mod_secdownload – Lighttpd Create Secure Download Area with Unique Download URL

Lighttpd handles secured downloads using the mod_secdownload module. It uses the lighttpd webserver and its internal HTTP authentication with a secret password. This module uses a concept called an authenticated URL: each unique URL remains valid for a specified time.

Your application has to generate a token and a timestamp, which the webserver checks before it allows the file to be downloaded.

URL Format

The generated URL has to have the format:

<uri-prefix><token>/<timestamp-in-hex><rel-path>

Which looks like

<token> is an MD5 of

  • a secret string (user supplied)
  • <rel-path> (starts with /)
  • <timestamp-in-hex>

Understanding filesystem layout

  • Domain name: theos.in
  • Webroot : /home/lighttpd/theos.in/http/
  • Download location : /home/lighttpd/download-area/ (you must upload all download files here)
  • Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip

Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/


Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
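Append the following configuration:

# load the module, otherwise the secdownload.* settings have no effect
server.modules             += ( "mod_secdownload" )
secdownload.secret          = "MySecretSecurePassword"
secdownload.document-root   = "/home/lighttpd/download-area/"
secdownload.uri-prefix      = "/dl/"
secdownload.timeout         = 3600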


  • secdownload.secret : Your password; it must not be shared with anyone else
  • secdownload.document-root : Download file system location; it must be outside the domain webroot / document root
  • secdownload.uri-prefix : URL prefix such as /dl/ or /download/
  • secdownload.timeout : Timeout for each unique URL, in seconds

Save and close the file. Restart lighttpd:
# service lighttpd restart

Sample PHP Download Script

<?php
$secret = "MySecretSecurePassword";
$uri_prefix = "/dl/";
# set filename (relative path, must start with /)
$f = "/file.zip";
# set current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
# token = md5 of secret + rel-path + timestamp-in-hex
$m = md5($secret.$f.$t_hex);
# finally generate link and display back on screen
printf('<a href="%s%s/%s%s">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
?>

410 Gone HTTP Error Code

After the timeout, the unique URL is gone and the end user gets a 410 HTTP status code. It indicates that the requested resource is no longer available and will not be available again. So if anybody deep-linked or hotlinked your content, the link stops working after the timeout.
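The token and timeout check described above, modelled in Python as an added example (it is not lighttpd's code and not part of the original article). It builds a URL the same way the PHP script does, then recomputes the MD5 and applies the timeout; the function names and the 403/404 statuses for bad input are assumptions of this example, since the page only states the 410 after timeout.

```python
import hashlib
import hmac
import time

SECRET = "MySecretSecurePassword"   # secdownload.secret from the config above
URI_PREFIX = "/dl/"                 # secdownload.uri-prefix
TIMEOUT = 3600                      # secdownload.timeout, in seconds


def _token(rel_path, ts_hex):
    # token = md5(secret + rel-path + timestamp-in-hex)
    return hashlib.md5((SECRET + rel_path + ts_hex).encode()).hexdigest()


def make_url(rel_path, now=None):
    """Build <uri-prefix><token>/<timestamp-in-hex><rel-path>."""
    ts_hex = "%08x" % int(time.time() if now is None else now)
    return f"{URI_PREFIX}{_token(rel_path, ts_hex)}/{ts_hex}{rel_path}"


def check_url(url, now=None):
    """Return the status this model gives a request: 200, 403, 404 or 410."""
    now = int(time.time() if now is None else now)
    if not url.startswith(URI_PREFIX):
        return 404                      # not in the protected area
    parts = url[len(URI_PREFIX):].split("/", 2)
    if len(parts) != 3 or len(parts[0]) != 32 or len(parts[1]) != 8:
        return 404                      # malformed (assumed status)
    token, ts_hex, rest = parts
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return 404
    # Expired links are Gone, whether or not the token is valid.
    if abs(now - ts) > TIMEOUT:
        return 410
    # Recompute over the requested path and timestamp, so changing either
    # one invalidates the token. Constant-time comparison avoids leaking
    # how many leading characters matched.
    expected = _token("/" + rest, ts_hex).encode()
    if not hmac.compare_digest(expected, token.lower().encode()):
        return 403                      # bad token (assumed status)
    return 200
```

Because the path and the timestamp are both inside the hash, a client cannot extend a link's lifetime or point it at another file without knowing the secret.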

3 comments

  • Si_4&a$=( April 20, 2008, 5:01 am

    thanks for tutorial

    you need to add
    server.modules = ( …, "mod_secdownload", … )
    in conf file too.

  • Vicent González i Castells July 27, 2009, 11:30 pm

    Thanks for information.

    A fix in PHP script.

    The next line doesn’t show url correctly.

    printf('<a href="http://www.cyberciti.biz/" rel="nofollow">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);

    This line fixes the issue.

    printf('<a href="%s%s/%s%s" rel="nofollow">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
  • bigie November 28, 2009, 4:55 am

    it didn’t work for me, btw where should I put php download file???

