Secure Downloads

I need to create a site which has downloadable files in a library. The
site will be accessed via username/password login done in the Rails app.
However, I need the actual downloadable files to be protected as well.

I'll be running the rails app on a mongrel cluster.

I've looked at using lighttpd as the web/proxy server and the
mod_secdownload module which looks nice. However, I'd rather *not* use
lighttpd if possible.

Ideally, I'd like to use Apache or nginx as the web/proxy server but they
lack a similar mod_secdownload module.

Does anybody have any recommendation on how to achieve protected
downloads without lighttpd or reverting to long random URLs (which is
not that secure)?


~ Mark

You can use X-Sendfile with Apache to do this. The Apache module is

There's a plugin to handle the Rails side at

With this approach, your Rails app handles the authentication, and
then Apache sends the file when Rails has said it is ok to do so.

Michael Slater

Many thanks Michael. I ended up using nginx's 'X-Accel-Redirect' feature
which is basically the same thing as Apache's X-Sendfile. Perfect!
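
An added example, not part of the thread above and not the plugin's code: a Rack-style handler showing the X-Accel-Redirect hand-off, where the app authenticates and validates the file name and nginx serves the bytes from a location marked `internal`. The `/protected/` location, the `/srv/library/` path, the `X-Session-Id` header standing in for the Rails login session, and the sample data are all assumptions.

```ruby
# Assumed nginx side (config, shown as a comment):
#   location /protected/ { internal; alias /srv/library/; }
# "internal" makes nginx refuse direct client requests for /protected/...;
# only an X-Accel-Redirect response header from the backend reaches it.
require 'set'

class ProtectedDownload
  INTERNAL_PREFIX = '/protected/'               # assumed internal location
  # One path segment only: no "/" and no leading ".", so "../" cannot pass.
  SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

  # catalog: file names in the library; sessions: session id => username
  def initialize(catalog, sessions)
    @catalog = Set.new(catalog)
    @sessions = sessions
  end

  # Rack-style call: env hash in, [status, headers, body] out.
  def call(env)
    # Stand-in for the Rails login session lookup (hypothetical header).
    user = @sessions[env['HTTP_X_SESSION_ID']]
    return respond(401, 'login required') unless user

    name = env['PATH_INFO'].to_s.sub(%r{\A/downloads/}, '')
    # Reject traversal attempts and anything not in the known catalog.
    unless name.match?(SAFE_NAME) && @catalog.include?(name)
      return respond(404, 'not found')
    end

    headers = {
      'Content-Type' => 'application/octet-stream',
      'Content-Disposition' => %(attachment; filename="#{name}"),
      'X-Accel-Redirect' => INTERNAL_PREFIX + name  # nginx sends the file
    }
    [200, headers, []]  # empty body: the app process never streams the file
  end

  private

  def respond(status, message)
    [status, { 'Content-Type' => 'text/plain' }, [message]]
  end
end

# Constructed sample data: one library file and one logged-in session.
APP = ProtectedDownload.new(['report.pdf'], { 's1' => 'mark' })
```

With Apache and mod_xsendfile the same handler would set `X-Sendfile` to the file's filesystem path instead of an internal URI.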