front-end web developer here. Sorry in advance.
My company wants to store new builds of our software on our web server, running Nginx, provided by WP Engine.
The file path for these builds would be company.com/downloads/file.zip. We want to restrict access to files in this folder unless they come from a specific referring URL that sits behind a login gate for our customers.
- If user clicks link to any file inside /downloads/ from allowed referrer, user gets file
- If user clicks link from any other source, return 404 or redirect to homepage
- If empty referrer or direct access attempt, return 404 or redirect to homepage
I've found a resource on preventing hotlinking for images (we'll be dealing with .zip files), which might work for me, but I need help with the syntax of this language. There's probably a bunch wrong with it.
# Prefix match on everything under /downloads/. The original regex
# "~ /downloads/$" only matched a URI that ends in "/downloads/", so
# requests for /downloads/file.zip never reached this block at all.
location ^~ /downloads/ {
    # Only the customer portal's domain counts as a valid referrer.
    # "none" and "blocked" are deliberately left out so that an empty or
    # stripped Referer header (direct access) is rejected as required.
    valid_referers allowed_domain.com *.allowed_domain.com;
    if ($invalid_referer) {
        return 404;
    }
}
WP Engine doesn't allow me to add Nginx code myself, so I'll have to send them the code I want them to implement. If anyone knows how to do this and can help me out, I'd really appreciate it!
Another possibility is to use the X-Accel header. I don't know your use case, so it may not be a good fit.
X-Accel is an nginx-specific header. You can issue that header from your PHP script, like
header("X-Accel-Redirect: /private-downloads/magic.iso");
When nginx recognizes this header, it will serve the content of the file magic.iso located in /data/private-downloads. So your task is to prepare download.php, which checks authorization and responds either with the X-Accel header or with a redirect to the login screen. The definition of /private-downloads/ goes in nginx.conf. For more details, please check the x-accel questions on serverfault.
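A complete download.php along the lines this answer describes, as an added example that is not part of the original answer. It assumes the protected builds live in /data/private-downloads outside the web root, that nginx exposes that directory as an "internal" location /private-downloads/ (which WP Engine would have to add, since the question says the poster cannot edit nginx.conf), and that the login gate stores a customer id in $_SESSION['customer_id']; those paths and names are assumptions. Unlike a Referer check, which any client can forge with a single curl flag, this ties the download to the logged-in session, and the client never learns the real file location.

```php
<?php
// Added example (not code from the original post). Assumed nginx.conf fragment,
// which must be in place for the X-Accel-Redirect below to work:
//
//   location /private-downloads/ {
//       internal;                       # reachable only via X-Accel-Redirect
//       alias /data/private-downloads/; # files live outside the web root
//   }
//
// The customer portal then links to /download.php?file=build-1.2.3.zip (assumed name).

declare(strict_types=1);

session_start();

/**
 * Authorization check. Assumption: the login gate stores the customer id in
 * $_SESSION['customer_id']. In WordPress this would typically be
 * is_user_logged_in() plus a capability or membership check.
 */
function is_authorized(): bool
{
    return isset($_SESSION['customer_id']);
}

/**
 * Map the requested name to a file inside the protected directory.
 * Only a plain "name.zip" is accepted, so "../../etc/passwd" style traversal
 * and non-build files are rejected before the filesystem is touched.
 */
function resolve_download(string $requested, string $privateDir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9._-]+\.zip\z/', $requested)) {
        return null;
    }
    $path = $privateDir . '/' . $requested;
    return is_file($path) ? $path : null;
}

$privateDir = '/data/private-downloads'; // assumption: matches the alias above
$requested  = $_GET['file'] ?? '';

if (!is_authorized()) {
    // Anonymous users go to the login screen; do not reveal whether the file exists.
    header('Location: /login/?redirect_to=' . rawurlencode('/download.php?file=' . $requested), true, 302);
    exit;
}

$path = resolve_download($requested, $privateDir);
if ($path === null) {
    http_response_code(404);
    exit;
}

// Hand the transfer to nginx. The header carries the internal URI, not the
// filesystem path; nginx serves the file itself and forwards Content-Disposition
// to the client, so PHP never reads the zip into memory.
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Accel-Redirect: /private-downloads/' . rawurlencode(basename($path)));
exit;
```

Because the location is marked internal, a direct request to /private-downloads/build-1.2.3.zip gets a 404 from nginx regardless of Referer, which is the behaviour the question asks for.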
You can use the valid_referers nginx directive (nginx doc). I personally never tried this in production, because I prefer to use the X-Accel header. You can verify your user in a PHP script and then send nginx the X-Accel header. The header asks nginx to serve the static files itself.