Nginx learning how to build a file hotlink protection service example

Preface

Everyone knows that many sites now charge a fee for downloading information, whether it is points or gold coins. It is very rare to get it for free. So how do these websites prevent resource hotlinking?

Here I recommend a tool that is relatively easy to use. Nginx itself provides secure_link to complete the anti-hotlink function, which can add timestamps and verification codes to server file links, thereby protecting server files from being arbitrarily downloaded and stolen.

Timing diagram

Nginx Configuration

I will not go into details about how to install Nginx here. Just remember to enable ngx_http_secure_link_module during installation.

./configure --with-http_secure_link_module #Add when compiling nginx

Installation completion detection:

nginx -V

If the following appears, the configuration is successful:

configure arguments: --with-http_secure_link_module --prefix=/usr/local/nginx --with-http_stub_status_module

Instance Configuration

server {
   listen 80;
   server_name download.52itstyle.com;
   charset utf-8;
   location / {
     #Two parameters are configured here, one is md5 and the other is expires
     secure_link $arg_md5,$arg_expires;
     #The hash format of md5 is secret+url+expires, where expires is the timestamp unit s and url is the request address secure_link_md5 52itstyle$uri$arg_e;
     #Here our md5 is the hash we calculated using the secure_link_md5 method. secure_link will compare the hash value it calculated to see if it is consistent with our md5 parameter if ($secure_link = "") {
       #If the resource does not exist or the hash comparison fails, return 402;
     }
     if ($secure_link = "0") {
       #Failed timeout return 405;
     }
     #Rename the file name add_header Content-Disposition "attachment;filename=$arg_f";
     alias /data/site/down.52itstyle.com/;
   }
   error_page 500 502 503 504 /50x.html;
   error_page 402 405 /40x.html;
   location = /50x.html {
     root html;
   }
   location = /40x.html {
     root html;
   }
}

Parameters

secure_link

Syntax: secure_link expression;

Default value: None

Configuration section: http, server, location

The expression consists of a checksum and an expiration time. The checksum will be compared with the MD5 hash value of the specified parameter in secure_link_md5.

If the two values ​​are inconsistent, the value of the $secure_link variable is empty; if the two values ​​are consistent, an expiration check is performed; if expired, the value of the $secure_link variable is 0; if not expired, it is 1.

If the link is time-sensitive, the expiration time is set using a timestamp, declared after the MD5 hash value, separated by a comma. If no expiration date is set, the link will be valid forever.

secure_link_md5

Syntax: secure_link_md5 expression;

Default value: None

Configuration section: http, server, location

expression specifies the parameters for calculating the md5 hash value, which will be compared and verified with the md5 value passed in the url. The expression generally contains the uri (such as demo.com/s/link uri is /s/link) and the encryption key secret. If the link has a time limit, the expression must contain $secure_link_expires. The expression can also include client information, such as access IP, browser version information, etc.

Java backend configuration

Case, for reference only:

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
/**
 * Generate an encrypted connection */
public class SecureLink {
  private static String site = "https://down.52itstyle.com/";
  private static String secret = "52itstyle";
  public static String createLink(String path,String fileName){
    String time = String.valueOf((System.currentTimeMillis() / 1000) + 300); // Valid for 5 minutes String md5 = Base64.encodeBase64URLSafeString(DigestUtils.md5(secret + path + time));
    String url = site + path + "?md5=" + md5 + "&expires=" + time + "&f="+fileName;
    return url;
  }
  public static void main(String[] args) {
    //https://down.52itstyle.com/2018101025689452.pdf?md5=FnDYyFzCooI9q8sh1Ffkxg&expires=1539847995&f=Distributed seckill architecture.pdf
    System.out.println(createLink("2018101025689452.pdf","Distributed seckill architecture.pdf"));
  }
}

Summarize

The whole encryption process is a bit like symmetric encryption. The backend generates an encrypted address based on the key, and the Nginx proxy server performs decryption verification. If it passes, downloading is allowed.

Another problem was found during the test. The generated link sometimes times out. This may be caused by the inconsistent time between the backend server and the download server. You can synchronize the system time.

If you have friends who provide points download services, this is indeed a good choice. What you need to pay attention to is that you must change the key from time to time to prevent leakage.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.