Nginx: how to build a file anti-leech service
Preface
Many websites now charge for downloads, whether in points or in gold coins, and very few resources are free. How do these sites protect their files against leeching?
Here we recommend a relatively easy-to-use tool: nginx itself provides the secure_link module for this. It lets you add a timestamp and a verification code to a file link on the server, which protects server files from arbitrary download and theft.
Sequence Chart
Nginx Configuration
Installing nginx is not covered here. When building it, remember to enable ngx_http_secure_link_module.
./configure --with-http_secure_link_module   # add when compiling nginx
Check after installation:
nginx -V
If the output includes --with-http_secure_link_module, as below, the module has been compiled in:
configure arguments: --with-http_secure_link_module --prefix=/usr/local/nginx --with-http_stub_status_module
Example Configuration
server {
    listen       80;
    server_name  download.52itstyle.com;
    charset      utf-8;

    location / {
        # Two request parameters are used here: md5 and expires
        secure_link $arg_md5,$arg_expires;
        # The MD5 input is secret + URI + expires; expires is a timestamp in
        # seconds and the URI is the request address.
        # $secure_link_expires holds the expires value passed to secure_link above.
        secure_link_md5 52itstyle$uri$secure_link_expires;
        # The md5 parameter is the hash we computed the same way as secure_link_md5;
        # secure_link compares the hash it computes with our md5 parameter.
        if ($secure_link = "") {
            # The hash comparison failed (or no hash was supplied)
            return 402;
        }
        if ($secure_link = "0") {
            # The link has expired
            return 405;
        }
        # Rename the downloaded file
        add_header Content-Disposition "attachment; filename=$arg_f";
        alias /data/site/down.52itstyle.com/;
    }

    error_page 500 502 503 504 /50x.html;
    error_page 402 405 /40x.html;

    location = /50x.html {
        root html;
    }
    location = /40x.html {
        root html;
    }
}
secure_link
Syntax: secure_link expression;
Default Value: None
Context: http, server, location
The expression consists of the check value and the expiration time. The check value is compared with the MD5 hash of the expression specified in secure_link_md5.
If the two values do not match, the $secure_link variable is set to an empty string. If they match, the expiration time is checked: if the link has expired, $secure_link is "0"; if it has not expired, it is "1".
If the link is time-limited, the expiration time is given as a timestamp, declared after the MD5 hash value and separated from it by a comma. If no expiration time is set, the link is valid permanently.
secure_link_md5
Syntax: secure_link_md5 expression;
Default Value: None
Context: http, server, location
The expression specifies the string over which the MD5 hash is computed. That hash is compared with the MD5 value passed in the URL. The expression generally contains the URI (for example, for demo.com/s/link the URI is /s/link) and the secret key. If the link has a validity period, the expression must contain $secure_link_expires. The expression can also include client information, for example the client IP address and browser version.
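The check described by the two directives above, mirrored in Python as an added example (it is not from the original article or from nginx itself). The function names and the fixed timestamp are assumptions; the secret and file name are the article's sample values, and the cases show why a link comes back as "" or "0".

```python
import base64
import hashlib
import hmac

SECRET = "52itstyle"  # sample secret from the article's configuration


def sign(secret: str, uri: str, expires: int) -> str:
    """URL-safe Base64 (padding stripped) of MD5(secret + uri + expires)."""
    digest = hashlib.md5(f"{secret}{uri}{expires}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def secure_link(secret: str, uri: str, md5_arg: str, expires_arg: str, now: int) -> str:
    """Value $secure_link would take: "" = bad hash, "0" = expired, "1" = valid."""
    try:
        expires = int(expires_arg)
        supplied = base64.urlsafe_b64decode(md5_arg + "=" * (-len(md5_arg) % 4))
    except ValueError:  # non-numeric expires or undecodable hash
        return ""
    expected = hashlib.md5(f"{secret}{uri}{expires_arg}".encode()).digest()
    # compare_digest is this example's choice for a timing-safe comparison
    if len(supplied) != 16 or not hmac.compare_digest(supplied, expected):
        return ""
    return "0" if expires < now else "1"


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed cases; `now` is an arbitrary sample timestamp."""
    uri = "/2018101025689452.pdf"  # $uri always begins with "/"
    expires = now + 300            # five-minute lifetime, as in the Java backend
    token = sign(SECRET, uri, expires)
    return {
        "valid": secure_link(SECRET, uri, token, str(expires), now),
        # download server's clock runs 10 minutes ahead of the backend
        "clock_skew": secure_link(SECRET, uri, token, str(expires), now + 600),
        # client extends the lifetime without knowing the secret
        "tampered_expires": secure_link(SECRET, uri, token, str(expires + 3600), now),
        # backend signed the path without the leading slash
        "no_leading_slash": secure_link(SECRET, uri, sign(SECRET, uri[1:], expires), str(expires), now),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value!r}")
```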
Java backend Configuration
An example, for reference only:
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;

/**
 * Generates signed download links
 */
public class SecureLink {
    private static String site = "https://down.52itstyle.com/";
    private static String secret = "52itstyle";

    public static String createLink(String path, String fileName) {
        // Expiry timestamp in seconds: valid for 5 minutes
        String time = String.valueOf((System.currentTimeMillis() / 1000) + 300);
        // nginx's $uri starts with "/", so the hashed string must include it too
        String md5 = Base64.encodeBase64URLSafeString(DigestUtils.md5(secret + "/" + path + time));
        String url = site + path + "?md5=" + md5 + "&expires=" + time + "&f=" + fileName;
        return url;
    }

    public static void main(String[] args) {
        // Prints a link of the form
        // https://down.52itstyle.com/2018101025689452.pdf?md5=...&expires=...&f=...
        System.out.println(createLink("2018101025689452.pdf", "2018101025689452.pdf"));
    }
}
Summary
The whole scheme works like symmetric cryptography in that both sides share one secret key: the backend generates a signed address from the key, and the nginx server recomputes the hash and verifies it. If verification succeeds, the download is allowed.
A problem also turned up during testing: the generated link sometimes fails as expired, which may be caused by the clocks of the backend server and the download server being out of step. Synchronizing the system time fixes it.
If you have a friend who runs a points-based download service, this is indeed a good choice. Note that you must change the key from time to time in case it leaks.
Reference
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html