Hi, mod secdownload

Igor Sysoev is at rambler-co.ru
Fri Jun 15 22:52:16 MSD 2007

On Fri, Jun 15, 2007 at 11:18:44AM -0700, Bedros Hanounik wrote:

> I requested this feature before, and the guy at nginx wiki was kind enough
> to put it on the feature request list.
> http://wiki.codemongers.com/NginxFeatureRequests
> however, I still think it's worth it to add a feature like secdownload to
> nginx; because X-Accel-Redirect does not allow me to create temp link to a
> static file, which expires after a certain time.
> X-Accel-redirect gives me some control to check user authenticity before
> serving the static file (redirecting); my problem with that is I want to
> decouple the web server (checking authenticity) from serving static files.
> with lighttpd secdownload feature, the static file server and web server are
> on different machines; I check  the authenticity of the requester once,
> create the temp link which expires later, then I don't have to worry about
> checking the requester authenticity everytime the file is requested.
> I'm planning on building a website (using django) with a sophisticated
> access control, and I'm leaning toward lighttpd just because of the
> flexibility secdownload feature gives me. However, I really like the
> configuration of nginx; it's easy to read and powerful, even though I'm
> expert in either lighttpd nor in nginx.

Well, mod_secdownload can be easy implemented in nginx using
the access phase module: it should test URI and if it is OK should change it
and pass processing further.

I see one drawback in lighttpd mod_secdownload: it has timeout value on
lighttpd side. I think the auth server should set timestamp when URL
will expire.

Igor Sysoev

More information about the nginx mailing list