Restrict access to a URL with nginx

I'll be launching a rewards system on my forum where they can convert points for downloading my (self-authored) custom WordPress plugins. I am thinking of a way to hide the link of the files but I really have no idea how to do that.
For those still lost on the idea, it's like a file host (like hotfile) providing a "premium link" where only this premium user can use that link. Yes, I tried http://wiki.nginx.org/HttpRefererModule but they can just edit the referer and download the file. I'm thinking of maybe locking the URL to someone with a cookie (+ his IP) but I have really no idea how [I still want to allow concurrent connections btw]
Thanks LET~
Comments
Check out my advice here - it should at the very least get you on the right track. Instead of checking the token to see if they should be able to download the file, check whether they're a "premium user" or if they have enough points (I assume you're storing this information in a database and have some kind of user account system or something), or whatever other criteria you want to use.
I will try this
I actually never thought about rewrites
Thanks!!
I hope it's easy on nginx... Hmmm.. I'm just curious if the correct filename will be passed upon the request? Will it still be wp_plugin.zip, not download.php?
Link this,
http://wiki.nginx.org/HttpSecureDownload
This module enables you to create links which are only valid until a certain datetime is reached. The way it works is similar to lighttpd's mod_secdownload, but not exactly the same.
You create a temporary link for the user and give them a 30-minute time frame to download the file.
You rewrite yoursite.com/downloads/wp_plugin.zip to something like yoursite.com/download.php?filename=wp_plugin.zip, then wp_plugin.zip is stored in the PHP variable $_GET['filename']. You'd use $_GET['filename'] to find the correct file and serve it using the PHP readfile() function.
@yowmamasita the httpsecuredownload has two components, the timeframe aspect and the possibility to set a hash based on the user's IP.
Thus it should give you at least a decent level of security, unless the user shares both the unique URL and his IP with other users.
Just serve it through PHP? Then you can do the appropriate permission checks, stats logging and so on.
Read up on content-disposition to control the filename which gets sent to the browser.
This is what I'm worried about. Most of them connect through a free local VPN that is quite popular here.
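
One way to write the download.php that the replies describe, as an added example that is not code from any poster: it checks entitlement per logged-in account rather than per IP, restricts the requested name to a plain file in one directory so `$_GET['filename']` cannot reach other paths, and sets Content-Disposition so the browser saves wp_plugin.zip. The directory path, the `user_id` session key and the `user_may_download()` lookup are assumptions.

```php
<?php
// download.php (added example). Assumes nginx rewrites
// /downloads/<name> to /download.php?filename=<name>.
declare(strict_types=1);

const PLUGIN_DIR = '/srv/private/plugins'; // assumed location, outside the web root

// Hypothetical entitlement check; replace with the forum's points/purchase lookup.
function user_may_download(?int $userId, string $file): bool
{
    $purchases = [42 => ['wp_plugin.zip']]; // constructed sample data
    return $userId !== null && in_array($file, $purchases[$userId] ?? [], true);
}

// Map the requested name to a real file directly inside $baseDir, or null.
function resolve_download(string $requested, string $baseDir = PLUGIN_DIR): ?string
{
    // Plain file name only: no slashes, no leading dot, no control characters.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.zip\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // realpath() follows symlinks, so re-check where the file really lives.
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null; // assumed key
$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download($name) : null;

if ($path === null || !user_may_download($userId, $name)) {
    http_response_code(404); // same answer for "no such file" and "not entitled"
    exit;
}

header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $name . '"'); // saved as wp_plugin.zip
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```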