Feature #1860

mod_secure_download IP Address-based Authentication

Added by phsource over 10 years ago. Updated about 3 years ago.

Status: Missing Feedback
Priority: Normal
Assignee: -
Category: mod_secdownload
Target version:
Start date: 2008-12-26
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

I've been using lighttpd and the excellent mod.secdownload to protect my video site's videos from being hotlinked to by other websites, and it has worked well for the most part. However, some users have reported that hotlinking was still going on, as a script on the hotlinking website simply crawled my site every X minutes and updated its link.

To provide further protection, I thought that secdownload could be made more secure by adding the requesting IP address to the MD5 hash used. This way, only the host for which a link is generated can actually use the link. For example, the string that is hashed currently is:
<secret><rel-path><timestamp-hex>, or

MySecret/File.txt4955586b

With the IP-address based filtering enabled, it would be:
<secret><rel-path><timestamp-hex><ip-addr>, or

MySecret/File.txt4955586b192.168.0.1
or
MySecret/File.txt4955586bfe80::250:8dff:fe64:99a8

I authored a patch (attached) for this purpose, and thought it might be a helpful addition for future versions. The function can be enabled by setting:

secdownload.use-ip-addr = 1

in the configuration file. An example implementation, using PHP, is available at http://66.90.73.42:8080.

Attachments:
secdownload.diff (3.39 KB) - The patch necessary for this feature - phsource, 2008-12-27 02:35
secdownload.diff (6.74 KB) - phsource, 2008-12-28 19:07
secdownload2717.diff (5.36 KB) - phsource, 2010-03-01 02:14
secdownload.diff (4.55 KB) - eryretqwewrqr, 2013-02-27 18:34

Related issues

Related to Feature #1934: mod_sec_download over IP (Duplicate, 2009-03-15)


History

#1

Updated by phsource over 10 years ago

After further testing, I've noticed two things:
  1. This kind of IP-based filtering utterly fails when the end-user is behind a proxy, severely limiting its usefulness
  2. If it were to be used, the time-based authentication would be redundant, as the goal (preventing other people from using the same link) would already be fulfilled.

So, if you still choose to add this feature, an extra option, secdownload.use-time (which defaults to 1 or true) has been added so that if IP filtering is enabled

#2

Updated by stbuehler over 10 years ago

  • Status changed from New to Patch Pending
  • Target version changed from 6 to 1.5.0
  • Patch available changed from Yes to No
#3

Updated by phsource over 9 years ago

New patch:
  • Compatible up to r2717
  • Uses standard boolean configuration options ("enable" and "disable" for use-time, use-ip-addr)
#4

Updated by Olaf-van-der-Spek over 9 years ago

phsource wrote:

  1. This kind of IP-based filtering utterly fails when the end-user is behind a proxy, severely limiting its usefulness

Given this problem I think it should not be included.

#5

Updated by eryretqwewrqr over 6 years ago

patch updated for 1.4.30

somebody offered this as a job on freelancer.com and there was a bid for $200
I decided to do it for less than that...
After reading the terms on the site, I decided that rather than underbid, I would just do it for free.
freelancer.com wanted to take a 10% cut and charges to be able to even bid on project... FUCK that

update for free software shall be free as well

I don't even use this but I did it because I can (and using a BugMeNot login to donate it without the hassle of registering yet another bug tracker account)

#6

Updated by gstrauss about 3 years ago

  • Status changed from Patch Pending to Missing Feedback

Thank you, anonymous (eryretqwewrqr) for the (at that time) updated patch. FYI: the reason for requiring registration is to cut down on search engine optimization spam posts, and we're sorry for the inconvenience.

About the patch: as noted, including IP address will break requests coming through proxies.

Separately, removing time from the link is not recommended since lots of people could proxy through the same IP, not just the original requestor.

Given these limitations, the patch has limited utility on the general internet. However, if there is still interest in this patch, please post an update here. I am willing to be convinced about optionally adding IP to the hash as long as it is not enabled by default.
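
The hash layout from the description, checked against the two limitations raised in the comments (a download request arriving from a different source address, and a link with the time check turned off), as an added Python example that is not part of this thread or of the attached patches. The function names, the 60-second timeout and the sample addresses are assumptions; use_ip and use_time stand in for the proposed secdownload.use-ip-addr and secdownload.use-time options.

```python
import hashlib
import hmac

def make_token(secret, rel_path, ts_hex, ip=None):
    # MD5 over <secret><rel-path><timestamp-hex>[<ip-addr>], the string
    # layout given in the feature description.
    material = secret + rel_path + ts_hex + (ip or "")
    return hashlib.md5(material.encode()).hexdigest()

def verify(secret, token, rel_path, ts_hex, peer_ip, now,
           timeout=60, use_ip=True, use_time=True):
    # peer_ip is the address the server sees on the download connection.
    # timeout is an assumed validity window in seconds.
    if use_time:
        try:
            issued = int(ts_hex, 16)
        except ValueError:
            return "bad-timestamp"
        if abs(now - issued) > timeout:
            return "expired"
    expected = make_token(secret, rel_path, ts_hex, peer_ip if use_ip else None)
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "token-mismatch"
    return "ok"

def demo():
    # Constructed sample values: secret, path and timestamp are the ones
    # used in the description; other_ip is a documentation-range address.
    secret, path, ts = "MySecret", "/File.txt", "4955586b"
    issued = int(ts, 16)
    page_ip = "192.168.0.1"      # address the link was generated for
    other_ip = "198.51.100.9"    # e.g. a different proxy egress address
    tok = make_token(secret, path, ts, page_ip)
    return {
        # Same address, inside the window: accepted.
        "same_ip": verify(secret, tok, path, ts, page_ip, issued + 10),
        # Same user, different egress address: rejected (comments #1, #6).
        "ip_changed": verify(secret, tok, path, ts, other_ip, issued + 10),
        # Same address, an hour later: rejected by the time check.
        "expired": verify(secret, tok, path, ts, page_ip, issued + 3600),
        # Time check off: anyone sharing that address can reuse the link
        # a day later (comment #6).
        "no_time_shared_ip": verify(secret, tok, path, ts, page_ip,
                                    issued + 86400, use_time=False),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```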
