I have a block using the secure_link module in an nginx conf file contained in this pastebin: https://pastebin.com/dyZmNsRe
location ^~ /file/ {
root /var/www/html;
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$remote_addr$uri 6v#Q6zu3BEk4Y27Rkig7dKjW@Vd6YHV";
if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 410; }
add_header Content-Disposition "attachment; filename=$arg_name";
}
And this python script to generate the urls in this pastebin: https://pastebin.com/DdNkhmBs
import base64, sys, hashlib
import time
# Set the expiration time (in seconds)
expires = int(time.time()) 30
# Set the IP address of the client
ip_address = "192.168.60.10"
# Set the file name
file_name = "/file/test.mp3"
text = str(expires) ip_address file_name " 6v#Q6zu3BEk4Y27Rkig7dKjW@Vd6YHV"
try:
text = bytes(text, 'utf-8')
except:
pass
auth = hashlib.md5(text).digest()
query = base64.b64encode(auth)
q = str(query).replace(" ", "-").replace("/", "_").replace("=", "")
q = q.replace("b'", "").replace("'", "")
print(f"http://192.168.250.83{file_name}?md5={q}&expires={expires}")
The python script works and I can generate urls that when entered into a browser, allow me to download the test.mp3 file. However, I'm under the impression that the link should expire after the expires epoch passes (in this case, 30 seconds after the url is generated). This is not what I'm seeing. I have generated urls that still working over an hour after they should have expired.
Can someone tell me what I'm missing?
Thanks!
I have done some research and have tried adding expires $arg_expires; to the nginx.conf block, with no luck. I can also change the expires query parameter or md5 and get a 403 as I expected, but urls still manage to work long after they should.
CodePudding user response:
So, this issue was due to browser caching and not anything to do with nginx or Python. I tried a "working" expired link in another browser and it failed as it should. So, the real fix for this was to add the following to the nginx block:
add_header Last-Modified $arg_expires;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires $arg_expires;
etag off;