Preface

We all know that many sites now charge for downloads, whether in points or gold coins; very few let you download for free. So how do these sites protect their resources against hotlinking?

Nginx itself provides secure_link for this purpose: it lets you attach a timestamp and a verification hash to the link of a file on the server, so that the file cannot be downloaded at will by anyone who guesses its URL.

Sequence diagram (figure not reproduced here)

Nginx configuration

Installing Nginx is not described here; just remember to enable ngx_http_secure_link_module when compiling.

./configure --with-http_secure_link_module   # add this when compiling nginx

Check after installation:

nginx -V

If the output contains the following, the module is enabled:

configure arguments: --with-http_secure_link_module --prefix=/usr/local/nginx --with-http_stub_status_module

Example configuration

server {
    listen       80;
    server_name  download.52itstyle.com;
    charset utf-8;

    location / {
        # Two parameters, comma separated: the md5 hash and the expiration timestamp
        secure_link $arg_md5,$arg_expires;
        # The hash is computed over secret + URI + expires, where expires is a Unix timestamp
        # in seconds and $uri is the request path; $secure_link_expires is the expires value
        # taken from the secure_link directive above
        secure_link_md5 "52itstyle$uri$secure_link_expires";
        if ($secure_link = "") {
            # resource does not exist or hash comparison failed
            return 402;
        }
        if ($secure_link = "0") {
            # link has expired
            return 405;
        }
        # rename the downloaded file
        add_header Content-Disposition "attachment; filename=$arg_f";
        alias /data/site/down.52itstyle.com/;
    }

    error_page 500 502 503 504 /50x.html;
    error_page 402 405 /40x.html;
    location = /50x.html { root html; }
    location = /40x.html { root html; }
}

Parameters

secure_link

Syntax: secure_link expression; Default value: none; Context: http, server, location

The expression consists of the checksum and the expiration time. The checksum is compared with the MD5 hash of the parameters specified in secure_link_md5.

If the two values do not match, the secure_link variable is 0; if they match, it is 1.

If the link is time-limited, the expiration time is given as a timestamp, declared after the MD5 hash value and separated from it by a comma. If no expiration time is set, the link is valid permanently.

secure_link_md5

Syntax: secure_link_md5 expression; Default value: none; Context: http, server, location

The expression specifies the parameters used to compute the MD5 hash. The result is compared with the MD5 value passed in the URL. The expression usually contains the URI (for example, for demo.com/s/link the URI is /s/link) and the secret key. If the link is time-limited, the expression must also contain $secure_link_expires. The expression can additionally include client information, such as the client IP address or browser version.

Java backend configuration

Example, for reference only:

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;

/**
 * Generate a signed download link
 */
public class SecureLink {
	private static String site = "https://down.52itstyle.com/";
	private static String secret = "52itstyle";

	public static String createLink(String path, String fileName) {
		String time = String.valueOf((System.currentTimeMillis() / 1000) + 300); // valid for 5 minutes
		// Nginx hashes secret + $uri + expires, and $uri carries the leading slash, so include it here
		String md5 = Base64.encodeBase64URLSafeString(DigestUtils.md5(secret + "/" + path + time));
		String url = site + path + "?md5=" + md5 + "&expires=" + time + "&f=" + fileName;
		return url;
	}

	public static void main(String[] args) {
		// e.g. https://down.52itstyle.com/2018101025689452.pdf?md5=FnDYyFzCooI9q8sh1Ffkxg&expires=1539847995&f=Distributed kill architecture.pdf
		System.out.println(createLink("2018101025689452.pdf", "Distributed kill architecture.pdf"));
	}
}
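To make the contract between the two sides concrete, here is an added Python example (not the page's Java code nor anything from Nginx) that does both halves: create_link() builds the URL the way the back end above does, and check_link() reproduces what the Nginx configuration evaluates, returning the same three values $secure_link takes ("" for a bad or missing hash, "0" for an expired link, "1" for a valid one). The secret and host are the page's sample values; the `now` parameter is an assumption added so that the expiry check, and the clock-skew failure mentioned in the conclusion, can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Sample values taken from the page's configuration; everything else here is an
# added illustration of the secure_link contract, not code from the page.
SECRET = "52itstyle"                 # literal prefix in secure_link_md5
SITE = "https://down.52itstyle.com"  # the download host
TTL_SECONDS = 300                    # links stay valid for 5 minutes


def md5_token(secret: str, uri: str, expires: int) -> str:
    """MD5(secret + $uri + expires), base64url-encoded without '=' padding,
    which is the form secure_link expects in the md5 query argument."""
    digest = hashlib.md5(f"{secret}{uri}{expires}".encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def create_link(path: str, file_name: str, now: Optional[int] = None,
                ttl: int = TTL_SECONDS) -> str:
    """Back-end side: build the signed URL the Nginx configuration will accept."""
    uri = "/" + path.lstrip("/")  # $uri always carries the leading slash
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    query = urlencode({"md5": md5_token(SECRET, uri, expires),
                       "expires": expires, "f": file_name})
    return f"{SITE}{uri}?{query}"


def check_link(url: str, now: Optional[int] = None) -> str:
    """Nginx side: reproduce the value of $secure_link for a request.
    ''  -> md5 argument missing or does not match   (the config returns 402)
    '0' -> hash matches but the link has expired     (the config returns 405)
    '1' -> hash matches and the link is still valid  (download allowed)"""
    parsed = urlparse(url)
    args = parse_qs(parsed.query)
    md5 = args.get("md5", [""])[0]
    expires_raw = args.get("expires", [""])[0]
    if not md5 or not expires_raw.isdigit():
        return ""
    expires = int(expires_raw)
    expected = md5_token(SECRET, parsed.path, expires)
    # constant-time comparison so response timing does not leak which bytes matched
    if not hmac.compare_digest(md5, expected):
        return ""
    now = int(time.time()) if now is None else int(now)
    return "1" if expires >= now else "0"


if __name__ == "__main__":
    link = create_link("2018101025689452.pdf", "report.pdf")
    print(link)
    print(check_link(link))  # "1" on the machine that generated the link
```

Two things the code makes visible that the prose does not: the hash covers only the secret, the URI and the expiry, so the f parameter that drives Content-Disposition is not authenticated and can be altered by the client without affecting the check; and because the expiry is compared against the verifier's own clock, a download server whose clock runs ahead of the back end will return "0" for links that were just generated, which is the timeout failure described in the conclusion.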

Conclusion

The whole scheme works somewhat like symmetric cryptography: both sides share a secret key, the back end generates the signed address with it, and the Nginx proxy server recomputes the hash to verify the link. If the check passes, the download is allowed.

Another problem came up in testing: a generated link would sometimes fail with a timeout error. This is likely caused by a time difference between the back-end server and the download server, and synchronizing the system clocks is enough to fix it.

This is a good choice if you run a points-based download service with partners. Note that the key must be rotated periodically in case it is disclosed.

Reference

Nginx.org/en/docs/htt…