| blob | 216299835e56c5bc34e70d19af2c35b78e2ae25b |
1 ===========================
2 Secure and Fast Downloading
3 ===========================
5 -----------------------
6 Module: mod_secdownload
7 -----------------------
9 :Author: Jan Kneschke
10 :Date: $Date: 2004/08/01 07:01:29 $
11 :Revision: $Revision: 1.1 $
13 :abstract:
14 authenticated file requests and a countermeasure against
15 deep-linking can be achieved easily by using mod_secdownload
17 .. meta::
18 :keywords: lighttpd, secure, fast, downloads
20 .. contents:: Table of Contents
22 Options
23 =======
25 ::
27 secdownload.secret = <string>
28 secdownload.document-root = <string>
29 secdownload.uri-prefix = <string> (default: /)
30 secdownload.timeout = <short> (default: 60 seconds)
32 Description
33 ===========
35 there are multiple ways to handle secured download mechanisms:
37 1. use the webserver and the internal HTTP authentication
38 2. use the application to authenticate and send the file
39 through the application
41 Both ways have limitations:
43 webserver:
45 - ``+`` fast download
46 - ``+`` no additional system load
47 - ``-`` inflexible authentication handling
49 application:
51 - ``+`` integrated into the overall layout
52 - ``+`` very flexible permission management
53 - ``-`` the download occupies an application thread/process
55 A simple way to combine the two ways could be:
57 1. app authenticates user and checks permissions to
58 download the file.
59 2. app redirects user to the file accessable by the webserver
60 for further downloading.
61 3. the webserver transfers the file to the user.
63 As the webserver doesn't know anything about the permissions
64 used in the app, the resulting URL would be available to every
65 user who knows the URL.
67 mod_secdownload removes this problem by introducing a way to
68 authenticate a URL for a specified time. The application has
69 to generate a token and a timestamp which are checked by the
70 webserver before it allows the file to be downloaded by the
71 webserver.
73 The generated URL has to have the format:
75 <uri-prefix><token>/<timestamp-in-hex><rel-path>
77 <token> is an MD5 of
79 1. a secret string (user supplied)
80 2. <rel-path> (starts with /)
81 3. <timestamp-in-hex>
84 As you can see, the token is not bound to the user at all. The
85 only limiting factor is the timestamp which is used to
86 invalidate the URL after a given timeout (secdownload.timeout).
88 .. Note::
89 Be sure to choose a another secret than the one used in the
90 examples, as this is the only part of the token that is not
91 known to the user.
95 If the user tries to fake the URL by choosing a random token,
96 status 403 'Forbidden' will be sent out.
98 If the timeout is reached, status 408 'Request Timeout' will be
99 sent. (This does not really conform to the standard, but should
100 do the trick).
102 If token and timeout are valid, the <rel-path> is appended to
103 the configured (secdownload.document-root) and passed to the
104 normal internal file transfer functionality. This might lead to
105 status 200 or 404.
107 Example
108 =======
110 Application
111 -----------
113 Your application has to generate the correct URLs. The following sample
114 code for PHP should be easily adaptable to any other language: ::
116 <?php
118 $secret = "verysecret";
119 $uri_prefix = "/dl/";
121 # filename
122 $f = "/secret-file.txt";
124 # current timestamp
125 $t = time();
127 $t_hex = sprintf("%08x", $t);
128 $m = md5($secret.$f.$t_hex);
130 # generate link
131 printf('<a href="%s%s/%s%s">%s</a>',
132 $uri_prefix, $m, $t_hex, $f, $f);
133 ?>
135 Webserver
136 ---------
138 The server has to be configured in the same way. The URI prefix and
139 secret have to match: ::
141 server.modules = ( ..., "mod_secdownload", ... )
143 secdownload.secret = "verysecret"
144 secdownload.document-root = "/home/www/servers/download-area/"
145 secdownload.uri-prefix = "/dl/"
146 secdownload.timeout = 120
147 secdownload.algorithm = "md5"