mod_secdownload – Lighttpd Create Secure Download Area with Unique Download URL

April 15, 2008 · 3 comments · LAST UPDATED April 15, 2008

Lighttpd handles secured downloads with the mod_secdownload module. It uses the lighttpd webserver and internal HTTP authentication based on a secret password. The module uses the concept of an authenticated URL: each unique URL remains valid only for a specified time.

Your application has to generate a token and a timestamp, which the webserver checks before it allows the file to be downloaded.

URL Format

The generated URL has to have the format:

<uri-prefix>/<token>/<timestamp-in-hex>/<rel-path>

Which looks like
http://theos.in/dl/6262df3adba2bc85846e05440fcc3895/4804f986/file.zip

<token> is an MD5 of the following, concatenated in this order:

  • a secret string (user supplied)
  • <rel-path> (starts with /)
  • <timestamp-in-hex>

Understanding filesystem layout

  • Domain name: theos.in
  • Webroot : /home/lighttpd/theos.in/http/
  • Download location : /home/lighttpd/download-area/ (you must upload all download files here)
  • Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip

Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/

Configuration

Open the lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append the following configuration:

# mod_secdownload must be loaded for the secdownload.* options to take effect
server.modules             += ( "mod_secdownload" )

secdownload.secret          = "MySecretSecurePassword"
secdownload.document-root   = "/home/lighttpd/download-area/"
secdownload.uri-prefix      = "/dl/"
secdownload.timeout         = 3600

Where:

  • secdownload.secret : The secret string used to compute the token; it must not be shared with anyone else
  • secdownload.document-root : File system location of the download files; must be outside the domain webroot / document root
  • secdownload.uri-prefix : URL prefix such as /dl/ or /download/
  • secdownload.timeout : Lifetime of each unique URL, in seconds

Save and close the file. Restart lighttpd:
# service lighttpd restart

Sample PHP Download Script

<?php
$secret = "MySecretSecurePassword";
$uri_prefix = "/dl/";
 
# set filename (relative path, must start with /)
$f = "/file.zip";
 
# set current timestamp as 8 hex digits
$t = time();
$t_hex = sprintf("%08x", $t);
# token = MD5(secret . rel-path . timestamp-in-hex)
$m = md5($secret.$f.$t_hex);
# finally generate link <uri-prefix><token>/<timestamp-in-hex><rel-path> and display it
printf('<a href="%s%s/%s%s">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
?>

410 Gone HTTP Error Code

After the timeout, the unique URL is gone and the end user gets a 410 HTTP status code. It indicates that the requested resource is no longer available and will not be available again. So if anybody deep-linked or hotlinked your content, the link stops working after the timeout.
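
The token and timeout check described above, as an added Python example (not code from the original article or from lighttpd): it builds a URL the same way as the PHP script and models the check the webserver applies to it. The function names, the "ok" / "gone" / "rejected" result labels and the symmetric timeout comparison are assumptions of this example.

```python
import hashlib
import hmac
import re
import time

SECRET = "MySecretSecurePassword"   # same value as secdownload.secret
URI_PREFIX = "/dl/"                 # secdownload.uri-prefix
TIMEOUT = 3600                      # secdownload.timeout, in seconds

# <token>/<timestamp-in-hex>/<rel-path>, i.e. the part after the uri-prefix
URL_RE = re.compile(r"([0-9a-f]{32})/([0-9a-f]{8})(/.+)")


def make_token(rel_path, t_hex, secret=SECRET):
    """MD5 over secret + rel-path + timestamp-in-hex, as in the PHP script."""
    return hashlib.md5((secret + rel_path + t_hex).encode()).hexdigest()


def make_url(rel_path, now=None):
    """Build <uri-prefix><token>/<timestamp-in-hex><rel-path>."""
    t_hex = "%08x" % int(time.time() if now is None else now)
    return "%s%s/%s%s" % (URI_PREFIX, make_token(rel_path, t_hex), t_hex, rel_path)


def check_url(url_path, now=None):
    """Return 'ok', 'gone' (the 410 case) or 'rejected' (malformed or bad token)."""
    now = int(time.time() if now is None else now)
    if not url_path.startswith(URI_PREFIX):
        return "rejected"
    m = URL_RE.fullmatch(url_path[len(URI_PREFIX):])
    if m is None:
        return "rejected"
    token, t_hex, rel_path = m.groups()
    # The timestamp is part of the URL, so anyone can read or change it;
    # changing it invalidates the token, which is checked below.
    if abs(now - int(t_hex, 16)) > TIMEOUT:
        return "gone"
    expected = make_token(rel_path, t_hex)
    # Constant-time comparison of the two hex digests.
    return "ok" if hmac.compare_digest(expected, token) else "rejected"
```

Because the token covers both the path and the timestamp, a link cannot be pointed at another file or given a fresh timestamp without knowing the secret.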


{ 3 comments… read them below or add one }

1 Si_4&a$=( April 20, 2008 at 5:01 am

thanks for tutorial

you need to add
server.modules = ( …, "mod_secdownload", … )
in conf file too.


2 Vicent González i Castells July 27, 2009 at 11:30 pm

Thanks for information.

A fix in PHP script.

The next line doesn’t show url correctly.

printf('<a href="http://www.cyberciti.biz/" rel="nofollow">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);

This line fixes the issue.

printf('<a href="%s%s/%s%s" rel="nofollow">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);


3 bigie November 28, 2009 at 4:55 am

it didn’t work for me, btw where should i put php download file???

thanks
