This article is the 13th entry in the Sakura Internet Advent Calendar 2020.
Content Protection Using One-Time URL
When distributing content to a specific group, it often involves downloading content after password authentication.
However, when using it with a CDN, BASIC authentication might not be available, and changing the URL can result in the cache being treated as a different entity, making CDN utilization difficult.
Web Accelerator has a One-Time URL feature, which I’ll introduce for content protection.
What is a One-Time URL?
A One-Time URL is a feature that issues a URL with a set expiration time.
- It creates a URL that can be accessed until a certain time.
- After the expiration time, it returns a 403 Forbidden error.
How to Use It?
The manual explains it in detail, but I’ll explain it while setting it up.
Step 1: Adding a Secret to the Response of Private Content
Set up the server to return a secret (private key) in the response of content that should only be accessed via a valid One-Time URL.
For simplicity, I’m using Sakura’s rental server, but you can do the same with Apache.
Here’s the directory structure:
www
├── index.html
└── secret
    ├── .htaccess ← Configuration here
    ├── himitsu.jpeg
    └── himitsu.mp4
The content in the “secret” directory is private, so add a header that returns the secret from the .htaccess file in the “secret” directory.
If you also want the content in the “secret” directory to be cached by Web Accelerator for an hour (3600 seconds), set that with Cache-Control in the same file.
Header set X-WebAccel-Secret "Himi2NoSecret!"
Header set Cache-Control "s-maxage=3600"
Set the secret key to a string that others cannot guess.
The index.html file under “www” will not have the X-WebAccel-Secret header and can be accessed normally.
You might think that the secret key can be exposed if someone accesses it directly on the rental server. Correct, but I’ll explain how to address that later.
Step 2: Configure Web Accelerator
Create and register a site in Web Accelerator.
Since this is a test for the One-Time URL, I’ll register with a subdomain.
Enable the registered site and confirm it’s in the following state.
Step 3: Access via Web Accelerator
Access the public domain name to test it. https://xxxxxxx.user.webaccel.jp/
You should see the content in www/index.html. This doesn’t have the X-WebAccel-Secret header, so it displays normally.
Step 4: Access /secret/himitsu.jpeg
Try accessing http://xxxxxxx.user.webaccel.jp/secret/himitsu.jpeg
You’ll get a 403 Forbidden error.
Now, generate a URL using the secret set in X-WebAccel-Secret. Here’s a PHP script to generate the URL.
<?php
$base_url  = "http://xxxxxxx.user.webaccel.jp";
$file_path = "/secret/himitsu.jpeg";
$secret    = "Himi2NoSecret!";   // must match the X-WebAccel-Secret header on the origin
$limit_time = sprintf("%08x", time() + 600); // expiry as a hex UNIX time, valid for 10 minutes (600 seconds)

echo generateURL($base_url, $file_path, $secret, $limit_time) . "\n";

// Builds the signed URL: the hash covers the path, the secret and the expiry time,
// so a change to any of them invalidates the URL.
function generateURL($base_url, $file_path, $secret, $limit_time) {
    $md5 = md5("/" . $file_path . "/" . $secret . "/" . $limit_time . "/");
    $url = $base_url . $file_path
         . "?webaccel_secure_time=" . $limit_time
         . "&webaccel_secure_hash=" . $md5;
    return $url;
}
Using this URL, you can access the content.
http://xxxxxxx.user.webaccel.jp/secret/himitsu.jpeg?webaccel_secure_time=5fbdf873&webaccel_secure_hash=a82e1a55b2ec4da163a542e2354269f7
The content is displayed successfully.
After waiting for 10 minutes (the expiration time set), it results in…
A 403 Forbidden error, as expected.
Using a One-Time URL allows you to cache the same content in Web Accelerator while distributing it to specific users.
However, Direct Access to the Rental Server…
Direct access to the origin is still possible, which exposes both the private files and the X-WebAccel-Secret header. You need to deny every request that does not come through Web Accelerator. You could allow only the Web Accelerator IP addresses, but the Origin Guard feature is a simpler and more robust way to do this.
Step 5: Configure Origin Guard
Use the Origin Guard token from the Web Accelerator site settings.
Click “Issue Token” to generate a random token.
Requests to the origin will include this token. Allow access only when this token is present.
Modify the .htaccess file as follows:
RewriteEngine On
# Deny (403) any request that does not carry the Origin Guard token
RewriteCond %{HTTP:X-WebAccel-Guard} !^T0VAn64Kt8QD8crDEFPGqg$
RewriteRule ^(.*)$ - [F,L]
Header set X-WebAccel-Secret "Himi2NoSecret!"
Header set Cache-Control "s-maxage=3600"
Direct access to the rental server is now blocked with a 403, while requests arriving through Web Accelerator (which carry the token) continue to work.
Conclusion
By combining the One-Time URL and Origin Guard features of Web Accelerator, you can create URLs that are temporarily accessible.
Utilize this for distributing paid content to specific groups.
Lastly
Web Accelerator is expected to release a feature for automatic SSL issuance and renewal using Let’s Encrypt around the end of January. Stay tuned!