Preface
Many sites now charge for downloads, whether in points or gold coins, and very few resources are free. So how do these sites protect their resources from hotlinking?
Nginx itself provides secure_link for hotlink protection: you can add a timestamp and a checksum to file links, so that files on the server cannot be downloaded arbitrarily.
Sequence diagram
Nginx configuration
Installing Nginx is not covered here; just remember to enable ngx_http_secure_link_module when building it.
./configure --with-http_secure_link_module # add when compiling nginx
Check after installation:
nginx -V
If the following information is displayed, the configuration succeeds:
configure arguments: --with-http_secure_link_module --prefix=/usr/local/nginx --with-http_stub_status_module
Example configuration
server {
    listen 80;
    server_name download.52itstyle.com;
    charset utf-8;
    location / {
        # Two request parameters are used: md5 and expires
        secure_link $arg_md5,$arg_expires;
        # The MD5 hash input is secret + URL + expires, where expires is a timestamp in seconds and URL is the request URI
        secure_link_md5 52itstyle$uri$secure_link_expires;
        # secure_link compares the md5 argument with the hash computed from the secure_link_md5 expression
        if ($secure_link = "") {
            # Checksum missing or hash comparison failed
            return 402;
        }
        if ($secure_link = "0") {
            # Link has expired
            return 405;
        }
        # Set the download file name
        add_header Content-Disposition "attachment; filename=$arg_f";
        alias /data/site/down.52itstyle.com/;
    }
    error_page 500 502 503 504 /50x.html;
    error_page 402 405 /40x.html;
    location = /50x.html {
        root html;
    }
    location = /40x.html {
        root html;
    }
}
Parameters
secure_link
Syntax: secure_link expression;
Default value: none
Context: http, server, location
The expression consists of the checksum and the expiration time. The checksum is compared with the MD5 hash of the expression given in secure_link_md5.
If the two values do not match, the $secure_link variable is an empty string. If they match, the expiration time is checked: the variable is "0" if the link has expired and "1" otherwise.
If the link is time-limited, the expiration time is given as a timestamp, declared after the MD5 hash value and separated from it by a comma. If no expiration time is set, the link is permanently valid.
secure_link_md5
Syntax: secure_link_md5 expression;
Default value: none
Context: http, server, location
The expression specifies the input used to calculate the MD5 hash, which is then compared with the MD5 value passed in the URL. The expression usually contains the URI (for example, for demo.com/s/link the URI is /s/link) and the secret key. If the link is time-limited, the expression must contain $secure_link_expires. The expression can also include client information, such as the client IP address and browser version.
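The check described above can be modelled offline to test backend-generated links. The following Python sketch is an added example, not code from the original page or from Nginx; it assumes the directives `secure_link $arg_md5,$arg_expires;` and `secure_link_md5 52itstyle$uri$secure_link_expires;`, and the names `sign`, `secure_link`, `demo` and the timestamp are constructed for illustration.

```python
import base64
import hashlib
import hmac

SECRET = "52itstyle"  # secret from the page's example config


def sign(uri: str, expires: str, secret: str = SECRET) -> str:
    """Checksum for: secure_link_md5 <secret>$uri$secure_link_expires;"""
    digest = hashlib.md5((secret + uri + expires).encode()).digest()
    # nginx expects base64url without '=' padding
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def secure_link(uri: str, args: dict, server_now: int, secret: str = SECRET) -> str:
    """Model of $secure_link: "" = bad checksum, "0" = expired, "1" = valid."""
    md5_arg, expires = args.get("md5", ""), args.get("expires", "")
    try:
        supplied = base64.urlsafe_b64decode(md5_arg + "=" * (-len(md5_arg) % 4))
    except ValueError:
        return ""
    expected = hashlib.md5((secret + uri + expires).encode()).digest()
    if not hmac.compare_digest(supplied, expected):
        return ""
    if not (expires.isascii() and expires.isdigit()) or int(expires) <= 0:
        return ""
    return "0" if int(expires) < server_now else "1"


def demo() -> dict:
    issued_at = 1_700_000_000  # constructed backend clock reading
    uri = "/2018101025689452.pdf"
    expires = str(issued_at + 300)  # valid for 5 minutes, as in the Java example
    args = {"md5": sign(uri, expires), "expires": expires, "f": "a.pdf"}
    return {
        "valid": secure_link(uri, args, issued_at + 10),
        "expired": secure_link(uri, args, issued_at + 301),
        "other_file": secure_link("/other.pdf", args, issued_at + 10),
        "longer_expiry": secure_link(uri, {**args, "expires": str(issued_at + 9999)}, issued_at + 10),
        # 'f' is not part of the hashed expression, so the checksum does not cover it
        "renamed": secure_link(uri, {**args, "f": "renamed.pdf"}, issued_at + 10),
        # nginx clock 6 minutes ahead of the backend: a fresh link is already expired
        "clock_skew": secure_link(uri, args, issued_at + 360),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:14} -> {value!r}")
```

To have the checksum also cover the download file name, `$arg_f` would need to be part of the secure_link_md5 expression and of the string the backend hashes.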
Java backend configuration
Example, for reference only:
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;

/**
 * Generate a signed download link
 */
public class SecureLink {
    private static String site = "https://down.52itstyle.com/";
    private static String secret = "52itstyle";

    public static String createLink(String path, String fileName) {
        String time = String.valueOf((System.currentTimeMillis() / 1000) + 300); // Valid for 5 minutes
        // Nginx hashes secret + $uri + expires, and $uri starts with "/"
        String md5 = Base64.encodeBase64URLSafeString(DigestUtils.md5(secret + "/" + path + time));
        String url = site + path + "?md5=" + md5 + "&expires=" + time + "&f=" + fileName;
        return url;
    }

    public static void main(String[] args) {
        // Example output:
        // https://down.52itstyle.com/2018101025689452.pdf?md5=FnDYyFzCooI9q8sh1Ffkxg&expires=1539847995&f=Distributed kill architecture.pdf
        System.out.println(createLink("2018101025689452.pdf", "Distributed kill architecture.pdf"));
    }
}
Conclusion
The whole process works somewhat like symmetric encryption: the backend generates the signed address from the key, and the Nginx proxy server verifies it with the same key. If verification passes, the download is allowed.
Another problem turned up during testing: the generated link sometimes failed with a timeout error, which may be caused by a time difference between the backend server and the download server. Synchronizing the system time on both is enough to fix it.
This is indeed a good choice if you run a points-based download service. Note that the key must be changed periodically to guard against disclosure.