Loading ...mod_secdownload - Lighttpd Create Secure Download Area with Unique Download URL
Lighttpd handle secured download mechanisms using mod_secdownload modules. It uses the lighttpd webserver and the internal HTTP authentication using secrete password. This module use the concept called authenticated URL for a specified time. Each unique url remains valid for a specified time.
Your application has to generate a token and a timestamp which are checked by the webserver before it allows the file to be downloaded by the webserver.
URL Format
The generated URL has to have the format:
<uri-prefix>/<token>/<timestamp-in-hex>/<rel-path>
Which looks like
http://theos.in/dl/6262df3adba2bc85846e05440fcc3895/4804f986/file.zip
is an MD5 of
- a secret string (user supplied)
- <rel-path> (starts with /)
- <timestamp-in-hex>
Understanding filesystem layout
- Domain name: theos.in
- Webroot : /home/lighttpd/theos.in/http/
- Download location : /home/lighttpd/download-area/ (you must upload all download files here)
- Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip
Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/
Configuration
Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append following configuration:
secdownload.secret = "MySecretSecurePassword" secdownload.document-root = "/home/lighttpd/download-area/" secdownload.uri-prefix = "/dl/" secdownload.timeout = 3600
Where.
- secdownload.secret : Your password; it must not be shared with anyone else
- secdownload.document-root : Download file system location, must be outside domain webroot / documentroot
- secdownload.uri-prefix : url prefix such as /dl/ or /download/
- secdownload.timeout : Set timeout for each unique url in seconds
Save and close the file. Restart lighttpd:
# service lighttpd restart
Sample PHP Download Script
<?php $secret = "MySecretSecurePassword"; $uri_prefix = "/dl/"; # set filename $f = "/file.zip"; # set current timestamp $t = time(); $t_hex = sprintf("%08x", $t); $m = md5($secret.$f.$t_hex); # finally generate link and display back on screen printf('<a href="%s%s/%s%s" class="broken_link">%s</a>',$uri_prefix, $m, $t_hex, $f, $f); ?>
410 Gone HTTP Error Code
After timeout; unique url will be gone and end user will get 410 http status code. It indicates that the resource requested is no longer available and will not be available again. So if anybody deeplinked or hotlinked your content it will be gone after timeout.
Further readings:
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or full RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in...
- Lighttpd redirect www.domain.com requests to domain.com or vice versa
- Lighttpd 1.5 fastcgi php mod proxy backend fastcgi configuration howto
- Configure lighttpd alias (mod_alias)
- Lighttpd restrict or deny access by IP address
- Lighttpd howto setup cgi-bin access for perl programs
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: authentication, document root, md5, mod_secdownload, secure download url, timestamp, token, url ~ Last updated on: April 15, 2008
thanks for tutorial
you need to add
server.modules = ( …, “mod_secdownload”, … )
in conf file too.