New on LowEndTalk? Please Register and read our Community Rules.
Restrict access to a URL with nginx
edited February 2012 in Help
Ill be launching a rewards system on my forum where they can convert points for downloading my (self-authored) custom wordpress plugins. I am thinking of a way to hide the link of the files but I really have no idea how to do that.
For those still lost on the idea, it's like a file host (like hotfile) providing "premium link" where only this premium user can use that link. Yes, I tried http://wiki.nginx.org/HttpRefererModule but they can just edit the referer and download the file. Im thinking of maybe locking the url to someone with a cookie (+ his IP) but I have really no idea how [I still want to allow concurrent connections btw]
Check out my advice here - it should at the very least get you on the right track. Instead of checking the token to see if they should be able to download the file, check whether they're a "premium user" or if they have enough points (I assume you're storing this information in a database and have some kind of user account system or something), or whatever other criteria you want to use.
I will try this I actually never thought about rewrites Thanks!!
I hope it's easy on nginx... Hmmm.. Im just curious if the correct filename be passed upon the request? Will it still be wp_plugin.zip not download.php?
This module enables you to create links which are only valid until a certain datetime is reached. The way it works is similar to lightttpd's mod_secdownload, but not exactly same.
You create a temporary link for the user and give them a 30minute time frame to download the file.
You rewrite yoursite.com/downloads/wp_plugin.zip to something like yoursite.com/download.php?filename=wp_plugin.zip, then wp_plugin.zip is stored in the PHP variable $_GET['filename']. You'd use $_GET['filename'] to find the correct file and serve it using the PHP readfile() function.
@yowmamasita the httpsecuredownload has two components, the timeframe aspect and the possibilty to set a hash based on the users ip.
Thus it should give you at least a decent level of security, less the user shares both the unique url and his IP to other users.
Just serve it through PHP? Then you can do the appropriate permission checks, stats logging and so on.
Read up on content-disposition to control the filename which gets sent to the browser.
this is what im worried about. most of them connects through a free local vpn that is quite popular here