3

Trying to use /update-cache/ requests to update some AMP pages, but i'm getting 403 errors.

Removed the opening part/protocol from the urls since i don't have the reputation to post this many links, but everything is https.

I have a page at: www.qponverzum.hu/ajanlat/budapest-elozd-meg-a-hajhullast-mikrokameras-hajdiagnosztika-hajhagyma-es-fejborvizsgalattal-tanacsadas-5000-ft-helyett-2500-ft-ert-biohajklinika-szepsegapolas-egeszseg/amp

From the AMP cache: www-qponverzum-hu.cdn.ampproject.org/c/s/www.qponverzum.hu/ajanlat/budapest-elozd-meg-a-hajhullast-mikrokameras-hajdiagnosztika-hajhagyma-es-fejborvizsgalattal-tanacsadas-5000-ft-helyett-2500-ft-ert-biohajklinika-szepsegapolas-egeszseg/amp

I've been following the documentation at developers.google.com/amp/cache/update-ping

If i make an /update-ping request, it seems to work fine, returns a 200 no content response, but due to the high amount of urls/pages we would like to use /update-cache since it allows for a higher request rate.

I've created a private and public RSA key and made the public key acessible at www.qponverzum.hu/.well-known/amphtml/apikey.pub

I've been trying to use the following php code to generate the update-cache url

$ampBaseUrl = "https://www-qponverzum-hu.cdn.ampproject.org";
$signatureUrl = '/update-cache/c/s/www.qponverzum.hu/ajanlat/budapest-elozd-meg-a-hajhullast-mikrokameras-hajdiagnosztika-hajhagyma-es-fejborvizsgalattal-tanacsadas-5000-ft-helyett-2500-ft-ert-biohajklinika-szepsegapolas-egeszseg/amp?amp_action=flush&_ts='.time();

// opening the private key
$pkeyid = openssl_pkey_get_private("file://private-key.pem");

// generating the signature
openssl_sign($signatureUrl, $signature, $pkeyid)

// urlsafe base64 encoding
$signature = urlsafe_b64encode($signature);

// final url for updating
$ampUrl = $ampBaseUrl.$signatureUrl."&amp_url_signature=".$signature;

The urlsafe_b64encode function I'm using:

function urlsafe_b64encode($string) {
    return str_replace(array('+','/','='),array('-','_',''), base64_encode($string));
}

$ampUrl ends up looking like this: https://www-qponverzum-hu.cdn.ampproject.org/update-cache/c/s/www.qponverzum.hu/ajanlat/budapest-elozd-meg-a-hajhullast-mikrokameras-hajdiagnosztika-hajhagyma-es-fejborvizsgalattal-tanacsadas-5000-ft-helyett-2500-ft-ert-biohajklinika-szepsegapolas-egeszseg/amp?amp_action=flush&amp_ts=1500362660&amp_url_signature=NjTCnmqUGpMY_CokGxchoczSOxnTLQvcQsX4fv2gIhW3H8hVw24mKCpmNoyV-9LND3OAR9ld80KeMH3lip863p_wBorIy1BAag7bRfvWcxsPrbqbox87VMrUWCEsry5epWxKYl2qNCT1GMv8SYAJ5WR0QZR0Qjvw5MXfZjohmbvrxJ7mWlc7fcvWoIXuO_q_yFkhi7A-fOZWm9sy8UDIlq-zNEPkVUwfqfWc_HbNHgvrk9Z6zZSNzB-dWAOT6QYAc1KeEVOIbvQxKkLkGMArTpydj5iLxz0aERvglKRl215Bqh6_jZu95T5yKv7X4R127ylpWYW2YDlTR9bgRE7Faw

If I make a simple GET request to this url(with a browser or curl) i get a 403 error('Your client does not have permission to get URL').

I've checked the webserver logs, but it doesn't seem like there're any requests made to the public keys url.

I think I'm missing something very obvious, so any feedback would be greatly appreciated.

Bachcha Singh
  • 3,850
  • 3
  • 24
  • 38
Tamás Liska
  • 31
  • 1
  • 2

3 Answers3

3

There's an error in $signatureUrl - it should be amp_ts instead of _ts in the query params and in openssl_sign add the fourth parameter openssl_sign($signatureUrl, $signature, $pkeyid, OPENSSL_ALGO_SHA256);

The signature needs to be signed with SHA256, if you omit the last parameter it uses SHA1

I've used your script with these 2 changes for my work project and it's working fine.

It should return "OK" in the response body if it's fine.

Check this https://gist.github.com/krzysztofbukowski/739ccf4061d69360b5b2c8306f5878bd

Krzysztof Bukowski
  • 31
  • 2
2

Try to set the response content type to "text/plain" for https://www.qponverzum.hu/.well-known/amphtml/apikey.pub as recommended in here

=========

I use the script for update cache, but I got the 403 forbidden error. It's hard to debug and find out the root cause. Did someone succed?

Shudy
  • 7,806
  • 19
  • 63
  • 98
kul3r4
  • 351
  • 1
  • 6
1

All the other answers have really helped - thanks. I'm adding a little here which may hopefully also help.

As @kul3r4 points out (I missed it first time round) the apikey.pub file needs to be served as plain text. Here is the Nginx config rule for that;

    location /.well-known/amphtml/apikey.pub { ## serve amp public key as plain/text
         default_type text/plain;
    }

If you are echoing out @Krzysztof Bukowski's answer to the screen, the fact that &amp is in the url parameters means my browser was stripping out the amp part of the amp_ts and amp_url_signature so be aware of that.

If you are struggling with the file paths and syntax of this;

    $pkeyid = openssl_pkey_get_private("file://amp-private-key.pem");

Then just follow this answer here and put the contents of your private key in a variable -> Openssl and PHP

McNab
  • 6,767
  • 4
  • 35
  • 55