Wednesday, February 23, 2011

Re: Migrating from Lighttpd : mod_secdownload show-stopper ?

On Tue, Feb 22, 2011 at 12:20:20PM +0000, Francis Daly wrote:
> On Tue, Feb 22, 2011 at 05:03:00AM -0500, thoseg wrote:

Hi there,

> > I have some (strong) requirements like to not modify the application
> > code

> > Secured link :
> > http://secure.domain.com/get/24b9cb61c9c2c9070038aceaaf7bae5a/4d63842e/2/H264-384x288/04/85/3120485.h264

> To use the vanilla nginx http_secure_link_module, your old links will
> be broken, and you'll have to change the application's code.

As was suggested earlier in the thread, you *could* preserve the lighttpd
interface by scripting, while waiting for / working on a mod_secdownload
equivalent in nginx.

One (rushed) version in php is included below. Do read it carefully and
check for unexpected results (do you know what happens when the string
given to hexdec() is rather long?) before testing whether the system
performance is adequate in your proposed new environment.

The nginx.conf section is something like

===
location /get/ {
    location ~ /get/[0-9a-f]+/[0-9a-f]+/ {
        fastcgi_pass unix:php.sock;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME /mnt/medias/secure_get;
    }
    location /get/secured/ {
        internal;
        alias /mnt/medias/;
    }
    return 404;
}
===

(spot the bits you need to change)

and the secure_get script is similar to

===
<?php
# migrate from lighttpd/mod_secdownload
# I care about parts 2, 3, and remains of REQUEST_URI.
# $_SERVER['REQUEST_URI'] = '/get/md5sum_hex/expires_hex/dir/and/file/name.ext'

# This is the secret used to generate the link in the first place
$secret = "secret";

# Split into: '', 'get', hash, hex expiry time, and the rest of the path
list( $x, $x, $hash, $time, $file ) = explode( '/', $_SERVER['REQUEST_URI'], 5 );
$file = '/' . $file;
# The input string must match how the links were generated (lighttpd's
# documented mod_secdownload token is md5(secret . path . hex_time))
$check = md5("{$file}.{$time}.{$secret}");
$expires = hexdec($time);

# hash_equals() compares as strings in constant time; a loose != would
# treat two different "0e<digits>" hex strings as equal numbers
if (!hash_equals($check, $hash)) {
    # hash is wrong
    header("HTTP/1.0 403 Forbidden");
    # add your preferred html body here
} elseif ($expires < $_SERVER['REQUEST_TIME']) {
    # hash is right, but time is past
    header("HTTP/1.0 410 Gone");
    # add your preferred html body here
} else {
    # hash is right and time is ok
    header("X-Accel-Redirect: /get/secured{$file}");
}
?>
===

Good luck with it,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
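
A reference check for building test links against the migrated setup, as an added example that is not part of the original post or of nginx/lighttpd. It assumes the token is computed exactly as in the script above (MD5 over file, hex time and secret joined with dots); the function names, the 8-digit limit on the hex time and the sample secret are assumptions made here.

```python
import hashlib
import hmac
import re

SECRET = "secret"  # sample value, same placeholder as the script above

# Assumption: a Unix timestamp fits in 1-8 lowercase hex digits, so longer
# time fields are rejected outright instead of being converted to a number.
LINK_RE = re.compile(r"^/get/([0-9a-f]{32})/([0-9a-f]{1,8})(/.+)$")


def token(path, time_hex, secret=SECRET):
    """MD5 token over file.time.secret, the form the script above computes."""
    return hashlib.md5(f"{path}.{time_hex}.{secret}".encode()).hexdigest()


def make_link(path, expires, secret=SECRET):
    """Build a /get/<md5>/<hex time>/<path> link to use as a test vector."""
    time_hex = format(expires, "x")
    return f"/get/{token(path, time_hex, secret)}/{time_hex}{path}"


def check_link(uri, now, secret=SECRET):
    """Return (status, internal_path) for a request URI at time `now`."""
    m = LINK_RE.match(uri)
    if m is None:
        return 404, None                 # not a well-formed secured link
    given, time_hex, path = m.groups()
    # Constant-time string comparison, never a numeric one.
    if not hmac.compare_digest(given, token(path, time_hex, secret)):
        return 403, None                 # hash is wrong
    if int(time_hex, 16) < now:
        return 410, None                 # hash is right, but time is past
    return 200, "/get/secured" + path    # target for X-Accel-Redirect
```

Links from `make_link` with a future, a past and an altered path give the three responses the PHP script should return for the same requests.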
