Shout out to all you Akamaized folks our there. I thought I would share some of my homework from the last week or so. I have been working on a managed module for IIS origin on Windows Server to support the Akamai Ghost to Origin / G2O / signature auth feature. I thought I would share the work here for others to reuse.
Overview of G2O:
Akamai edge servers adds 2 headers, 1 containing the parameters of the authentication and 1 containing a hash of these with a secret key. The actual authentication is performed by the origin server.
version 1: MD5(key,data,sign-string)
version 2: MD5(key,MD5(key,data,sign-string))
version 3: MD5-HMAC(key,data,sign-string)
version 4: SHA1-HMAC(key,data,sign-string)
version 5: SHA256-HMAC(key,data,sign-string)
Overview of IIS modules
This page Developer Story Internet Information Services shows how the IIS 7 integrated pipeline handler works. I am working as a custom managed module that executes AFTER the handler for HTTP smooth streaming, hence the code has a workaround for that. I may look to solve this another way i.e make a handler or even a native module.
I started with some C# in the App_Code directory of my IIS application to recognise the headers X-Akamai-G2O-Auth-Data and X-Akamai-G2O-Auth-Sign, my friend helped me optimise the code and add some web.config stuff.
The module loads config from web.config when it initialises, then processes each request in the following order
get time, url & querystring : this data is taken from the local server clock and request parameters and used further on:
ism || isml : this is used to determine whether the request is for smooth streaming. This is because the smooth handler is actioned BEFORE the auth module and the smooth module appears to rewrite the URL i.e BigBuckBunny.ism/Manifest => BigBuckBunny.ism?Manifest
apply MSS fix to url : this will unrewrite the URL to ensure the URL input to the hash matches. i.e BigBuckBunny.ism?Manifest => BigBuckBunny.ism/Manifest
URL has valid UA: This is to bake into the module some User Agent checking. this can be achieved elsewhere in IIS, but included here anyway.
Does regex match: For the case that only a subset of content needs to be authenticated, a regex can be used to select that content.
Headers exist: This checks for the 2 Akamai headers X-Akamai-G2O-Auth-Data and X-Akamai-G2O-Auth-Sign, splits the data header and count the fields are correct.
epoch within timewindow check the server epoch tiem with the header epoch time, and ensures it is within the configured window
hash params: this is where the key is looked up, using the nonce and the actual hash is calculated in one of the 5 modes.
hash match: the last and important check, to ensure the hash calculated matches the akamai hash.
Things I would like to add:
- More statics loaded in the configuration
- Support for multiple Regex
- Support for handler workarounds in configuration
- Support for replay protection
- A configuration form in IIS GUI
I have made the code available on here. I cant speak for its performance right now, I dont even think we will use it in any production environment ourselves, just in our test labs, and it is offered without any warranty
Feel free to comment and suggest updates. I wont be upset if you comment harshly, software development is by no means my day job!
I will likely put it on github when it is a bit more complete and I remove all the references to "BT"