

mod_secdownload – Lighttpd Create Secure Download Area with Unique Download URL

Lighttpd handles secured download mechanisms with the mod_secdownload module. It uses the lighttpd web server and its internal authentication based on a secret password. The module uses a concept called an authenticated URL: each unique URL remains valid for a specified time.

Your application has to generate a token and a timestamp, which the web server checks before it allows the file to be downloaded.

URL Format

The generated URL has to have the format:


Which looks like

is an MD5 of

  • a secret string (user supplied)
  • <rel-path> (starts with /)
  • <timestamp-in-hex>

Understanding filesystem layout

  • Domain name: theos.in
  • Webroot : /home/lighttpd/theos.in/http/
  • Download location : /home/lighttpd/download-area/ (you must upload all download files here)
  • Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip

Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/


Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append the following configuration:

secdownload.secret          = "MySecretSecurePassword"
secdownload.document-root   = "/home/lighttpd/download-area/"
secdownload.uri-prefix      = "/dl/"
secdownload.timeout         = 3600


  • secdownload.secret : Your password; it must not be shared with anyone else
  • secdownload.document-root : Download file system location, must be outside domain webroot / documentroot
  • secdownload.uri-prefix : url prefix such as /dl/ or /download/
  • secdownload.timeout : Set timeout for each unique url in seconds

Save and close the file. Restart lighttpd:
# service lighttpd restart

Sample PHP Download Script

<?php
$secret = "MySecretSecurePassword";
$uri_prefix = "/dl/";
# set filename (relative path, must start with /)
$f = "/file.zip";
# set current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
# token = md5(secret + rel-path + timestamp-in-hex)
$m = md5($secret.$f.$t_hex);
# finally generate link and display back on screen
printf('<a href="%s%s/%s%s">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
?>

410 Gone HTTP Error Code

After the timeout, the unique URL is gone and the end user gets a 410 HTTP status code. It indicates that the requested resource is no longer available and will not be available again. So if anybody deeplinked or hotlinked your content, the link will be gone after the timeout.
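The scheme above end to end, as an added example (not code from the original article or from lighttpd): the application builds the link the same way the PHP script does, and a model of the server-side check recomputes the MD5 and applies the timeout. The function names, the 403 for a bad token, the 404 outside the prefix and the symmetric time window are assumptions of this sketch.

```python
import hashlib
import hmac

# Values taken from the page's own configuration example.
SECRET = "MySecretSecurePassword"
URI_PREFIX = "/dl/"
TIMEOUT = 3600  # seconds, as in secdownload.timeout
HEX = set("0123456789abcdef")


def token_for(secret, rel_path, t_hex):
    """MD5 over secret + <rel-path> + <timestamp-in-hex>, as hex."""
    return hashlib.md5((secret + rel_path + t_hex).encode()).hexdigest()


def make_url(rel_path, now, secret=SECRET):
    """Application side: /dl/<token>/<timestamp-in-hex><rel-path>."""
    t_hex = "%08x" % now
    return "%s%s/%s%s" % (URI_PREFIX, token_for(secret, rel_path, t_hex),
                          t_hex, rel_path)


def check_url(url, now, secret=SECRET, timeout=TIMEOUT):
    """Server side (model): HTTP status the request would receive."""
    if not url.startswith(URI_PREFIX):
        return 404  # outside the protected prefix (sketch's choice)
    parts = url[len(URI_PREFIX):].split("/", 2)
    if len(parts) != 3:
        return 403
    token, t_hex, rest = parts
    # Reject anything that is not 32 + 8 lowercase hex digits.
    if len(token) != 32 or len(t_hex) != 8 or not set(token + t_hex) <= HEX:
        return 403
    # An expired (or far-future) link is gone, whatever its token.
    if abs(now - int(t_hex, 16)) > timeout:
        return 410
    # The timestamp and path are inside the hash, so editing either one
    # changes the expected token. Compare in constant time.
    expected = token_for(secret, "/" + rest, t_hex)
    return 200 if hmac.compare_digest(token, expected) else 403


if __name__ == "__main__":
    issued = 1700000000  # constructed timestamp
    url = make_url("/file.zip", issued)
    for later in (60, 3601):
        print(url, "+%ds ->" % later, check_url(url, issued + later))
```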


Howto: Verify integrity of the tar balls or source code

Verifying the integrity of tarballs or source code is an essential step: it makes sure that you are going to use genuine software (the check is also known as a checksum). Every Linux or UNIX admin should be aware of this test. However, what is a checksum? A checksum is a very simple measure for protecting the integrity of data against both hackers (read as crackers) and data transmission errors over the network, i.e. it makes sure no one has tampered with a source file (see checksum @ wikipedia). For file verification, use any one of the following commands:

  1. sha1sum - check SHA1 (160-bit) checksums
  2. md5sum - check MD5 (128-bit) checksums
  3. gpg - Use to validate a GPG certificate

Therefore, whenever you visit a source-code download site, you will come across md5sum, sha1sum, or gpg signature keys listed. The following is the general syntax to verify keys with the different commands:

  • sha1sum {source-code-file-name}
  • md5sum {source-code-file-name}
  • gpg --verify {source-code-file-name.sig} {source-code-file-name}

Examples, since without examples no one is able to grasp the idea:

How To Verify Integrity of The Tar Balls With md5sum Command

The md5sum command is used to check or print MD5 (128-bit) checksums. For example purposes, download your favorite Linux distribution from the distribution's web site / project site. Now you will need to check the md5sum of a Linux ISO file.

1) Download the Debian Linux #1 ISO with the help of the wget command, and note down the md5sum listed next to each ISO file:
$ wget http://someproject.org/path/to/isofile.iso

2) Verify integrity of a Linux iso:
$ md5sum isofile.iso

a0b162e26281ef097ee8b39b8690a8c2 isofile.iso

Compare the output (a0b162e26281ef097ee8b39b8690a8c2) with the key listed online at linuxiso.org's site.

You can read MD5 sums from the FILEs and check them:
$ md5sum -c xcache-1.2.2.tar.gz.md5.txt
Sample output:

xcache-1.2.2.tar.gz: OK