Lighttpd handles secure downloads with the mod_secdownload module. It relies on the lighttpd web server itself and on internal HTTP authentication based on a secret password. The module uses the concept of authenticated URLs: each unique URL remains valid only for a specified time.
Your application has to generate a token and a timestamp, which the web server checks before it allows the file to be downloaded.
URL Format
The generated URL has to have the format:
<uri-prefix>/<token>/<timestamp-in-hex>/<rel-path>
Which looks like:
http://theos.in/dl/6262df3adba2bc85846e05440fcc3895/4804f986/file.zip
<token> is an MD5 of:
- a secret string (user supplied)
- <rel-path> (starts with /)
- <timestamp-in-hex>
Understanding filesystem layout
- Domain name: theos.in
- Webroot : /home/lighttpd/theos.in/http/
- Download location : /home/lighttpd/download-area/ (you must upload all download files here)
- Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip
Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/
Configuration
Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append the following configuration:
secdownload.secret        = "MySecretSecurePassword"
secdownload.document-root = "/home/lighttpd/download-area/"
secdownload.uri-prefix    = "/dl/"
secdownload.timeout       = 3600
Where:
- secdownload.secret : Your password; it must not be shared with anyone else
- secdownload.document-root : Download file system location, must be outside domain webroot / documentroot
- secdownload.uri-prefix : url prefix such as /dl/ or /download/
- secdownload.timeout : Set timeout for each unique url in seconds
Save and close the file. Restart lighttpd:
# service lighttpd restart
Sample PHP Download Script
<?php
$secret = "MySecretSecurePassword";
$uri_prefix = "/dl/";

# set filename
$f = "/file.zip";

# set current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);

# token: MD5 of secret + rel-path + hex timestamp
$m = md5($secret.$f.$t_hex);

# finally generate link and display back on screen
printf('<a href="%s%s/%s%s">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
?>
410 Gone HTTP Error Code
After the timeout, the unique URL is gone and the end user gets a 410 HTTP status code. It indicates that the requested resource is no longer available and will not be available again. So if anybody deep-linked or hotlinked your content, the link stops working after the timeout.
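The token scheme and the timeout check described above, as an added Python example (not code from the original article or from lighttpd): make_url() mirrors the PHP generator and check_url() models the decision the server makes. The function names, the 404 for malformed paths and the symmetric clock check are assumptions of this model; 403 for a wrong token is the status given in lighttpd's mod_secdownload documentation, not on this page.

```python
import hashlib
import hmac
import time

# Values taken from the lighttpd.conf on this page.
SECRET = "MySecretSecurePassword"
URI_PREFIX = "/dl/"
TIMEOUT = 3600  # secdownload.timeout, in seconds


def token_for(rel_path, t_hex):
    # MD5 over secret + <rel-path> + <timestamp-in-hex>, in that order.
    return hashlib.md5((SECRET + rel_path + t_hex).encode()).hexdigest()


def make_url(rel_path, now=None):
    """Application side: <uri-prefix><token>/<timestamp-in-hex><rel-path>."""
    if not rel_path.startswith("/"):
        raise ValueError("rel-path must start with /")
    t_hex = "%08x" % int(time.time() if now is None else now)
    return URI_PREFIX + token_for(rel_path, t_hex) + "/" + t_hex + rel_path


def check_url(url_path, now=None):
    """Model of the server-side check; returns the HTTP status code."""
    now = int(time.time() if now is None else now)
    parts = url_path[len(URI_PREFIX):].split("/", 2)
    if not url_path.startswith(URI_PREFIX) or len(parts) != 3:
        return 404  # not a secdownload URL (status is this model's choice)
    token, t_hex, rel_path = parts[0], parts[1], "/" + parts[2]
    try:
        issued = int(t_hex, 16)
    except ValueError:
        return 404  # timestamp is not hex (this model's choice)
    # Expiry first: a stale link is Gone even if its token was valid.
    # A timestamp too far in the future is treated the same way here.
    if abs(now - issued) > TIMEOUT:
        return 410
    # Constant-time comparison of the recomputed token with the presented one.
    expected = token_for(rel_path, t_hex).encode()
    if not hmac.compare_digest(expected, token.lower().encode()):
        return 403  # rejection status per the mod_secdownload documentation
    return 200


if __name__ == "__main__":
    url = make_url("/file.zip")
    print(url, check_url(url))
```

Because the path is part of the hashed input, a token issued for /file.zip cannot be reused for another file, and because the timestamp is hashed too, it cannot be edited to extend the link's lifetime.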
3 comments:
thanks for tutorial
you need to add
server.modules = ( …, "mod_secdownload", … )
in conf file too.
Thanks for information.
A fix in PHP script.
The next line doesn’t show url correctly.
printf('<a href="http://www.cyberciti.biz/" rel="nofollow">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);
This line fixes the issue.
printf('<a href="%s%s/%s%s" rel="nofollow">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
it didn’t work for me, btw where should i put php download file???
thanks