Prevent direct access to files but allow download from site

Reinis Rozitis r at roze.lv
Thu Mar 12 22:30:18 UTC 2020


> The user MUST BE ABLE to download the file from the article pages when
> LOGGED IN.
> If the user is NOT LOGGED IN, he cannot download the file, so even if he
> recovers the URL, he must receive an error or some other type of block.

It's rather difficult to achieve that only with a webserver (as typically a webserver itself has no idea about users being logged in or out, and just relying on a cookie is possible but a rather weak check).

While you can use the secure link module (https://nginx.org/en/docs/http/ngx_http_secure_link_module.html) with expiration, a more common way would be to implement the download check in the application itself and use the nginx X-Accel-Redirect feature - https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/

Without knowing what kind of app (php/python/js/perl etc) you are running it's hard to give an exact example, but the gist of the idea is to:
- place the files outside the webroot
- configure the path as an internal nginx location
- the application then checks if the user has an active session, and then sends the X-Accel-Redirect header with the particular file to nginx, which sends the file to the user.

There should be plenty of samples on the internet.


rr
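The three steps from the reply above, as an added example that is not Reinis's code or nginx's own: an nginx `internal` location in front of a directory outside the webroot, and a minimal Python WSGI handler that checks a server-side session and answers with X-Accel-Redirect. The paths /protected/ and /srv/protected/, port 8000 and the session store are assumptions.

```python
"""Session-gated downloads via X-Accel-Redirect (added example, plain WSGI)."""
import re
from http import cookies
from urllib.parse import quote

# nginx side (assumed layout): files live in /srv/protected, outside the
# webroot, and /protected/ is an internal location only reachable through
# X-Accel-Redirect, so a guessed URL gets a 404 instead of the file.
NGINX_CONFIG = """
location /protected/ {
    internal;
    alias /srv/protected/;
}
location /download/ {
    proxy_pass http://127.0.0.1:8000;   # the WSGI app below
}
"""

# Constructed server-side session store: session id -> user name.
# The check is against this store, not merely "a cookie is present".
SESSIONS = {"s3ss10n-abc": "alice"}

# Bare file names only: no "../", no subdirectories, no header injection.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def authorize_download(cookie_header, path_info):
    """Decide a /download/<name> request; return (status, headers).
    Logged-in users get an X-Accel-Redirect so nginx streams the file
    itself; anyone else gets 403 whether or not they know the URL."""
    jar = cookies.SimpleCookie(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else None
    if sid not in SESSIONS:
        return "403 Forbidden", [("Content-Type", "text/plain")]
    name = path_info[len("/download/"):]
    if not SAFE_NAME.fullmatch(name):
        return "400 Bad Request", [("Content-Type", "text/plain")]
    headers = [
        ("X-Accel-Redirect", "/protected/" + quote(name)),
        ("Content-Disposition", 'attachment; filename="%s"' % name),
    ]
    return "200 OK", headers


def app(environ, start_response):
    """WSGI entry point; nginx proxies /download/ here."""
    status, headers = authorize_download(
        environ.get("HTTP_COOKIE"), environ.get("PATH_INFO", ""))
    start_response(status, headers)
    return [b""]   # nginx, not the app, sends the file body
```

Serve `app` with any WSGI server on port 8000 (for instance `wsgiref.simple_server.make_server`) and point the `proxy_pass` at it.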