Objective
We all know that many sites charge for downloads, whether in points or coins, and very few are free. So how do these sites protect their resources against hotlinking?
Here is a tool that is relatively easy to get started with: Nginx itself provides the secure_link module for hotlink protection. It lets you add a timestamp and a check code to the file links on the server, so that the server's files cannot be downloaded by just anyone.
Timing Diagram
Nginx Configuration
How to install nginx is not repeated here; when installing, just remember to enable ngx_http_secure_link_module.
./configure --with-http_secure_link_module # add when compiling nginx
Check after the installation completes:
nginx -V
If the following output appears, the configuration succeeded:
configure arguments: --with-http_secure_link_module --prefix=/usr/local/nginx --with-http_stub_status_module
Example Configuration
    server {
        listen       80;
        server_name  download.52itstyle.com;
        charset utf-8;
        location / {
            # two parameters are configured here: one is md5, the other is expires
            secure_link $arg_md5,$arg_expires;
            # the md5 hash format is secret+url+expires; expires is a timestamp in seconds, url is the request address
            secure_link_md5 52itstyle$uri$secure_link_expires;
            # our md5 is the hash we computed following the secure_link_md5 format;
            # secure_link checks whether the hash it computes matches our md5 parameter
            if ($secure_link = "") {
                # resource does not exist or hash comparison failed
                return 402;
            }
            if ($secure_link = "0") {
                # expired
                return 405;
            }
            # rename the file
            add_header Content-Disposition "attachment;filename=$arg_f";
            alias /data/site/down.52itstyle.com/;
        }
        error_page 500 502 503 504 /50x.html;
        error_page 402 405 /40x.html;
        location = /50x.html {
            root html;
        }
        location = /40x.html {
            root html;
        }
    }
Parameter Details
secure_link
Syntax: secure_link expression;
Default value: None
Context: http, server, location
The expression consists of a checksum and an expiration time; the checksum is compared with the MD5 hash of the expression specified in secure_link_md5.
If the two values do not match, the $secure_link variable is set to an empty string. If they match, the expiration time is checked: if the link has expired, the value of $secure_link is 0; if it has not expired, the value is 1.
If the link is time-limited, the expiration time is given as a timestamp, declared after the MD5 hash and separated from it by a comma. If no expiration time is set, the link is permanently valid.
secure_link_md5
Syntax: secure_link_md5 expression;
Default value: None
Context: http, server, location
The expression specifies the string over which the MD5 hash is computed; that hash is compared with the MD5 value passed in the URL. The expression typically contains the URI (for example, for demo.com/s/link the URI is /s/link) and a secret key. If the link has an expiration time, the expression needs to contain $secure_link_expires. The expression can also include client information, such as the client IP address, browser version information, and so on.
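The check described above, modelled in Python as an added example (not code from the original page or from nginx). It is a simplified model that assumes the hashed expression is secret + $uri + expires, as the configuration comments describe; the function names and the clock value are made up for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

SECRET = "52itstyle"  # the page's demo secret; real deployments need a long random one


def token(uri: str, expires: str, secret: str = SECRET) -> str:
    """base64url(MD5(secret + uri + expires)) with '=' padding removed."""
    digest = hashlib.md5((secret + uri + expires).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_link(uri: str, ttl: int, now: int) -> str:
    """Backend side: uri must be exactly what nginx sees in $uri (leading '/')."""
    expires = str(now + ttl)
    return f"{uri}?md5={token(uri, expires)}&expires={expires}"


def secure_link(link: str, now: int) -> str:
    """Simplified model of the $secure_link value: '' / '0' / '1'."""
    parts = urlsplit(link)
    args = parse_qs(parts.query)
    md5_arg = args.get("md5", [""])[0]
    expires = args.get("expires", [""])[0]
    if not md5_arg or not expires.isdecimal():
        return ""  # nothing to verify -> the config answers 402
    expected = token(parts.path, expires)
    if not hmac.compare_digest(expected.encode(), md5_arg.encode()):
        return ""  # hash mismatch: edited path, edited expiry or wrong secret
    if int(expires) < now:
        return "0"  # hash is fine but the link has expired -> the config answers 405
    return "1"


if __name__ == "__main__":
    NOW = 1539847695  # constructed clock value
    link = sign_link("/2018101025689452.pdf", 300, NOW)
    print(link, repr(secure_link(link, NOW)))
    print("6 minutes later:", repr(secure_link(link, NOW + 360)))
    edited = link.replace("expires=1539847995", "expires=1999999999")
    print("expiry edited:", repr(secure_link(edited, NOW)))
    # Signing the path without its leading '/' never matches what the server hashes.
    bad = "/2018101025689452.pdf?md5=" + token("2018101025689452.pdf", "1539847995") + "&expires=1539847995"
    print("signed without leading '/':", repr(secure_link(bad, NOW)))
```

Because the expiry is compared against the verifying server's clock, a download server running ahead of the backend by more than the link lifetime yields "0" for freshly issued links.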
Java Back-end configuration
An example, for reference only:
    import org.apache.commons.codec.binary.Base64;
    import org.apache.commons.codec.digest.DigestUtils;

    /**
     * Generate the secure link
     */
    public class SecureLink {
        private static String site = "https://down.52itstyle.com/";
        private static String secret = "52itstyle";

        public static String createLink(String path, String fileName) {
            String time = String.valueOf((System.currentTimeMillis() / 1000) + 300); // valid for 5 minutes
            // nginx hashes secret + $uri + expires, and $uri begins with "/"
            String md5 = Base64.encodeBase64URLSafeString(DigestUtils.md5(secret + "/" + path + time));
            String url = site + path + "?md5=" + md5 + "&expires=" + time + "&f=" + fileName;
            return url;
        }

        public static void main(String[] args) {
            // prints a link of the form
            // https://down.52itstyle.com/2018101025689452.pdf?md5=FnDYyFzCooI9q8sh1Ffkxg&expires=1539847995&f=分布式秒杀架构.pdf
            System.out.println(createLink("2018101025689452.pdf", "分布式秒杀架构.pdf"));
        }
    }
Summary
The whole process works a bit like symmetric encryption, in that both sides share one key: the backend generates the signed address from the key, the Nginx server recomputes the hash and checks it, and if the check passes the download is allowed.
Testing also turned up a problem: the generated link is sometimes rejected as expired. This may be caused by the clocks of the back-end server and the download server not being in step; synchronizing the system time fixes it.
If you run a points-based download service, this is indeed a good choice. It is important to note that the key must be replaced periodically to prevent leakage.
Reference
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
How to build the file anti-theft chain service for Nginx learning