Migrating from Lighttpd : mod_secdownload show-stopper ?

Francis Daly francis at daoine.org
Tue Feb 22 15:20:20 MSK 2011

On Tue, Feb 22, 2011 at 05:03:00AM -0500, thoseg wrote:

Hi there,

> I have some (strong) requirements like to not modify the application
> code or to do as few changes in the platform's
> configuration/architecture as possible. Thus I'm using Igor's example
> that seemed to me the best choice for migration from Lighttpd to Nginx.

> Secured link :
> http://secure.domain.com/get/24b9cb61c9c2c9070038aceaaf7bae5a/4d63842e/2/H264-384x288/04/85/3120485.h264

That link includes a (lighttpd) 32-byte "hex-ascii" md5sum representation.

nginx's http_secure_link_module uses a 22-byte base64 encoded md5sum.

You can't convert the one into the other using just nginx configuration.

If you want to use http_secure_link_module, you will have to modify the
application code, or modify the http_secure_link_module code, or, maybe,
try using an embedded interpreter within the nginx config to massage
the url and issue a rewrite or redirect.

That last "maybe" option also counts as coding.

Not thought through properly, of course, but could it work if your
"/get" location calculated the nginx equivalent of the 32-byte string,
and then rewrote or redirected to another location, which was handled
normally by http_secure_link_module?

You'd also have to worry about the "time" string -- you could recalculate
it in the same way, but since it is involved in the md5sum calculation,
it wouldn't work trivially. So that looks like a "no".

> As far as I understand I got a "403" every time I'm trying to validate
> the URL. That means $secure_link is empty and I don't know why... Of

It's because the (representation of the) hash is incorrect. 32 vs
22 bytes.

> It will be (really) better if I can keep my actual link format with the
> expiration time given in hex not in epoch but if there is no other
> solution, I will change the application's code.

To use the vanilla nginx http_secure_link_module, your old links will
be broken, and you'll have to change the application's code.

Unless there's something major I've missed.

Good luck with it,

Francis Daly        francis at daoine.org
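
Added example, not part of the original message and not code from lighttpd or nginx: it parses the link quoted in the thread, re-encodes the 32-character hex md5 as the 22-character unpadded URL-safe base64 form, and shows that hashing the hex time string and the decimal epoch string gives different digests. The function names, the `secret + rel_path + time` input layout and the secret value are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Link quoted in the thread; lighttpd layout: <prefix><md5-hex>/<time-hex>/<rel-path>
LINK = "/get/24b9cb61c9c2c9070038aceaaf7bae5a/4d63842e/2/H264-384x288/04/85/3120485.h264"


def parse_lighttpd_link(path, prefix="/get/"):
    """Split a mod_secdownload-style path into (token_hex, time_hex, rel_path)."""
    if not path.startswith(prefix):
        raise ValueError("unexpected prefix")
    token_hex, time_hex, rel = path[len(prefix):].split("/", 2)
    if not re.fullmatch(r"[0-9a-fA-F]{32}", token_hex):
        raise ValueError("token is not a 32-character hex md5")
    if not re.fullmatch(r"[0-9a-fA-F]{1,8}", time_hex):
        raise ValueError("timestamp is not hex")
    return token_hex.lower(), time_hex, "/" + rel


def hex_to_b64url(token_hex):
    """Same 16 digest bytes, re-encoded as unpadded URL-safe base64 (22 chars)."""
    raw = bytes.fromhex(token_hex)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_to_hex(token_b64):
    """Inverse of hex_to_b64url: restore the padding, decode, hex-encode."""
    padded = token_b64 + "=" * (-len(token_b64) % 4)
    return base64.urlsafe_b64decode(padded).hex()


def tokens_for_both_time_forms(secret, rel_path, time_hex):
    """md5 over the hex time string vs. over the decimal epoch string.

    Assumed input layout (secret + rel_path + time) and a constructed secret;
    the point is only that the time string is hashed, so changing its
    representation changes the digest.
    """
    epoch = str(int(time_hex, 16))
    digest = lambda s: hashlib.md5(s.encode()).hexdigest()
    return digest(secret + rel_path + time_hex), digest(secret + rel_path + epoch)


if __name__ == "__main__":
    token, t_hex, rel = parse_lighttpd_link(LINK)
    print(len(token), token)
    print(len(hex_to_b64url(token)), hex_to_b64url(token))
    print(t_hex, "->", int(t_hex, 16))
    print(tokens_for_both_time_forms("constructed-secret", rel, t_hex))
```

The digest re-encoding is lossless, so only the representation differs; the time string cannot be converted the same way because it is an input to the hash.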
