Google Git
Sign in
apache / httpd / 40b8cb4e81fe2c1ad9838fdc78e6da46ce848278 / . / docs / manual / mod / mod_crypto.html.en.utf8
blob: 2d821ce575731653fce63f5d368603459d9a6dda [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_crypto - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.5</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_crypto</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_crypto.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/mod/mod_crypto.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Support for symmetrical encryption and decryption</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>crypto_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_crypto.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.5 and later</td></tr></table>
<h3>Summary</h3>
<p>This module provides the ability to <strong>encrypt and decrypt</strong>
data on the input and output filter stacks.</p>
<p>Most specifically, it can be used to implement <strong>on-the-fly HLS
encryption</strong> as described by
<a href="http://www.ietf.org/id/draft-pantos-http-live-streaming-19.txt">
draft-pantos-http-live-streaming-19</a>.</p>
<p>Alternatively, it can be used to deliver secure data over insecure CDN
to suitable clients.</p>
<p>The crypto filter may be added to either the input or the
output filter stacks, as appropriate, using the
<code class="directive"><a href="../mod/core.html#setinputfilter">SetInputFilter</a></code>,
<code class="directive"><a href="../mod/core.html#setoutputfilter">SetOutputFilter</a></code>,
<code class="directive"><a href="../mod/mod_mime.html#addoutputfilter">AddOutputFilter</a></code> or
<code class="directive"><a href="../mod/mod_filter.html#addoutputfilterbytype">AddOutputFilterByType</a></code> directives.</p>
</div>
<div id="quickview"><h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#format">Stream Format</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#config">Keys and IVs</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#handler">Crypto Key Handler</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#hls">HTTP Live Streaming</a></li>
</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#cryptocipher">CryptoCipher</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cryptodriver">CryptoDriver</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cryptoiv">CryptoIV</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cryptokey">CryptoKey</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cryptosize">CryptoSize</a></li>
</ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_crypto">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_crypto">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li><a href="../filter.html">Filters</a></li>
<li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="format" id="format">Stream Format</a> <a title="Permanent link" href="#format" class="permalink">&para;</a></h2>
<p>The encrypted stream consists of an optional IV block, followed by encrypted
blocks using the chosen cipher. The final block is padded before being written. The
size of the blocks is governed by the choice of cipher in use.</p>
<p>When the IV is specified with the <code class="directive"><a href="#cryptoiv">CryptoIV</a></code>
directive, that IV is used, and is not written to or read from the stream.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="config" id="config">Keys and IVs</a> <a title="Permanent link" href="#config" class="permalink">&para;</a></h2>
<p>
The
<code class="directive"><a href="#cryptokey">CryptoKey</a></code>
and
<code class="directive"><a href="#cryptoiv">CryptoIV</a></code>
directives expect binary
values which can be specified in a number of ways as below. The most significant bits of the relevant values
are used, and if the values are too short, they are padded on the left
with zero bits.
</p>
<dl>
<dt>file:</dt><dd>Read the value directly from the given file.</dd>
<dt>hex:</dt><dd>Parse the expression as a hex value, which may contain colon separators.</dd>
<dt>decimal:</dt><dd>Parse the expression as a decimal value.</dd>
<dt>base64:</dt><dd>Parse the expression as a base64 value.</dd>
<dt>none</dt><dd>No value is specified.</dd>
</dl>
<p>If the IV is unspecified a random IV will be generated during
encryption and written
as the first block. During decryption, the first block will be
interpreted as the IV.
</p>
<p>With the exception of file:, the <code class="directive"><a href="#cryptokey">CryptoKey</a></code>
and <code class="directive"><a href="#cryptoiv">CryptoIV</a></code> directives allow
<a href="../expr.html">expression syntax</a> to provide flexibility when setting the values.
This allows both keys and IVs to be salted with values available to the webserver, such
as REMOTE_USER, or the URL.
</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="handler" id="handler">Crypto Key Handler</a> <a title="Permanent link" href="#handler" class="permalink">&para;</a></h2>
<p>For convenience, the <strong>crypto-key</strong> handler can be used to serve the key
to suitably authorized clients, removing the need to store the key within the directory
space of the webserver. This also allows the same <a href="../expr.html">expression
syntax</a> to be used to derive the key for both the clients and the encrypted content.</p>
<div class="example"><h3>Crypto Key Handler with a File</h3><p><code>
&lt;Location /key&gt;<br />
<span class="indent">
SetHandler crypto-key<br />
CryptoCipher aes128<br />
CryptoKey file:/path/to/file.key<br />
AuthType basic<br />
...<br />
</span>
&lt;/Location&gt;<br />
</code></p></div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="hls" id="hls">HTTP Live Streaming</a> <a title="Permanent link" href="#hls" class="permalink">&para;</a></h2>
<p>The HLS protocol supports encrypted streams using the AES-128 cipher and a
corresponding key. Access is granted to the stream by sharing the key with
the HLS client, typically over a secured connection.</p>
<p>The IV used for encrypting each media segment is specified within
HLS in one of two ways:</p>
<ul>
<li>
Explicitly specified within an IV attribute inside the EXT-X-KEY
tag as a <strong>hexadecimal</strong> value.
</li>
<li>
Implicitly specified by interpreting the <strong>decimal</strong>
value of the EXT-X-MEDIA-SEQUENCE tag.
</li>
</ul>
<p>The media sequence value is usually embedded within the media
segment filenames, and can be matched by using named regular
expressions as per the example below.
</p>
<div class="example"><h3>HLS Example - IV from media sequence</h3><p><code>
&lt;LocationMatch (?&lt;SEQUENCE&gt;[\d]+)[^\d^/]+$&gt;<br />
<span class="indent">
SetOutputFilter ENCRYPT<br />
CryptoCipher aes128<br />
CryptoKey file:/path/to/file.key<br />
CryptoIV decimal:%{env:MATCH_SEQUENCE}<br />
</span>
&lt;/LocationMatch&gt;<br />
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CryptoCipher" id="CryptoCipher">CryptoCipher</a> <a name="cryptocipher" id="cryptocipher">Directive</a> <a title="Permanent link" href="#cryptocipher" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher to be used by the crypto filter</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CryptoCipher name</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CryptoCipher aes256</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_crypto</td></tr>
</table>
<p>The <code class="directive">CryptoCipher</code> directive allows specification of
the cipher to be used during encryption or decryption. If not specified, the
cipher defaults to <code>aes256</code>.</p>
<p>Possible values depend on the crypto driver in use, and could be one of:</p>
<ul><li>3des192</li><li>aes128</li><li>aes192</li><li>aes256</li></ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CryptoDriver" id="CryptoDriver">CryptoDriver</a> <a name="cryptodriver" id="cryptodriver">Directive</a> <a title="Permanent link" href="#cryptodriver" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name of the crypto driver to use</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CryptoDriver name</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CryptoDriver openssl</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_crypto</td></tr>
</table>
<p>The <code class="directive">CryptoDriver</code>
directive specifies the name of the crypto driver to use. There is usually
a recommended default driver on each platform. Possible values include
<strong>openssl</strong>, <strong>commoncrypto</strong> and
<strong>nss</strong>.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CryptoIV" id="CryptoIV">CryptoIV</a> <a name="cryptoiv" id="cryptoiv">Directive</a> <a title="Permanent link" href="#cryptoiv" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>IV (Initialisation Vector) to be used by the crypto filter</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CryptoIV value</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CryptoIV none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_crypto</td></tr>
</table>
<p>The <code class="directive">CryptoIV</code> directive allows the IV (initialisation
vector) to be specified for the particular URL space. The IV can be read from
a file, or can be set based on the <a href="../expr.html">expression parser</a>,
allowing for flexible scenarios for the setting of keys.</p>
<p>Values can be specified as read from a file, or as a hexadecimal, decimal or
base64 value based on the following prefixes:</p>
<ul><li>file:</li><li>hex:</li><li>decimal:</li><li>base64:</li></ul>
<p>The value 'none' disables setting of the IV. In this case, during encryption
a random IV will be generated and inserted as the first block, and during
decryption the first block will interpreted as the IV.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CryptoKey" id="CryptoKey">CryptoKey</a> <a name="cryptokey" id="cryptokey">Directive</a> <a title="Permanent link" href="#cryptokey" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Key to be used by the crypto filter</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CryptoKey value</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CryptoKey none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_crypto</td></tr>
</table>
<p>The <code class="directive">CryptoKey</code> directive allows the encryption / decryption
key to be specified for the particular URL space. The key can be read from a file, or
can be set based on the <a href="../expr.html">expression parser</a>, allowing for
flexible scenarios for the setting of keys.</p>
<p>Values can be specified as read from a file, or as a hexadecimal, decimal or
base64 value based on the following prefixes:</p>
<ul><li>file:</li><li>hex:</li><li>decimal:</li><li>base64:</li></ul>
<p>The value 'none' disables the key. An attempt to serve a file through the ENCRYPT
or DECRYPT filters without a key will cause the request to fail.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CryptoSize" id="CryptoSize">CryptoSize</a> <a name="cryptosize" id="cryptosize">Directive</a> <a title="Permanent link" href="#cryptosize" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Maximum size in bytes to buffer by the crypto filter</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CryptoSize integer</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CryptoSize 131072</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_crypto</td></tr>
</table>
<p>The <code class="directive">CryptoSize</code>
directive specifies the amount of data in bytes that will be
buffered before being encrypted or decrypted during each request.
The default is 128 kilobytes.</p>
</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_crypto.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/mod/mod_crypto.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_crypto.html';
(function(w, d) {
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
d.write('<div id="comments_thread"><\/div>');
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
}
else {
d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
}
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2020 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();
}
//--><!]]></script>
</body></html>