mod_secure_download IP Address-based Authentication
I've been using lighttpd and the excellent mod.secdownload to protect my video site's videos from being hotlinked to by other websites, and it has worked well for the most part. However, some users have reported that hotlinking was still going on, as a script on the hotlinking website simply crawled my site every X minutes and updated its link.
To provide further protection, I thought that secdownload could be made more secure by adding the requesting IP address to the MD5 hash used. This way, only the host for which a link is generated can actually use the link. For example, the string that is hashed currently is:
With the IP-address based filtering enabled, it would be:
I authored a patch (attached) for this purpose, and thought it might be a helpful addition for future versions. The function can be enabled by setting:
secdownload.use-ip-addr = 1
in the configuration file. An example implementation, using PHP, is available at [[ http://18.104.22.168:8080 | http://22.214.171.124:8080 ]].
Updated by phsource over 10 years ago
- This kind of IP-based filtering utterly fails when the end-user is behind a proxy, severely limiting its usefulness
- If it were to be used, the time-based authentication would be redundant, as the goal (preventing other people from using the same link) would already be fulfilled.
So, if you still choose to add this feature, an extra option, secdownload.use-time (which defaults to 1 or true) has been added so that if IP filtering is enabled
Updated by eryretqwewrqr over 6 years ago
patch updated for 1.4.30
somebody offered this as a job on freelancer.com and there was a bid for $200
I decided to do it for less than that...
After reading the terms on the site, I decided that rather than underbid, I would just do it for free.
freelancer.com wanted to take a 10% cut and charges to be able to even bid on project... FUCK that
update for free software shall be free as well
I don't even use this but I did it because I can (and using a BugMeNot login to donate it without the hassle of registering yet another bug tracker account)
Updated by gstrauss about 3 years ago
- Status changed from Patch Pending to Missing Feedback
Thank you, anonymous (eryretqwewrqr) for the (at that time) updated patch. FYI: the reason for requiring registration is to cut down on search engine optimization spam posts, and we're sorry for the inconvenience.
About the patch: as noted, including IP address will break requests coming through proxies.
Separately, removing time from the link is not recommended since lots of people could proxy through the same IP, not just the original requestor.
Given these limitations, the patch has limited utility on the general internet. However, if there is still interest in this patch, please post an update here. I am willing to be convinced about optionally adding IP to the hash as long as it is not enabled by default.
Also available in: Atom