Re: Re: how to secure downloading mp3 or flv files in nginx

[XUFENG]

To Thanos Chatziathanassiou,
Yes,if our url does not expire,then you can put my video on your website (actually you link to my video),and that is what we donot want to see,module_access_key cannot relove this.
------------------				 
XUFENG
2009-06-15

-------------------------------------------------------------
发件人：Thanos Chatziathanassiou
发送日期：2009-06-15 17:33:28
收件人：nginx
抄送：
主题：Re: how to secure downloading mp3 or flv files in nginx

On Mon, 15 Jun 2009 13:11:09 +0400, Igor Sysoev wrote:

> On Mon, Jun 15, 2009 at 05:05:31PM +0800, Delta Yeh wrote:
> 
>> Please refer to secure_link module
> 
> No, ngx_http_secure_link has no timestamp information, it's just for URL
> validating.
> 

I've found nginx-accesskey module 
(http://wiki.nginx.org/Nginx3rdPartyModules#Access_Key_Module) 
quite useful for this.

something like:

        location ~ \.flv$ {
            accesskey   on;
            accesskey_hashmethod        md5;
            accesskey_arg       "key";

            accesskey_signature "secret_$remote_addr";
        }

in the config and  then the link would be 

http://host/download.php?key=<md5 hash of secret_REMOTE_ADDR>

mind you, the link will be available indefinitely (ie will not expire) 
and won't work if the users REMOTE_ADDR changes between requests (eg is 
behind a round-robin cluster of proxies).
But perhaps another variable can control both these factors..