mod_secdownload (lua)

mod_secdownload.lua protects files with a time limited code


By default distributions (and make install) should provide the necessary files; but you can always find them in the contrib folder:

  • secdownload.lua
  • secdownload__secdownload.lua

That way you can modify them for your own needs if you have to (although it is recommended to change the names of the files and the actions, so you don’t get conflicts).

secdownload (action)

protect files with a time limited code

secdownload options;
A key-value table with the following entries:
URL path prefix to protect; default "/"
where the secret files are stored on disk
shared secret used to create and verify urls.
how long a generated url is valid in seconds (maximum allowed time difference); default is 60

The prefix is not used to build the filename; include it manually in the document-root (works like alias "/prefix" => "/docroot", see alias).
secdownload doesn’t actually handle the (valid) request, it just provides the mapping to a filename (and rejects invalid requests).


setup {
	module_load "mod_lua";
	lua.plugin "secdownload.lua";
secdownload [ "prefix" => "/sec/", "document-root" => "/secret/path", "secret" => "abc", "timeout" => 600 ];

Generating URLs

To generate URLs that are valid for secdownload you need the same secret.
The url takes the form prefix + md5hex(secret + filepath + timestamp) + '/' + timestamp + filepath; timestamp is the Unix time formatted as hexadecimal number.

For example with PHP:

$secret = "abc";
$uri_prefix = "/sec/";

# filename; please note file name starts with "/"
$f = "/secret-file.txt";

# current timestamp
$t = time();

$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);

# generate link
printf('<a href="%s%s/%s%s">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);

The config example above would map this url to the file /secret/path/secret-file.txt.

For more examples see mod_secdownload (lighttpd 1.4.x).