Use the X-Accel-Redirect response header in nginx to control file downloads

Source: Internet
Author: User

Web applications often serve file downloads. If the files are private and the web server serves them directly, there is no opportunity to check download permission. In the past, when permissions were required, the application language checked the permission, then read the file and output it itself. This solved the permission problem, but reading files in the application language is inefficient: if the files are large or many downloads run concurrently, the server is soon overwhelmed.

To address this, web server software provides a solution: use a response header to control the download. HTTP servers such as Squid, Apache, lighttpd and nginx currently support this method, but their response header names differ:

nginx: X-Accel-Redirect
Squid: X-Accelerator-Vary
Apache: X-Sendfile
Lighttpd: X-SendFile/X-LIGHTTPD-send-file

The principle of using a response header to control downloads is similar in each case:

When the client requests a file, the response carries no X-Accel-Redirect header yet, so the web server does not output the file to the client immediately; instead, it passes the request to the backend application. The backend verifies that the client may download the file, writes the corresponding X-Accel-Redirect header, and ends processing. That header is returned to the front-end web server, which checks for it and only then outputs the file to the client.

What if the client spoofs an X-Accel-Redirect header to read the data? That does not work: the file cannot be downloaded, because the web server only recognizes an X-Accel-Redirect header sent from the backend.

So we will use nginx to implement the above process:

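1. Change the directory permission, so that when a client initiates a request, all requests for this directory are sent to the backend.

    location /mp3/ {
        alias /Data/html/mp3/;
        # Only internal requests (such as an X-Accel-Redirect) may use this location.
        internal;
        # nginx answers external requests to an internal location with 404,
        # so that is the code handed to the backend.
        error_page 404 =200 @backend;
    }

    location @backend {
        proxy_pass http://www.sudone.com;
    }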

In this way.

2. Configure a rewrite on the backend server

    rewrite ^/mp3/(.*)$ /read_file.php?id=$1 last;

The purpose of this rewrite is to forward a request such as http://www.sudone.com/mp3/1.mp3 to a PHP script, which then handles it.

3. Write a PHP program to check permissions

For example, to allow downloads only within a specified time window:

    <?php
    // Current hour of the day (0-23).
    $hour = getdate()['hours'];
    // Allow the download only during the permitted hours.
    if ($hour >= 19 && $hour <= 23)
    {
        header('Content-Type: application/octet-stream');
        // Tell the front-end nginx which internal file to send.
        header('X-Accel-Redirect: /mp3/.mongoid.htm');
    }
    ?>

The X-Accel-Redirect header is output only during the evening hours that the code checks for. Its content is the file address. Once the X-Accel-Redirect header is output, the file can be downloaded; otherwise, the client gets nothing. So files can be downloaded only during that evening window; at other times it won't work.

In this way, the configuration is complete.
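
The PHP in step 3 never looks at the id that the rewrite in step 2 passes in, although that value comes from the client and decides which file nginx sends. The following read_file.php is an added example, not the original author's code: it validates id before placing it in X-Accel-Redirect and refuses everything else. The allowed file-name pattern and the function names accel_path_for, user_may_download and respond are assumptions.

```php
<?php
// Added example, not the original author's code. Assumptions: file names are
// letters, digits, '_' or '-' plus ".mp3", and user_may_download() stands in
// for the application's real permission check (here the page's hour window).

// Map the client-supplied id to an internal URI, or null if it is not allowed.
function accel_path_for(string $id): ?string
{
    // Allow-list one path segment: no '/', "..", '%' or control characters.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.mp3\z/', $id)) {
        return null;
    }
    return '/mp3/' . $id;
}

function user_may_download(int $hour): bool
{
    return $hour >= 19 && $hour <= 23;
}

// Decide the response: [status code, headers to send].
function respond(string $id, int $hour): array
{
    $path = accel_path_for($id);
    if ($path === null) {
        return [400, []];
    }
    if (!user_may_download($hour)) {
        return [403, []];
    }
    return [200, ['Content-Type: application/octet-stream', 'X-Accel-Redirect: ' . $path]];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: [id, hour of day].
    $samples = [['1.mp3', 20], ['1.mp3', 9], ['../other/file', 20], ['a/b.mp3', 20]];
    foreach ($samples as [$id, $hour]) {
        [$status, $headers] = respond($id, $hour);
        echo str_pad($id, 16), $status, ' ', implode('; ', $headers), PHP_EOL;
    }
    exit;
}

$id = $_GET['id'] ?? '';
[$status, $headers] = respond(is_string($id) ? $id : '', (int) getdate()['hours']);
http_response_code($status);
foreach ($headers as $line) {
    header($line);
}
```

Because the front end's error_page directive uses =200, a refusal from this script still reaches the client with status 200; writing = with no code after it passes the backend's own status through.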
