receives the encrypted binary file as HTTPS POST via NGINX to notepad. The system then decrypts the file and another QSPI flash device flashes to complete the update.

The firmware binary file is encrypted outside the device as follows:

openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem

The firmware binary file is decrypted after being received via NGINX on the device as follows:

openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password

I would really like to decrypt the binary, since it was received (on the fly) through NGINX, so it appears on the flash notebook in its decrypted form.

I could not find any existing NGINX modules on Google that would do this. How can I do this? Thanks.

2 answers

First of all, you need to understand one thing. While nginx decrypts the file, all other requests will be blocked. Therefore, nginx does not support CGI, but only FastCGI.

(, nginx ), perl lua: http://nginx.org/en/docs/http/ngx_http_perl_module.html, https://github.com/openresty/lua-nginx-module

, exec shell. client_body_in_file_only - https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_in_file_only

perl ():

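location /upload {
  client_body_in_file_only clean;
  perl 'sub {
    my $r = shift;
    # has_request_body() makes nginx read the body, then runs the callback.
    return 0 if $r->has_request_body(sub {   # 0 is OK
      my $r = shift;
      my $in = $r->request_body_file or return 400;
      # List form of system() runs openssl without a shell.
      my $rc = system("openssl", "smime", "-decrypt", "-binary", "-in", $in, "-inform", "DER", "-out", "/tmp/decrypted.zip", "-inkey", "private.key", "-passin", "pass:your_password");
      return 500 if $rc != 0;
      $r->send_http_header("text/plain");
      $r->print("decrypted");
      return 0;
    });
    return 400;   # HTTP_BAD_REQUEST: no request body
  }';
}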

fastcgi. wcper fastcgi, fcgiwrap https://www.nginx.com/resources/wiki/start/topics/examples/fcgiwrap/

+3
+1
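The fcgiwrap route mentioned in the answer above, as an added example that is not part of the original answer: a CGI script that decrypts the POST body from standard input and only moves the result into place when decryption succeeds. The key, passphrase-file and output paths are assumptions, as is nginx handing the upload location to fcgiwrap with the stock fastcgi_params.

```shell
#!/bin/sh
# Added example: CGI handler run by fcgiwrap. All paths are assumptions.
KEY=${KEY:-/etc/fwupdate/private.key}          # hypothetical key location
PASSFILE=${PASSFILE:-/etc/fwupdate/key.pass}   # hypothetical, mode 0400
OUT=${OUT:-/tmp/decrypted.zip}

# Decrypt DER S/MIME from stdin to $1 using key $2 and passphrase file $3.
# Output goes to a temp file and is renamed only on success, so a failed or
# truncated upload never leaves a partial image at the final path.
# -passin file: keeps the passphrase out of the process list, unlike pass:.
decrypt_upload() {
    out=$1 key=$2 passfile=$3
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if openssl smime -decrypt -binary -inform DER \
           -inkey "$key" -passin "file:$passfile" -out "$tmp" 2>/dev/null \
       && [ -s "$tmp" ]; then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

main() {
    if [ "${REQUEST_METHOD:-}" != "POST" ]; then
        printf 'Status: 405 Method Not Allowed\r\n\r\n'
        return 0
    fi
    if decrypt_upload "$OUT" "$KEY" "$PASSFILE"; then
        printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\ndecrypted\n'
    else
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\ndecrypt failed\n'
    fi
}

# fcgiwrap exports GATEWAY_INTERFACE from nginx fastcgi_params; run only as CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then main; fi
```

The script itself never writes the ciphertext to flash; whether nginx buffers the request body to a temporary file before forwarding it depends on the nginx configuration.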

Source: https://habr.com/ru/post/1667085/
