最後更新: 2021-11-04




It is not included by default when you build NGINX from source;

enable it by including the "--with-http_secure_link_module" argument to the configure command.


Nginx Settings


server {
    listen       80;
    location ~ /\.ht { deny  all;}
    location / {
        root   /home/vhosts/IP/public_html;
        index  index.html index.htm;
    location /files {
        if ($request_uri ~ "/files/([\w\-_]+)/(\d+)/(.*)") {
                set $hash_md5 $1;
                set $expires  $2;
                set $filepath $3;
        # For debug
        #return 200 $expires#$filepath#MySecret;
        secure_link $hash_md5,$expires;
        secure_link_md5 "$expires#$filepath#MySecret";
        if ($secure_link = "") {return 403;}
        if ($secure_link = "0") { return 410;}
        rewrite ^ /secure/$filepath;
    location /secure/ {
        # expires 3h;
        alias /home/vhosts/IP/files/;



Syntax: secure_link $hash_md5,$expires;

Defines a string with variables from which the checksum value and lifetime of a link will be extracted.


Syntax: secure_link_md5 expression;

Defines an expression for which the MD5 hash value will be computed and compared with the value passed in a request.


The status of these checks is made available in the $secure_link variable.

  • NULL: checksums are different
  • 0: expired
  • 1: Ok


The MD5 hash value passed in a request is encoded in base64url

If a link has a limited lifetime, the expiration time is set in seconds since Epoch


where the '+' and '/' characters of standard Base64 are respectively replaced by '-' and '_'

require omitting the padding '=' signs to avoid them being confused with field separators


建立 Link


# 過期時間

expires=$(( $(date +%s) + 60 )); echo $expires

# base64url 's md5

echo -n "$expires#pricelist.html#MySecret" | \
    openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =