Accept cookies for analytics, social media, and advertising, or learn more and adjust your preferences. These cookies are on by default for visitors outside the UK and EEA. Privacy Notice.
ngx_http_secure_download_module - a module that enables you to create links which are only valid until a certain datetime is reached. The way it works is similar to lightttpd’s mod_secdownload, but not exactly same.
Syntax: | secure_download [ on | off ] |
---|---|
Default: | off |
Context: | location |
This can turn the module on/off.
Syntax: | secure_download_secret <secret string> |
---|---|
Default: | none |
Context: | location |
Defines the string which is included in the md5 hash. It can also contain variables.
Syntax: | secure_download_path_mode [ file | folder ] |
---|---|
Default: | folder |
Context: | location |
This defines if the md5 hash has to be done for the full path, including filename, or just the folders which contain the file, without the filename. Depending on this your link will be valid either for a whole directory, or only for one file.
Note
The way this works is simply that if you specify folder
, it will drop the last part of the accessed path and to the hash on the rest. This means that if you use a path which doesn’t specify a filename, because you maybe want to access the index.html or you rely on some rewriting, you better specify file
to make it match the full path.
This variable contains the result of the request URL validation process. It always contains a number and can have the following possible values:
A generated URI must have the following format:
<real_path>/<md5_hash>/<expiration_timestamp>
the md5 hash gets generated out of the following string:
<real_path>/<secret (user supplied)>/<expiration_timestamp>
real_path
can be either the path of the file which you want to access or the folder which contains the file, which of those two has to be defined in the NGINX configsecret
is some random string which must be known by the NGINX config and by the link generating scriptexpiration_timestamp
is a unix_timestamp (seconds since beginning of 1970) in hexadecimal formaLets say you have a file in your document root under the path /somefolder/protected.html
. Now you want to generate a link which expires in 20 minutes, so you do following:
1240928342
49F71056
/somefolder/protected.html/privatestring/49F71056
which consists of <real path/secret string/timestamp in hex
f901b5272c17b456fabf49c3e9bcc120
<real_path>/<md5>/<timestamp>
in our example this would look like /somefolder/protected.html/f901b5272c17b456fabf49c3e9bcc120/49F71056
Now your config could look like following:
location /somefolder {
secure_download on;
secure_download_secret IAmSalt$remote_addr;
secure_download_path_mode file;
if ($secure_download = "-1") {
rewrite /expired.html break;
}
if ($secure_download = "-2") {
rewrite /bad_hash.html break;
}
if ($secure_download = "-3") {
return 500;
}
rewrite ^(.*)/[0-9a-zA-Z]*/[0-9a-zA-Z]*$ $1 break; // crop all the /hash/time stuff off the url
}
OR:
location /secured {
secure_download on;
secure_download_path_mode file;
secure_download_secret DontCopyMyPics$remote_addr;
if ($secure_download !~ "^-.") {
rewrite ^/secured(.*)/[0-9a-zA-Z]*/[0-9a-zA-Z]*$ $1 last;
}
if ($secure_download = "-1") {
rewrite . /static/expired.html last;
}
if ($secure_download = "-2") {
rewrite . /static/bad_hash.html last;
}
return 500;
}
location / {
internal;
root html;
}
location /static {
root static;
}
To compile the NGINX with this module you will need to have following:
In case you find any bugs, please write me a mail and I will try to help.
If you are using that module, I would appreciate every kind of feedback or problem reports.
I tried to give some meaningful output in the error log if you set its log level to debug.
Mail: mauro.stettler(A.T)gmail.com