New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Files stored on a different server - Protect with ngx_http_secure_link_module #3075

Closed
BigBoiJefe opened this Issue Mar 14, 2018 · 2 comments

Comments

2 participants
@BigBoiJefe

BigBoiJefe commented Mar 14, 2018

I currently have a bunch of files stored on a file server and I have them stored in e107 as a direct download with referral blocking. The problem with that is that the referral can be easily spoofed, I'm looking for more security for the downloads.

Thanks!

Deltik added a commit to Deltik/e107 that referenced this issue Apr 30, 2018

Downloads: Basic support for NGINX secure_link_md5
- NEW: "Protection" section in Downloads >> Preferences
- NEW: Basic support for NGINX secure_link_md5 in Downloads plugin
- NEW: When configured with a URL protection mode, Downloads will
       modify the direct download URL and/or the mirror download URL
       to be compatible with the implemented URL protection

Fixes: e107inc#3075
@Deltik

This comment has been minimized.

Contributor

Deltik commented Apr 30, 2018

See my comment below for updated documentation.

@BigBoiJefe: I have a proposed fix for this issue.

Using the patch file

Here is a patch that you can try: fix-3075.patch.txt

To apply the patch, run the following commands:

cd /path/to/e107 # where /path/to/e107 is where your installation of e107 is
wget https://github.com/e107inc/e107/files/1960370/fix-3075.patch.txt -O fix-3075.patch
patch -p 1 < fix-3075.patch

To roll back the patch, run this command:

patch -p 1 -R < fix-3075.patch

To remove the patch file, run this command:

rm -fv fix-3075.patch

Using the proposed fix

Configure your NGINX download server

Set up your NGINX download location config with secure_link_md5 to protect your downloads. For an example of how to do this, see the Using Secured URLs that Expire section of this blog post from NGINX.

This is a sample secure_link_md5 expression:

$secure_link_expires$uri$remote_addr secret
  • $secure_link_expires enables the expiration of links generated by the e107 Downloads plugin.
  • $uri matches the download path intended to be protected.
  • $remote_addr ensures that only the client's IP address may be used to download the file.
  • secret is a string known only to e107 and your NGINX config so that your users/downloaders cannot generate their own secure links.

Configure e107

  1. Navigate to /e107_plugins/download/admin_download.php?mode=main&action=settings in your web browser.
  2. Click on the Protection tab.
  3. Select NGINX secure_link_md5 as the URL protection mode
  4. Type in your secure_link_md5 expression into the NGINX secure_link_md5 expression field.
  5. In the Duration of validity in seconds field, enter a whole number for how long in seconds you want each generated download link to live after the link is generated.
  6. Click the green Update Options button.

Now, all downloads will have md5 appended as a query parameter, generated from the expression you put in. If the expression contains $secure_link_expires, expires will be appended as a query parameter as well.

@Deltik

This comment has been minimized.

Contributor

Deltik commented May 1, 2018

After working with @BigBoiJefe to resolve bugs with the implementation, I've written some updated documentation of the new feature:

Updated Documentation

Configure e107

Ideally, both e107 and NGINX should be configured at the exact same time, but e107 may be configured first because doing so would minimize the chance of disruption to downloaders, since the NGINX secure_link_md5 URL protection mode merely appends query string arguments to the download URL.

  1. Navigate to /e107_plugins/download/admin_download.php?mode=main&action=settings in your web browser.
  2. Click on the Protection tab.
  3. Select NGINX secure_link_md5 as the URL protection mode
  4. Type in your secure_link_md5 expression into the NGINX secure_link_md5 expression field.
  5. In the Duration of validity in seconds field, enter a whole number for how long in seconds you want each generated download link to live after the link is generated.
  6. Click the green Update Options button.

Now, all downloads will have md5 appended as a query parameter, generated from the expression you put in. If the expression contains $secure_link_expires, expires will be appended as a query parameter as well.

Configure your NGINX download server

Set up your NGINX download location config with secure_link_md5 to protect your downloads. For an example of how to do this, see the Using Secured URLs that Expire section of this blog post from NGINX.

This is a sample secure_link_md5 expression:

$secure_link_expires$uri$remote_addr secret
  • $secure_link_expires enables the expiration of links generated by the e107 Downloads plugin.
  • $uri matches the download path intended to be protected.
  • $remote_addr ensures that only the client's IP address may be used to download the file.
  • secret is a string known only to e107 and your NGINX config so that your users/downloaders cannot generate their own secure links.

If your secure_link_md5 expression contains $secure_link_expires, the secure_link directive should read secure_link $arg_md5,$arg_expires; like in this example server block:

server {
    listen 80;
        server_name secure-link-demo;

        location /files {
            root /var/www;
            secure_link $arg_md5,$arg_expires;
            secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

            if ($secure_link = "") { return 403; }
            if ($secure_link = "0") { return 410; }
        }
}

If your secure_link_md5 expression does not contain $secure_link_expires, the secure_link directive should read secure_link $arg_md5; like in this example server block:

server {
    listen 80;
        server_name secure-link-demo;

        location /files {
            root /var/www;
            secure_link $arg_md5;
            secure_link_md5 "$uri$remote_addr secret";

            if ($secure_link = "") { return 403; }
        }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment