
Learning Nginx: how to build a file hotlink protection service

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Preface

Many sites now charge for downloads, whether in points or gold coins, and very little is free. So how do these websites implement hotlink protection for their resources?

A relatively easy-to-use tool is recommended here. Nginx itself provides secure_link for hotlink protection: it adds a timestamp and a check code to file links, protecting server files from being downloaded and misappropriated.

Time sequence diagram

Nginx configuration

How to install Nginx is not covered here; just remember to enable ngx_http_secure_link_module during installation.

    ./configure --with-http_secure_link_module   # added when compiling nginx

After installation, test:

    nginx -V

If the output contains the following, the configuration succeeded:

    configure arguments: --with-http_secure_link_module --prefix=/usr/local/nginx --with-http_stub_status_module

Instance configuration

    server {
        listen 80;
        server_name download.52itstyle.com;
        charset utf-8;
        location / {
            # two parameters are configured, one is md5 and the other is expires
            secure_link $arg_md5,$arg_expires;
            # the md5 hash input is secret+url+expires; expires is a timestamp in seconds, url is the request address
            secure_link_md5 52itstyle$uri$arg_expires;
            # the md5 parameter is the hash we calculated the same way as secure_link_md5;
            # secure_link compares the hash it calculates with our md5 parameter
            if ($secure_link = "") {
                # resource does not exist or hash comparison failed
                return 402;
            }
            if ($secure_link = "0") {
                # link has expired
                return 405;
            }
            # rename the downloaded file
            add_header Content-Disposition "attachment;filename=$arg_f";
            alias /data/site/down.52itstyle.com/;
        }
        error_page 500 502 503 504 /50x.html;
        error_page 402 405 /40x.html;
        location = /50x.html {
            root html;
        }
        location = /40x.html {
            root html;
        }
    }

Parameter details

secure_link

Syntax: secure_link expression

Default value: none

Configuration segment: http, server, location

The expression consists of a check value and an expiration time. The check value is compared with the MD5 hash of the expression specified in secure_link_md5.

If the two values are inconsistent, the value of the $secure_link variable is empty; if the two values are the same, the expiration check is performed; if the link has expired, the value of the $secure_link variable is 0; if it has not expired, it is 1.

If the link is time-limited, the expiration time is set with a timestamp, declared after the MD5 hash value and separated from it by a comma. If the expiration time is not set, the link is permanent.

secure_link_md5

Syntax: secure_link_md5 expression

Default value: none

Configuration segment: http, server, location

The expression specifies the input used to calculate the MD5 hash, which is checked against the MD5 value passed in the URL. The expression generally contains the uri (for example, for demo.com/s/link the uri is /s/link) and the secret key. If the link is time-limited, the expression needs to contain $secure_link_expires. The expression can also include client information, such as the client IP or browser version.
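The check described above, modelled in Python as an added example (not code from the original article or from Nginx). The names token, create_link and secure_link are hypothetical, the clock values are constructed, and the client_ip parameter assumes $remote_addr has been appended to the secure_link_md5 expression.

```python
import base64
import hashlib
import hmac
import time

SECRET = "52itstyle"  # example key from the page; use a long random value in practice


def token(uri, expires, client_ip=""):
    """base64url(md5(secret + uri + expires [+ client_ip])) without '=' padding."""
    raw = hashlib.md5(f"{SECRET}{uri}{expires}{client_ip}".encode()).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def create_link(site, uri, ttl=300, now=None, client_ip=""):
    """Back-end side. uri must start with '/', because nginx hashes $uri."""
    if not uri.startswith("/"):
        raise ValueError("uri must start with '/' to match nginx $uri")
    expires = int(time.time() if now is None else now) + ttl
    return f"{site.rstrip('/')}{uri}?md5={token(uri, expires, client_ip)}&expires={expires}"


def secure_link(uri, md5, expires, now=None, client_ip=""):
    """Model of $secure_link: "" = hash mismatch, "0" = expired, "1" = valid."""
    try:
        exp = int(expires)
    except (TypeError, ValueError):
        return ""
    if exp <= 0:
        return ""
    expected = token(uri, str(expires), client_ip)
    if not hmac.compare_digest(expected.encode(), str(md5).encode()):
        return ""
    now = int(time.time() if now is None else now)
    return "0" if exp < now else "1"


if __name__ == "__main__":
    t0 = 1700000000  # constructed clock value for a repeatable demo
    uri = "/2018101025689452.pdf"
    link = create_link("https://down.52itstyle.com/", uri, now=t0)
    md5, exp = link.split("md5=")[1].split("&")[0], link.split("expires=")[1]
    print(link)
    print("fresh         ->", repr(secure_link(uri, md5, exp, now=t0)))
    print("after expiry  ->", repr(secure_link(uri, md5, exp, now=t0 + 301)))
    print("other file    ->", repr(secure_link("/other.pdf", md5, exp, now=t0)))
    print("later expires ->", repr(secure_link(uri, md5, str(int(exp) + 3600), now=t0)))
    # A back end whose clock is 10 minutes behind issues links that are already expired
    late = create_link("https://down.52itstyle.com/", uri, now=t0 - 600)
    l_md5, l_exp = late.split("md5=")[1].split("&")[0], late.split("expires=")[1]
    print("clock skew    ->", repr(secure_link(uri, l_md5, l_exp, now=t0)))
```

The f parameter used for Content-Disposition in the configuration is not part of the hashed expression, so changing it does not invalidate a link.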

Java backend configuration

Case, for reference only:

    import org.apache.commons.codec.binary.Base64;
    import org.apache.commons.codec.digest.DigestUtils;

    /**
     * Generate the encrypted link
     */
    public class SecureLink {
        private static String site = "https://down.52itstyle.com/";
        private static String secret = "52itstyle";

        public static String createLink(String path, String fileName) {
            // expiry timestamp in seconds, valid for 5 minutes
            String time = String.valueOf((System.currentTimeMillis() / 1000) + 300);
            // Nginx hashes $uri, which starts with "/", so the slash must be part of the hashed string
            String md5 = Base64.encodeBase64URLSafeString(DigestUtils.md5(secret + "/" + path + time));
            String url = site + path + "?md5=" + md5 + "&expires=" + time + "&f=" + fileName;
            return url;
        }

        public static void main(String[] args) {
            // https://down.52itstyle.com/2018101025689452.pdf?md5=FnDYyFzCooI9q8sh2Ffkxg&expires=1539847995&f=distributed second kill architecture .pdf
            System.out.println(createLink("2018101025689452.pdf", "distributed second kill architecture .pdf"));
        }
    }

Summary

The whole process is somewhat like symmetric encryption. The back end generates the protected address from the key, and the Nginx proxy server verifies it with the same key. If verification passes, the download is allowed.

A problem was also found in testing: the generated link sometimes reported a timeout failure, which may be caused by the clocks of the back-end server and the download server being out of sync. Synchronizing the system time fixes this.

If you run a points-based download service, this is indeed a good choice. Note that the key must be changed from time to time to prevent disclosure.

Reference

http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
