Rewrite module and secure download

trinsic · December 19, 2009, 3:25pm

Hi guys, having a bit of a pickle at the moment. I’ve set up the secure
download module and its working as it should. The problem is when you
try to use it, it appends the file name as the hex timestamp (without an
extension) which is at the end of the URI which isn’t the ideal way of
downloading things. So I tried using the rewrite module to move the file
name to the end of the link.

E.g
/save/dir/6450.png/097ac16cb19ff6c163d6f813fdd44b4d/4b283bfa
(works but downloads as 4b28264c instead of 6450.png)

The way the module works: < real path >/< file >/< md5 >/< timestamp >
The way I want it is: < real path >/< md5 >/< timestamp >/< file >

So in comes the rewrite rule. My new links look like:
/file/097ac16cb19ff6c163d6f813fdd44b4d/4b283bfa/dir/6450.png

I have moved the < md5 >/< timestamp > in front of the < file > in hopes
it would now save the file name properly with its extension. My config
is below:

location / {
rewrite /file/(.)/(.)/(.)/(.)$ /save/$3/$4/$1/$2 break;
}

location /save {
root /var/www/html/files/12-2009;
secure_download on;
secure_download_secret mypass;
secure_download_path_mode file;
secure_download_fail_location /error;

add_header Content-Disposition attachment;

}

As you can see the rewrite rule converts the link back to what it should
be. That is it moves the < md5 >/< timestamp > to the end of the URI
again and changes /file/ back to /save/. Except it now throws a 404
error. Looking in the debug error log it throws out this:

31949#0: 1 "/file/(.)/(.)/(.)/(.*)$" matches
“/file/097ac16cb19ff6c163d6f813fdd44b4d/4b283bfa/dir/6450.png”
31949#0: *1 rewritten data:
“/save/dir/6450.png/097ac16cb19ff6c163d6f813fdd44b4d/4b283bfa”
31949#0: *1 open()
“/var/www/html/save/dir/6450.png/097ac16cb19ff6c163d6f813fdd44b4d/4b283bfa”
failed (2: No such file or directory)

Pretty much the rewrite rule is converting it exactly as it should be:
(line 2 of log)
/save/dir/6450.png/097ac16cb19ff6c163d6f813fdd44b4d/4b283bfa
(< real path >/< file >/< md5 >/< timestamp >)

But where is the secure download module? It hasn’t popped up and done
its business with the link. Instead line 3 of the log shows it trying to
open the link when it should do this:

8156#0: *3 securedownload: evaluated value of secret: “mypass”
8156#0: *3 hashing string “/save/dir/6450.png/mypass/4b283bfa” with len
50
8156#0: *3 computed hash: 097ac16cb19ff6c163d6f813fdd44b4d

Its apparent the rewrite module and the secure download module wont work
together. What can I do to fix this?

I am currently using lighttpd and the modsecdownload module which this
nginx module is based off, the only real difference is that the lighttpd
module does all the above already (< real path >/< md5 >/< timestamp >/<
file >) so it saves the file properly.

Hopefully I didn’t miss anything out, any help is much appreciated!

Posted at Nginx Forum:

trinsic · January 14, 2010, 2:29pm

I stumbled upon the exact same problem today while moving our site from
Lighttpd to nginx.

This is how we solved it:

Link to our protected files look like this:

/pdf/number.pdf/MD5_hash/hex_of_timestamp

and this is our location directive:

    # PDF download
    location /pdf {
        secure_download on;
        secure_download_secret $request_addr;
        secure_download_path_mode file;

        if ($uri ~ "^/pdf/(.+\.pdf)$") {
            set $filename $1;
        }
        add_header Content-Disposition "attachment;

filename=$filename";
}

As you can see from the example we are extracting the filename from the
request uri and setting the appropriate header.

Posted at Nginx Forum:

trinsic · December 19, 2009, 3:25pm

Hello!

On Tue, Dec 15, 2009 at 11:42:18PM -0500, trinsic wrote:

Hi guys, having a bit of a pickle at the moment. I’ve set up the secure download module and its working as it should. The problem is when you try to use it, it appends the file name as the hex timestamp (without an extension) which is at the end of the URI which isn’t the ideal way of downloading things. So I tried using the rewrite module to move the file name to the end of the link.

[…]

But where is the secure download module? It hasn’t popped up and done its business with the link. Instead line 3 of the log shows it trying to open the link when it should do this:

8156#0: *3 securedownload: evaluated value of secret: “mypass”
8156#0: *3 hashing string “/save/dir/6450.png/mypass/4b283bfa” with len 50
8156#0: *3 computed hash: 097ac16cb19ff6c163d6f813fdd44b4d

Its apparent the rewrite module and the secure download module wont work together. What can I do to fix this?

Apparently it’s problem in secure download module. Have you tried
standart secure link module instead?

http://wiki.nginx.org/NginxHttpSecureLinkModule

Maxim D.

trinsic · March 31, 2010, 1:44pm

Interesting post dude…discussion are always helpful in one way or the
other. Thanks for giving out information. Itâ€™s really nice and mean
full.

Posted at Nginx Forum: