Lighttpd handle secured download mechanisms using mod_secdownload modules. It uses the lighttpd webserver and the internal HTTP authentication using secrete password. This module use the concept called authenticated URL for a specified time. Each unique url remains valid for a specified time.

Advertisement

Your application has to generate a token and a timestamp which are checked by the webserver before it allows the file to be downloaded by the webserver.

URL Format

The generated URL has to have the format:

<uri-prefix>/<token>/<timestamp-in-hex>/<rel-path>

Which looks like
http://theos.in/dl/6262df3adba2bc85846e05440fcc3895/4804f986/file.zip

is an MD5 of

  • a secret string (user supplied)
  • <rel-path> (starts with /)
  • <timestamp-in-hex>

Understanding filesystem layout

  • Domain name: theos.in
  • Webroot : /home/lighttpd/theos.in/http/
  • Download location : /home/lighttpd/download-area/ (you must upload all download files here)
  • Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip

Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/

Configuration

Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append following configuration:

secdownload.secret          = "MySecretSecurePassword"
secdownload.document-root   = "/home/lighttpd/download-area/"
secdownload.uri-prefix      = "/dl/"
secdownload.timeout         = 3600

Where.

  • secdownload.secret : Your password; it must not be shared with anyone else
  • secdownload.document-root : Download file system location, must be outside domain webroot / documentroot
  • secdownload.uri-prefix : url prefix such as /dl/ or /download/
  • secdownload.timeout : Set timeout for each unique url in seconds

Save and close the file. Restart lighttpd:
# service lighttpd restart

Sample PHP Download Script

<?php
$secret = "MySecretSecurePassword";
$uri_prefix = "/dl/";
 
# set filename
$f = "/file.zip";
 
# set current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);
# finally generate link and display back on screen
printf('<a href="//www.cyberciti.biz/">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);
?>

410 Gone HTTP Error Code

After timeout; unique url will be gone and end user will get 410 http status code. It indicates that the resource requested is no longer available and will not be available again. So if anybody deeplinked or hotlinked your content it will be gone after timeout.

Further readings:

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

3 comments… add one
  • Si_4&a$=( Apr 20, 2008 @ 5:01

    thanks for tutorial

    you need to add
    server.modules = ( …, “mod_secdownload”, … )
    in conf file too.

  • Vicent González i Castells Jul 27, 2009 @ 23:30

    Thanks for information.

    A fix in PHP script.

    The next line doesn’t show url correctly.

    printf('<a href="http://www.cyberciti.biz/" rel="nofollow">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);

    This line fix the issue.

    printf('<a href="%s%s/%s%s" rel="nofollow">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
  • bigie Nov 28, 2009 @ 4:55

    it did’t work for me, btw where should i put php download file???

    thank’s

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.