[ambdownload.git] / README

Download Server
===============

(c) 2012 Alex Bligh - Provided under the MIT Licence. See LICENCE file.

This download server provides reliable logged downloads over http. It is
intended to be used where:

A. A website (such as a Wordpress website) wants to offer a downlaod facility
   and record the downloads made. Let's call this the 'source website'.

B. The download should come from a different website (possibly because the
   source website is https and large downloads over http are resource
   consumptive). Let's call this the 'download web site'.

C. It is imperative that the download must be tracked by authenticated
   username, and by time and success.

The strategy used is as follows:

1. The source website contains a link to a download page, which appears
   to be on the source website, but in fact is redirect page.

2. The redirect page redirects to a dynamically constructed URL on
   on the download site. That URL is a URL for a CGI script with the
   following parameters:

     a) the file to be downloaded (or the name of a symlink to
        such a file).

     b) the id of the user against whom the download is to be logged.

     c) the UNIX time (since epoch)

     d) a hash of the above plus a shared secret

3. The download script checks the parameters, checks the time is
   within a few seconds, and checks the hash value. If these match, it
   serves the file, logging start, success and errors. The purpose of the
   time check is so that the URL can't realistically be distributed to
   others. The hash prevents tampering with the parameters.


INSTALLATION
============

httpd.conf.example contains an example httpd.conf for the downloads server

download.pl contains the script to go in the download directory on the
download server, and should be marked executable. In this example that
would be
  /var/www/server.example.com/download/download.pl

ambdownload.php is a Wordpress plugin which will can be installed in the
plugins directory in Wordpress, e.g. in
  wp-content/plugins/ambdownload/ambdownload.php
This allows setting of a custom meta on a page to turn it into a download
page. For instance, if you wished to make a page redirect to download
'myfile', set a custom meta key for that page named 'download_file'
to the value 'myfile'. You will need to enable this module once you have
installed it.

You should set the following meta keys:
    download_file - the tag of the file (see above)
    download_url - the base URL of the perl script, e.g
                 http://server.example.com/download/download.pl
    download_error - if set, redirects to this page if a user is not set

Note, to avoid having to muck around with Wordpress, myfile could be a symlink,
and the script will correctly name the downloaded file as per the target of the
symlink.

Running download.pl with two parameters, e.g.
   /var/www/server.example.com/download/download.pl 'myname@example.com' 'myfile'
will print out the URL to use to download 'myfile', logged as
'myname@example.com'

Your files to be downloaded should be put in
  /var/www/server.example.com/download/
These may be symlinks. The apache configuration will prevent them from being
downloaded directly.

Ensure both servers have a file
  /etc/apache2/download.secret
with some random textual data in. 32 random ASCII characters should be fine.
You can change this whenever you want, provided it's changed on both servers
simultaneously.

Logging will take place to
  /var/log/download.log
Ensure this file is created by you, and owned by the user running cgi scripts.
Usually this will do
  # >/var/log/download.log
  # chown www-data:www-data /var/log/download.log

You will need to do your own log rotation.