mod_secdownload – Lighttpd Create Secure Download Area with Unique Download URL

Lighttpd handle secured download mechanisms using mod_secdownload modules. It uses the lighttpd webserver and the internal HTTP authentication using secrete password. This module use the concept called authenticated URL for a specified time. Each unique url remains valid for a specified time.

ADVERTISEMENTS

Your application has to generate a token and a timestamp which are checked by the webserver before it allows the file to be downloaded by the webserver.

URL Format

The generated URL has to have the format:

<uri-prefix>/<token>/<timestamp-in-hex>/<rel-path>

Which looks like
http://theos.in/dl/6262df3adba2bc85846e05440fcc3895/4804f986/file.zip

is an MD5 of

  • a secret string (user supplied)
  • <rel-path> (starts with /)
  • <timestamp-in-hex>

Understanding filesystem layout

  • Domain name: theos.in
  • Webroot : /home/lighttpd/theos.in/http/
  • Download location : /home/lighttpd/download-area/ (you must upload all download files here)
  • Download url : http://theos.in/dl/<token>/<timestamp-in-hex>/file.zip

Make sure /home/lighttpd/download-area/ directory exists:
# mkdir -p /home/lighttpd/download-area/
# chown lighttpd:lighttpd /home/lighttpd/download-area/

Configuration

Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append following configuration:

secdownload.secret          = "MySecretSecurePassword"
secdownload.document-root   = "/home/lighttpd/download-area/"
secdownload.uri-prefix      = "/dl/"
secdownload.timeout         = 3600

Where.

  • secdownload.secret : Your password; it must not be shared with anyone else
  • secdownload.document-root : Download file system location, must be outside domain webroot / documentroot
  • secdownload.uri-prefix : url prefix such as /dl/ or /download/
  • secdownload.timeout : Set timeout for each unique url in seconds

Save and close the file. Restart lighttpd:
# service lighttpd restart

Sample PHP Download Script

<?php
$secret = "MySecretSecurePassword";
$uri_prefix = "/dl/";
 
# set filename
$f = "/file.zip";
 
# set current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);
# finally generate link and display back on screen
printf('<a href="//www.cyberciti.biz/">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);
?>

410 Gone HTTP Error Code

After timeout; unique url will be gone and end user will get 410 http status code. It indicates that the resource requested is no longer available and will not be available again. So if anybody deeplinked or hotlinked your content it will be gone after timeout.

Further readings:

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
3 comments… add one
  • Si_4&a$=( Apr 20, 2008 @ 5:01

    thanks for tutorial

    you need to add
    server.modules = ( …, “mod_secdownload”, … )
    in conf file too.

  • Vicent González i Castells Jul 27, 2009 @ 23:30

    Thanks for information.

    A fix in PHP script.

    The next line doesn’t show url correctly.

    printf('<a href="http://www.cyberciti.biz/" rel="nofollow">%s</a>',$uri_prefix, $m, $t_hex, $f, $f);

    This line fix the issue.

    printf('<a href="%s%s/%s%s" rel="nofollow">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
  • bigie Nov 28, 2009 @ 4:55

    it did’t work for me, btw where should i put php download file???

    thank’s

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.