
Files stored on a different server - Protect with ngx_http_secure_link_module #3075

Closed
mostym opened this issue Mar 14, 2018 · 3 comments

mostym commented Mar 14, 2018

I currently have a bunch of files stored on a file server and I have them stored in e107 as a direct download with referral blocking. The problem with that is that the referral can be easily spoofed; I'm looking for more security for the downloads.

Thanks!

Member

Deltik commented Apr 30, 2018

See my comment below for updated documentation.

@BigBoiJefe: I have a proposed fix for this issue.

Using the patch file

Here is a patch that you can try: fix-3075.patch.txt

To apply the patch, run the following commands:

cd /path/to/e107 # where /path/to/e107 is where your installation of e107 is
wget https://github.com/e107inc/e107/files/1960370/fix-3075.patch.txt -O fix-3075.patch
patch -p 1 < fix-3075.patch

To roll back the patch, run this command:

patch -p 1 -R < fix-3075.patch

To remove the patch file, run this command:

rm -fv fix-3075.patch

Using the proposed fix

Configure your NGINX download server

Set up your NGINX download location config with secure_link_md5 to protect your downloads. For an example of how to do this, see the Using Secured URLs that Expire section of this blog post from NGINX.

This is a sample secure_link_md5 expression:

$secure_link_expires$uri$remote_addr secret

  • $secure_link_expires enables the expiration of links generated by the e107 Downloads plugin.
  • $uri matches the download path intended to be protected.
  • $remote_addr ensures that only the client's IP address may be used to download the file.
  • secret is a string known only to e107 and your NGINX config so that your users/downloaders cannot generate their own secure links.

Configure e107

  1. Navigate to /e107_plugins/download/admin_download.php?mode=main&action=settings in your web browser.
  2. Click on the Protection tab.
  3. Select NGINX secure_link_md5 as the URL protection mode.
  4. Type in your secure_link_md5 expression into the NGINX secure_link_md5 expression field.
  5. In the Duration of validity in seconds field, enter a whole number for how long in seconds you want each generated download link to live after the link is generated.
  6. Click the green Update Options button.

Now, all downloads will have md5 appended as a query parameter, generated from the expression you put in. If the expression contains $secure_link_expires, expires will be appended as a query parameter as well.

Member

Deltik commented May 1, 2018

See my comment below for updated documentation.

After working with @BigBoiJefe to resolve bugs with the implementation, I've written some updated documentation of the new feature:

Updated Documentation

Configure e107

Ideally, both e107 and NGINX should be configured at the exact same time, but e107 may be configured first because doing so would minimize the chance of disruption to downloaders, since the NGINX secure_link_md5 URL protection mode merely appends query string arguments to the download URL.

  1. Navigate to /e107_plugins/download/admin_download.php?mode=main&action=settings in your web browser.
  2. Click on the Protection tab.
  3. Select NGINX secure_link_md5 as the URL protection mode.
  4. Type in your secure_link_md5 expression into the NGINX secure_link_md5 expression field.
  5. In the Duration of validity in seconds field, enter a whole number for how long in seconds you want each generated download link to live after the link is generated.
  6. Click the green Update Options button.

Now, all downloads will have md5 appended as a query parameter, generated from the expression you put in. If the expression contains $secure_link_expires, expires will be appended as a query parameter as well.

Configure your NGINX download server

Set up your NGINX download location config with secure_link_md5 to protect your downloads. For an example of how to do this, see the Using Secured URLs that Expire section of this blog post from NGINX.

This is a sample secure_link_md5 expression:

$secure_link_expires$uri$remote_addr secret

  • $secure_link_expires enables the expiration of links generated by the e107 Downloads plugin.
  • $uri matches the download path intended to be protected.
  • $remote_addr ensures that only the client's IP address may be used to download the file.
  • secret is a string known only to e107 and your NGINX config so that your users/downloaders cannot generate their own secure links.

If your secure_link_md5 expression contains $secure_link_expires, the secure_link directive should read secure_link $arg_md5,$arg_expires; like in this example server block:

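server {
    listen 80;
    server_name secure-link-demo;

    location /files {
        root /var/www;
        # Hash and expiry are taken from the md5 and expires query parameters
        secure_link $arg_md5,$arg_expires;
        secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

        if ($secure_link = "") { return 403; }   # hash missing or does not match
        if ($secure_link = "0") { return 410; }  # hash matches but link has expired
    }
}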

If your secure_link_md5 expression does not contain $secure_link_expires, the secure_link directive should read secure_link $arg_md5; like in this example server block:

server {
    listen 80;
    server_name secure-link-demo;

    location /files {
        root /var/www;
        # Only the hash is checked; links never expire
        secure_link $arg_md5;
        secure_link_md5 "$uri$remote_addr secret";

        if ($secure_link = "") { return 403; }   # hash missing or does not match
    }
}
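
How the md5 and expires query parameters relate to the sample expression above, as an added example (not part of the comment, and not e107's or NGINX's own code): the token is the binary MD5 of the expanded expression, base64url-encoded without padding, and `secure_link()` is a simplified model of the `$secure_link` values that the first server block tests. The URI, client IPs and timestamps are constructed; `secret` is the placeholder from the sample expression.

```python
import base64
import hashlib
import hmac
import time

SECRET = "secret"  # placeholder from the sample expression; use a long random value


def token(expires, uri, remote_addr, secret=SECRET):
    """MD5 of "$secure_link_expires$uri$remote_addr secret", base64url, no padding."""
    expression = f"{expires}{uri}{remote_addr} {secret}"
    digest = hashlib.md5(expression.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(uri, remote_addr, ttl, now=None):
    """What the link generator appends: md5 and expires query parameters."""
    expires = (int(time.time()) if now is None else now) + ttl
    return f"{uri}?md5={token(expires, uri, remote_addr)}&expires={expires}"


def secure_link(md5_arg, expires_arg, uri, remote_addr, now=None):
    """Simplified model of $secure_link: "" = bad hash, "0" = expired, "1" = valid."""
    now = int(time.time()) if now is None else now
    if not md5_arg or not (expires_arg.isascii() and expires_arg.isdigit()):
        return ""
    expected = token(expires_arg, uri, remote_addr)
    # Constant-time comparison of the presented and recomputed tokens
    if not hmac.compare_digest(md5_arg.encode(), expected.encode()):
        return ""
    return "0" if int(expires_arg) < now else "1"


def http_status(result):
    """Mirror the two `if` checks in the server block: 403, 410, otherwise serve."""
    return {"": 403, "0": 410}.get(result, 200)


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, fixed clock).
    t0 = 1_700_000_000
    uri = "/files/demo.zip"
    url = sign_url(uri, "203.0.113.7", ttl=300, now=t0)
    md5 = url.split("md5=")[1].split("&")[0]
    print(url)
    for ip, when in [("203.0.113.7", t0 + 60),    # same client, in time
                     ("198.51.100.9", t0 + 60),   # link shared with another IP
                     ("203.0.113.7", t0 + 301)]:  # same client, after expiry
        print(ip, when, http_status(secure_link(md5, "1700000300", uri, ip, when)))
```

Because `$remote_addr` is part of the hash, the address e107 sees when it generates the link must be the same one the NGINX download server sees, which is not the case when either sits behind a proxy that hides the client IP.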

Member

Deltik commented Nov 5, 2019

Updated documentation with NGINX $host variable support can be found in #4011.
