sripberger

Reputation: 1732

lighttpd mod_secdownload always 404's

I'm trying to set up expiring urls for my company's dev environment. We use lighttpd to serve uploaded files in this environment, and I found these docs which seem fairly promising.

The problem is I can't seem to get it to work at all, and I'm sort of at my wits' end trying to figure out why. It serves paths under the secdownload.uri-prefix normally, as if they were unprotected files under the normal server.document-root.

Here is my entire config file:

server.modules = (
    "mod_secdownload"
)

server.document-root        = "/var/www/html"
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 8080

secdownload.secret           = "seecrat"
secdownload.document-root    = "/var/www/download-area/"
secdownload.algorithm        = "md5"
secdownload.uri-prefix       = "/dl/"

debug.log-request-handling  = "enable"

Here is a snippet of JS that's creating the urls from Node.js:

const md5 = require("md5");
const filePath = "/some-image.png";
const timestamp = Date.now().toString(16);
const signature = md5("seecrat" + filePath + timestamp);
console.log(`http://localhost:8080/dl/${signature}/${timestamp}${filePath}`);

Here's an example url generated by this code:

http://localhost:8080/dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png

When I navigate to this URL in my browser, I get a 404 Not Found, and the debug log for this request looks like this:

2020-11-23 14:03:02: (response.c.447) -- splitting Request-URI 
2020-11-23 14:03:02: (response.c.448) Request-URI     :  /dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.449) URI-scheme      :  http 
2020-11-23 14:03:02: (response.c.450) URI-authority   :  localhost:8080 
2020-11-23 14:03:02: (response.c.451) URI-path (raw)  :  /dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.452) URI-path (clean):  /dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.453) URI-query       :   
2020-11-23 14:03:02: (response.c.598) -- before doc_root 
2020-11-23 14:03:02: (response.c.599) Doc-Root     : /var/www/html 
2020-11-23 14:03:02: (response.c.600) Rel-Path     : /dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.601) Path         :  
2020-11-23 14:03:02: (response.c.643) -- after doc_root 
2020-11-23 14:03:02: (response.c.644) Doc-Root     : /var/www/html 
2020-11-23 14:03:02: (response.c.645) Rel-Path     : /dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.646) Path         : /var/www/html/dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.670) -- logical -> physical 
2020-11-23 14:03:02: (response.c.671) Doc-Root     : /var/www/html 
2020-11-23 14:03:02: (response.c.672) Basedir      : /var/www/html 
2020-11-23 14:03:02: (response.c.673) Rel-Path     : /dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.674) Path         : /var/www/html/dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.686) -- handling physical path 
2020-11-23 14:03:02: (response.c.687) Path         : /var/www/html/dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 
2020-11-23 14:03:02: (response.c.162) -- file not found 
2020-11-23 14:03:02: (response.c.163) Path         : /var/www/html/dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png 

Clearly, it is looking under /var/www/html instead of /var/www/download-area as expected.

EDIT:

This question has been edited for clarity. I removed unrelated stuff from my config and added a debug log from the request handler.

Upvotes: 4

Views: 236

Answers (1)

gstrauss

Reputation: 2404

secdownload.uri-prefix = "/dl/"

const filePath = "/some-image.png";

These do not match. I think you mean const filePath = "/dl/some-image.png";

There are many examples available in different programming languages in the mod_secdownload docs to which you linked.

If mod_secdownload intercepts all requests to /dl/*, then the files that would otherwise be accessible under /dl/* are protected. On the other hand, if I can directly request /some-image.png from your server, bypassing /dl/... and mod_secdownload, then /some-image.png is not very well protected.

[Edit] Is some-image.png found under /var/www/html/some-image.png? (With your config secdownload.document-root = "/var/www/html/")

Upvotes: 0
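
An added example, not part of the question or the answer above and not lighttpd's own code: a Node.js signer plus a checker that reports which step a given path fails. It assumes the md5-mode layout `<uri-prefix><md5>/<8-hex-digit Unix seconds><rel-path>` with token `md5(secret + rel-path + hex timestamp)`; the function names, the result strings and the 60-second `timeout` default are hypothetical.

```javascript
// Added example. Assumed md5-mode layout (an assumption, not taken from the page):
//   <uri-prefix><32-hex md5>/<8-hex Unix seconds><rel-path>
//   token = md5(secret + rel-path + hex timestamp)
const nodeCrypto = require("crypto");

const md5hex = (s) => nodeCrypto.createHash("md5").update(s).digest("hex");

// Build a signed path. nowSeconds is Unix time in SECONDS, not Date.now() milliseconds.
function signSecdownloadPath(secret, uriPrefix, relPath, nowSeconds) {
  const ts = Math.floor(nowSeconds).toString(16).padStart(8, "0");
  return `${uriPrefix}${md5hex(secret + relPath + ts)}/${ts}${relPath}`;
}

// Walk through the assumed server-side checks and name the first one that fails.
// timeout (seconds) is a hypothetical stand-in for the server's expiry setting.
function checkSecdownloadPath(path, secret, uriPrefix, nowSeconds, timeout = 60) {
  if (!path.startsWith(uriPrefix)) return "prefix-mismatch";
  const rest = path.slice(uriPrefix.length);
  const m = /^([0-9a-f]{32})\/([0-9a-f]+)(\/.*)$/i.exec(rest);
  if (!m) return "malformed";
  const [, mac, ts, relPath] = m;
  if (ts.length !== 8) return "timestamp-not-8-hex-digits";
  if (Math.abs(nowSeconds - parseInt(ts, 16)) > timeout) return "expired";
  // Both buffers are 32 ASCII hex characters, so timingSafeEqual accepts them.
  const expected = Buffer.from(md5hex(secret + relPath + ts));
  const given = Buffer.from(mac.toLowerCase());
  return nodeCrypto.timingSafeEqual(expected, given) ? "ok" : "bad-mac";
}

// Constructed sample run using the secret and prefix from the question's config.
const now = Math.floor(Date.now() / 1000);
const signed = signSecdownloadPath("seecrat", "/dl/", "/some-image.png", now);
console.log(signed, "->", checkSecdownloadPath(signed, "seecrat", "/dl/", now));

// The path from the question: its timestamp field is 11 hex digits (Date.now() is ms).
const fromQuestion = "/dl/5fe360f8c62ea912363b653ba9383e01/175f67cd240/some-image.png";
console.log(fromQuestion, "->", checkSecdownloadPath(fromQuestion, "seecrat", "/dl/", now));
```
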
