I'm configuring nginx to work with secure_download and have made it work without any problems.

However I want to modify it and make the download link for a specific IP only.

I can achieve this using the $remote_addr variable. However, there are certain ISPs that I know of that change IP too often (once every 2 or 3 seconds).

My ISP does this too, e.g.:
I got 112.112.11.11 as my IP right now; after I refresh, it'll be 112.112.11.17. This behavior is set by the ISP, not by my modem or router, and I know a few more ISPs which do the same.

Now, with the IP changing too fast, secure download will not work because upon loading the page, the IP might've changed already, rendering the download link invalid for the new IP.

What I'm thinking of is telling nginx to just look at the first 3 blocks of the IP address; in this case, 112.112.11.x would be able to download the same file with the same secure download link. Would this be possible using nginx conf?

Any other alternatives are welcome.

gideon
AnsellC

2 Answers

You can add a new variable using the map directive that will only include the first three octets of $remote_addr:

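map $remote_addr $remote_net {
    # IPv6 and anything else that does not match: keep the full address
    default $remote_addr;
    # IPv4: keep only the first three octets (e.g. 112.112.11)
    ~^(?<octets>\d+\.\d+\.\d+) $octets;
}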

Then just use $remote_net instead of $remote_addr. The default will leave the variable alone for IPv6 clients, and just have the first three octets for IPv4 clients.

kolbyjack
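
Whatever generates the download links has to apply the same truncation as the map above, or the hashes will never match. The following is an added example, not code from the answer or from the module: it assumes nginx's stock secure_link module configured with `secure_link $arg_md5,$arg_expires;` and `secure_link_md5 "$secure_link_expires$uri$remote_net SECRET";` rather than the third-party secure_download module the question uses, and the secret, paths and function names are made up for illustration.

```python
import base64
import hashlib
import hmac
import re

SECRET = "example-secret"  # constructed placeholder, not a real key

# Same pattern as the nginx map: three leading dotted decimal groups.
_IPV4_PREFIX = re.compile(r"^(\d+\.\d+\.\d+)", re.ASCII)


def remote_net(remote_addr: str) -> str:
    """Return what $remote_net would hold for this client address."""
    m = _IPV4_PREFIX.match(remote_addr)
    return m.group(1) if m else remote_addr  # "default" branch keeps IPv6 whole


def sign(uri: str, client_ip: str, expires: int, secret: str = SECRET) -> str:
    """md5 of "<expires><uri><remote_net> <secret>", base64url without padding."""
    expr = f"{expires}{uri}{remote_net(client_ip)} {secret}"
    digest = hashlib.md5(expr.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(uri: str, client_ip: str, expires: int) -> str:
    """Build the link handed to the client that requested the download page."""
    return f"{uri}?md5={sign(uri, client_ip, expires)}&expires={expires}"


def verify(uri: str, client_ip: str, md5: str, expires: int, now: int) -> bool:
    """Replicate the server-side decision for a request coming from client_ip."""
    if now > expires:
        return False
    return hmac.compare_digest(md5, sign(uri, client_ip, expires))


if __name__ == "__main__":
    exp = 1_700_000_600  # constructed expiry timestamp
    token = sign("/files/report.pdf", "112.112.11.11", exp)
    print(make_link("/files/report.pdf", "112.112.11.11", exp))
    # Same /24, neighbouring /24, and an IPv6 client (all constructed samples).
    for ip in ("112.112.11.17", "112.112.12.17", "2001:db8::1"):
        print(ip, verify("/files/report.pdf", ip, token, exp, now=1_700_000_000))
```

The trade-off is that a link issued this way is accepted from all 256 addresses in the /24, so the expiry is what limits how far a leaked link can travel.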

You can stop access at the OS level. Use iptables to allow inbound traffic on ports 80 and 443 from that range of hosts, then reject all other traffic on ports 80 and 443.

Joel E Salas
  • Hi. I'm not being hacked, I dunno how blocking ports is related to my question. This system is dynamically generating download links for files and I want to allow IP range instead of the exact IP for that particular file link. http://wiki.nginx.org/HttpSecureDownload – AnsellC Mar 17 '12 at 08:16