How to set up a secure downloadpath on an external

  • Posts: 261
  • Thank you received: 5
9 years 7 months ago #195432

-- HikaShop version -- : 2.3.5
-- Joomla version -- : 3.3.6
-- Error-message(debug-mod must be tuned on) -- : no error message

Hi

The downloadable files I sell are on a different server than my website is. I always used to upload my files to the external server and set the download path of the file manually in HikaShop. I assumed that my clients did not see where the download comes from and that this method was secure.

Recently I discovered that the method is not secure enough. It is possible to get the download path of the file after downloading it. So now I need to know how to set up a secure download path on the server where I store my downloadable files.

In HikaShop I already tried to set the path on the external server as the secure path. That works....for new products.... when I use the upload file feature at creation of the new product.
It does not work for the thousands of files I already have stored on my external server. How can I get a secure HikaShop download link for the existing files without having to upload thousands of files again?
It also does not work when I set the download path manually on new products. I really need that to be able to maintain the files on the external server. I need to keep the folder structure and therefore I need to set download paths manually.

Thanks in advance

Sjaak


  • Posts: 82725
  • Thank you received: 13338
  • MODERATOR
9 years 7 months ago #195439

Hi,

The link that is given to the customers when they purchase the files is a link which goes through HikaShop and then can either:
- redirect to the real URL of the download (which is what happens if you give the URL of the file from an external server).
- read the file on the hard drive of your server and send it to the user.

So in both cases, the link that is given to the customer requires that the customer has bought the product in order to access the file.
However, in the first case, it's possible for the customer to get the link of the external server if he is a bit savvy. And in that case, he can give the link to anyone and it will download directly, without any check as the check is done before.

So if you want something really "secure", the only solution is to have the files on the server of the website.
There is no real technical solution which would allow HikaShop to get the file from the external server and then send it to the customer without bottlenecks. And if you were doing that, it would still mean that HikaShop would download the file from the external server before sending it to the customer. So I don't really see the point of storing the files on an external server if you'll end up with a copy of it on your website.


  • Posts: 261
  • Thank you received: 5
9 years 7 months ago #195507

Hi Nicolas,

Thanks for your reply,
Somehow I kinda expected this answer.

The point is that I have many large files stored. We're talking large amounts of gigabytes here. And the stock grows. I am happy with my hoster. Good service, direct response when problems arise...etc. So I do not want to leave my hoster. Only....good hosting is VERY EXPENSIVE. So I solved that by having the website hosted with a good service and hosting my downloadables on a personal server which I host myself. Thus far it was a good and affordable solution ...until I discovered that any savvy whizz kid indeed is able to get my files without going through my HikaShop store.

There's no 'bottleneck solution'? Something like: a temporary download link is created and sent to the client. HikaShop downloads the file to the server. After reaching the maximum number of downloads or after the download period expires, the temporary file is deleted? Just thinking....?

Thanks

Sjaak


  • Posts: 26150
  • Thank you received: 4026
  • MODERATOR
9 years 7 months ago #195527

Hi,

For files stored on the same server, HikaShop is also compatible with "x-sendfile":
wiki.nginx.org/XSendfile
redmine.lighttpd.net/projects/1/wiki/X-LIGHTTPD-send-file
tn123.org/mod_xsendfile/

Otherwise, for external storage, some web servers (nginx, lighttpd, but not really apache2) have a feature called "secure download":
wiki.nginx.org/HttpSecureDownload
redmine.lighttpd.net/projects/1/wiki/Docs_ModSecDownload

As you can see on those pages, it allows generating special URLs which are valid just for a few seconds.
Some hosting services like Amazon also provide APIs like that.

A few years ago I created a plugin for HikaShop in order to redirect to a lighttpd secure download.
Thanks to the HikaShop triggers and plugin system, it's possible to catch the download call and redirect the customer to a secured and temporary URL.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.


  • Posts: 261
  • Thank you received: 5
9 years 7 months ago #195588

Hi Jerome,

Sounds interesting.
Is your plugin still available and what do I need to do to get things working?

Sjaak


  • Posts: 26150
  • Thank you received: 4026
  • MODERATOR
9 years 7 months ago #195593

Hi,

My plugin is not available because a lot of things are hard coded (url, credentials, etc.) and it has other features like watermarking of some files (using an integration with HikaSerial).

But the secure download part is pretty simple, it just uses the trigger onBeforeDownloadFile:
www.hikashop.com/support/support/documen...onBeforeDownloadFile

public function onBeforeDownloadFile(&$filename, &$do, &$file) {
	// Prefix identifying files that live on the secure-download server.
	// "{secure}" stands in for the real path component used in the plugin.
	$secure_dl = 'http://dl.mywebsite.com/{secure}/';
	$lng_secure_dl = strlen($secure_dl);
	if(strtolower(substr($file->file_path, 0, $lng_secure_dl)) == $secure_dl) {
		// Tell HikaShop not to serve or redirect itself; we redirect below.
		$do = false;
		$app = JFactory::getApplication();

		// Path relative to the download server's root, keeping the leading
		// slash (lighttpd's mod_secdownload signs it). Kept in its own
		// variable: $file is the by-reference file object and must not be
		// overwritten with a string.
		$rel_path = substr($filename, $lng_secure_dl - 1);
		$secret = 'mysecretpassword';
		$t = time();
		$t_hex = sprintf('%08x', $t);
		// Legacy mod_secdownload token: md5(<secret><rel-path><timestamp-hex>)
		$m = md5($secret.$rel_path.$t_hex);

		// <uri-prefix>/<token>/<timestamp-hex><rel-path>
		$app->redirect('http://dl.mywebsite.com/' . $m . '/' . $t_hex . $rel_path);
		return;
	}
}

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.
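The secure-download scheme described in the two posts above (time-limited URLs as in lighttpd's mod_secdownload, and the plugin that mints them) as an added, stand-alone example; this is not code from the thread, from HikaShop or from lighttpd. It is written in Python so that both sides of the exchange run in one script: mint_url does what the plugin does (md5 of secret + relative path + hex timestamp, the legacy mod_secdownload algorithm the plugin targets), and verify_url re-does the check the download server performs, rejecting a tampered path, a wrong secret and a link older than the timeout. The secret, host, prefix and timeout are constructed values for the example; newer lighttpd releases also offer HMAC-based algorithms via secdownload.algorithm, which is what a new deployment should pick over MD5.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed values for this example. The real secret, host and prefix are not
# on the page; a secret that has appeared in a post or example must never be reused.
SECRET = "example-secret-change-me"
URI_PREFIX = "http://dl.example.invalid/"
TIMEOUT = 60  # seconds a minted link stays valid (lighttpd: secdownload.timeout)


def secdownload_token(secret: str, rel_path: str, t_hex: str) -> str:
    """Legacy mod_secdownload token: md5(secret + rel-path + timestamp-hex)."""
    return hashlib.md5((secret + rel_path + t_hex).encode("utf-8")).hexdigest()


def mint_url(rel_path: str, secret: str = SECRET, now: Optional[int] = None) -> str:
    """Shop side (the plugin's job): build a time-limited download URL.

    rel_path is the path below the download server's document root and must
    start with '/', because it is part of the signed string.
    """
    if not rel_path.startswith("/"):
        raise ValueError("rel_path must start with '/'")
    t = int(time.time()) if now is None else now
    t_hex = f"{t:08x}"  # same as PHP sprintf('%08x', time())
    return f"{URI_PREFIX}{secdownload_token(secret, rel_path, t_hex)}/{t_hex}{rel_path}"


def verify_url(url: str, secret: str = SECRET, timeout: int = TIMEOUT,
               now: Optional[int] = None) -> Tuple[bool, str]:
    """Download-server side: the check performed on every request.

    Returns (True, rel_path) for a valid link, (False, reason) otherwise.
    """
    if not url.startswith(URI_PREFIX):
        return False, "wrong prefix"
    parts = url[len(URI_PREFIX):].split("/", 2)
    if len(parts) != 3:
        return False, "malformed"
    token, t_hex, tail = parts
    if len(t_hex) != 8:
        return False, "malformed timestamp"
    try:
        t = int(t_hex, 16)
    except ValueError:
        return False, "malformed timestamp"
    rel_path = "/" + tail
    # Cheap defence in depth: the token already covers the path, but never let a
    # relative component reach the filesystem layer.
    if ".." in rel_path.split("/"):
        return False, "path traversal"
    expected = secdownload_token(secret, rel_path, t_hex)
    # Constant-time comparison; a plain == leaks the token byte by byte.
    if not hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8")):
        return False, "bad token"
    current = int(time.time()) if now is None else now
    # Reject links whose timestamp lies outside [now - timeout, now + timeout];
    # stale links and links from a badly skewed clock both fail here.
    if abs(current - t) > timeout:
        return False, "expired"
    return True, rel_path


if __name__ == "__main__":
    url = mint_url("/files/product-42.zip")
    print(url)
    print(verify_url(url))
    # The same link passed on to someone else a minute later fails the time check.
    print(verify_url(url, now=int(time.time()) + TIMEOUT + 1))
```

The property the thread is after is visible in verify_url: the customer only ever sees a URL that stops working after TIMEOUT seconds, so leaking it gives away nothing durable, and the check runs on the download server itself rather than before the redirect.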


  • Posts: 846
  • Thank you received: 92
9 years 4 months ago #204717

Hi

onBeforeDownloadFile(&$filename,&$do,&$file)

This function will be triggered by HikaShop before a file download.

  • $filename is the path to the file, you can change its value.
  • $do allows you to cancel the download if you set it to false
  • $file is an object containing the information about the file.


To understand all your code I need to understand the context, where (location) and when (step in the process) the plugin code is triggered.
1) I mean, which code in HikaShop makes the call to the plugin? I think a click on a specific link in the web browser on the client side?

2) If I don't want to use xdebug and want to go the documentation way: where can I find information about the structure (array) of the variable $file?

3) What does {secure} mean? A dynamic parameter that will be computed/replaced by the plugin code?

4) All arguments use &$, a global context like the JavaScript context (window)!!! Does it mean all original values stored in the variables can be changed (read/write mode)?

Regards

Last edit: 9 years 4 months ago by lionel75.


Powered by Kunena Forum