X-Accel-Redirect resume broken download

user2956979 asked:

I am using Nginx X-Accel-Redirect to serve a large protected file (several GBs) to users. The server application processes the URL and verifies the download token (embedded in URL) and starts or rejects the download. The problem is that the download cannot be resumed if the download fails for any reason. The file is really big, so the chance of this happening cannot be ignored.

For a bit more info, the server is on AWS EC2 and the file is in an S3 bucket. This means that we are paying for the failed download too.

What I want to know is if it is possible to protect a file using download tokens or other means, so that users can’t just share the download links with others, but still be resumable in case of network disconnects.


The python server is forwarding the following headers to Nginx.

content_type='application/force-download'
Content-Disposition='attachment; filename=xxx'
X-Accel-Redirect=<url>

Nginx configuration is as follows.

location ~ ^/protected/(.*) {
    internal;
    resolver 8.8.8.8;
    resolver_timeout 60;
    proxy_hide_header Content-Type; # To hide header from S3
    proxy_hide_header x-amz-id-2;
    proxy_hide_header x-amz-request-id;
    proxy_set_header Content-Type 'application/force-download';
    proxy_max_temp_file_size 0;
    proxy_pass https://***.amazonaws.com/***/$1;
}

My answer:


It looks like you’re proxying requests to S3, rather than serving pre-signed URLs with a normal redirect (e.g. 303), not an X-Accel-Redirect, which is what is usually done to make expiring links.

In your case, I expect that the Range request header is being dropped. You should make sure you pass the request headers from the browser onward to S3 with proxy_pass_request_headers on; in the location. Further, you probably should not have internal defined for that location.
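The redirect approach mentioned in the answer, as an added example (not code from the question or the answer): the application checks a stateless, expiring token on every request, so a retried request with the same link still passes, and then answers 303 with a short-lived pre-signed URL. `SECRET`, `handle_download`, `presign` and `fake_presign` are hypothetical names, and the token format and lifetimes are assumptions; in a real deployment `presign` would wrap the S3 SDK's pre-signed URL call.

```python
import hashlib
import hmac
import time

# Assumption: a server-side key that is never sent to clients (constructed value).
SECRET = b"constructed-demo-secret"

def _sign(key: str, expires: int) -> str:
    # The MAC covers the object key and the expiry, so a token cannot be
    # moved to another file or have its lifetime extended.
    msg = f"{key}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(key: str, ttl: int, now: float) -> str:
    """Token bound to one object and an expiry time; reusable until then."""
    expires = int(now) + ttl
    return f"{expires}.{_sign(key, expires)}"

def check_token(key: str, token: str, now: float) -> bool:
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:  # no separator, or a non-numeric expiry
        return False
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    good = hmac.compare_digest(sig.encode(), _sign(key, expires).encode())
    return good and now < expires

def handle_download(key, token, presign, now=None):
    """Return (status, headers) for one download request.

    presign(key, seconds) is a hypothetical callable returning a pre-signed
    S3 URL valid for `seconds`. No server-side state is kept, so a client
    that retries after a disconnect passes the same check again.
    """
    now = time.time() if now is None else now
    if not check_token(key, token, now):
        return 403, {}
    # The client fetches from S3 directly, so no proxy hop can drop Range.
    return 303, {"Location": presign(key, 60), "Cache-Control": "no-store"}

def fake_presign(key, seconds):
    # Constructed stand-in so the example runs offline; not a real signature.
    return f"https://bucket.example.invalid/{key}?X-Amz-Expires={seconds}"
```

The token lifetime bounds how long a shared link stays usable, while each pre-signed URL handed out is valid only briefly.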


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.