LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 08-15-2013, 11:45 AM   #1
austinium
Member
 
Registered: Nov 2007
Location: India
Distribution: Debian Stable, Debian Testing
Posts: 219

Rep: Reputation: 27
Question Using Apache2 host files for download


Hi,

I need to make files (~500MB each) available for download. FTP is not an option, neither is using Dropbox or something similar. I've set up Apache2 (on Debian) and have placed the files in /var/www and have sent the links for download to the users. There isn't going to be much concurrency; there will be 10 downloads going on at the same time at most.

I am hoping to hear your thoughts on this.
  • Is this a reliable solution?
  • Is there anything I should be worrying about related to security? (The Apache server is only accessible via LAN/WAN and not accessible via the Internet. I have disabled server signature, directory listing based on Google results on securing Apache)
  • How would this setup respond to people using download managers?
  • How do I enable support for the user to pause and resume the downloads?
  • Is there anything I am missing in this setup?
  • Is there a better way to make files available over HTTP?
  • Should I make any additional configurations to ensure reliable data transmission over long distances? Some of the users are not in the same LAN as the Apache server.

Hoping to hear on this from the learned members of this forum.

Cheers!
 
Old 08-15-2013, 07:26 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
For starters it would be a lot easier to use a torrent

something like "Oneswarm" would be a good option
Quote:
there will be 10 downloads going on at the same time at most.
a P2P option would be good for this

but if you want to go to the trouble of setting up apache and BUYING $$$ a domain
or using something like "no-ip.com"
start by studying the apache documents
-- yes studying like for a final exam that you MUST pass with a 4.0
http://httpd.apache.org/docs/2.4/

if this is only going to about 10 people then you DO NOT want the whole internet to have access to the files
this requires you to lock it down and use "Authentication" like a username and password or locking out EVERY ip address EXCEPT the ones you want to have access

-- a lot of work ---

Last edited by John VV; 08-15-2013 at 07:27 PM.
 
1 members found this post helpful.
Old 08-16-2013, 09:24 AM   #3
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by John VV
if this is only going to about 10 people then you DO NOT want the whole internet to have access to the files
this requires you to lock it down and use "Authentication" like a username and password or locking out EVERY ip address EXCEPT the ones you want to have access
I agree with this assessment. In addition I'd like to add you should use signed SSL certificates on top of it. You can run your own certificate authority and distribute the CA cert to your friends to trust. From there, SSL communication to your server can be verified. I used this tutorial to be my own certificate authority. If you prefer to go a more graphical route you can manage certificate authority certificates and signed certificates using xca.

Auth+SSL should always be your default option. I also agree that for so few users it would be more useful for you to run your own tracker and provide them with a torrent for P2P download.
 
1 members found this post helpful.
Old 08-16-2013, 09:46 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,652

Rep: Reputation: 7970
Quote:
Originally Posted by austinium
Hi,
I need to make files (~500MB each) available for download. FTP is not an option, neither is using Dropbox or something similar.
WHY can't you use Dropbox or FTP?
Quote:
I've set up Apache2 (on Debian) and have placed the files in /var/www and have sent the links for download to the users. There isn't going to be much concurrency; there will be 10 downloads going on at the same time at most.

I am hoping to hear your thoughts on this.
Is this a reliable solution?
Sure, but for ten users, I think it's overkill.
Quote:
Is there anything I should be worrying about related to security? (The Apache server is only accessible via LAN/WAN and not accessible via the Internet. I have disabled server signature, directory listing based on Google results on securing Apache)
If these people are coming in over the Internet, then you will obviously have your server exposed to the Internet on that port. Anytime you do that, you SHOULD worry about security.
Quote:
How would this setup respond to people using download managers?
How do I enable support for the user to pause and resume the downloads?
Should be just fine, and I've never encountered any problems with download managers requiring special setups before.
Quote:
Is there anything I am missing in this setup?
Is there a better way to make files available over HTTP?
Should I make any additional configurations to ensure reliable data transmission over long distances? Some of the users are not in the same LAN as the Apache server.
Nothing you CAN do to make Internet transmissions more reliable. Once it leaves your server, you have ZERO control over it. Also, be aware that the speed of your Internet connection is going to be your bottleneck.

Personally, I'd use Google Drive, and set up a private partition that you need user ID/password for, and shovel your files up to it. There are Google Drive clients for Windows, Mac, Android, iOS, and Linux.
 
1 members found this post helpful.
Old 08-16-2013, 10:34 PM   #5
austinium
Member
 
Registered: Nov 2007
Location: India
Distribution: Debian Stable, Debian Testing
Posts: 219

Original Poster
Rep: Reputation: 27
Thank you John VV, Sag47, TB0ne for your replies.

The apache server is accessible only via Private IP (all users are on a corporate WAN).

I am using a web server because it is the only service that the security guys allow in/out of the corporate firewall. I've got the security guys to limit the people who can access the IP hosting Apache. Do I still need SSL? I don't want to use Dropbox due to the nature of the data involved.

There is packet loss of 3-6% to the farthest user (>1K miles away). I'll post back if this causes issues.

Right now I am trying to track successful downloads by keeping an eye on the access logs. Is this the right way?

Thanks again for your replies.
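
On the question above about judging successful downloads from the access log, an added example (not code from any poster in this thread): with pause/resume and download managers, one download shows up as several 206 entries, and an aborted transfer can still be logged as 200 with a short byte count, so the script checks whether the logged byte spans cover the whole file. It assumes a custom LogFormat that also records the Range request header, known file sizes, and constructed sample lines; all names are illustrative.

```python
import re
from collections import defaultdict

# Assumed LogFormat (not from the thread): common format plus the Range request header
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\"" dl
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) (\d+|-) "([^"]*)"')
ONE_RANGE = re.compile(r'bytes=(\d*)-(\d*)$')

def delivered_span(status, sent, range_hdr, size):
    """Half-open byte span [start, end) that one log entry proves was sent, or None."""
    if status == 200 and sent > 0:
        return (0, min(sent, size))
    m = ONE_RANGE.match(range_hdr)
    if status != 206 or sent <= 0 or not m or not (m.group(1) or m.group(2)):
        return None                      # errors, 304, multi-range: no evidence
    first, last = m.groups()
    start = int(first) if first else max(size - int(last), 0)   # "bytes=-N" = last N bytes
    return (start, min(start + sent, size))

def complete_downloads(lines, sizes):
    """Map (client, path) -> True when the logged spans cover the whole file."""
    spans = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) not in sizes:
            continue
        ip, path, status, sent, rng = m.groups()
        sent = 0 if sent == "-" else int(sent)
        span = delivered_span(int(status), sent, rng, sizes[path])
        spans[(ip, path)] += [span] if span else []
    result = {}
    for (ip, path), parts in spans.items():
        covered = 0                      # bytes [0, covered) are accounted for
        for start, end in sorted(parts):
            if start > covered:
                break                    # gap: this piece never arrived
            covered = max(covered, end)
        result[(ip, path)] = covered >= sizes[path]
    return result

# Constructed sample: a 1000-byte file and three clients (addresses are placeholders)
SIZES = {"/files/image.iso": 1000}
T = '[16/Aug/2013:10:00:00 +0530] "GET /files/image.iso HTTP/1.1"'
SAMPLE = [
    f'10.0.0.5 - - {T} 200 1000 "-"',             # one clean transfer
    f'10.0.0.6 - - {T} 200 400 "-"',              # aborted at 400 bytes...
    f'10.0.0.6 - - {T} 206 600 "bytes=400-"',     # ...then resumed
    f'10.0.0.7 - - {T} 206 500 "bytes=0-499"',    # segmented download,
    f'10.0.0.7 - - {T} 206 300 "bytes=500-999"',  # second segment cut short
]
print(complete_downloads(SAMPLE, SIZES))
```

Coverage in the log shows what the server sent, not that the client's copy is intact; publishing a checksum next to each file lets users confirm that themselves.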
 
Old 08-16-2013, 11:19 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
for the access logs there is a very nice perl tool called "Awstats"
http://awstats.sourceforge.net/

unless you have access to something like this already

now if you are using the Apache from the apache foundation ( and built it and installed it manually )
then the default /var/www/httpd.conf file is VERY VERY well documented
90% of it is the notes on that config file

I take it you do not need a CMS, but just a folder directory
like this example ( a site i use a lot )
http://pds-imaging.jpl.nasa.gov/data...e_orbiter/ctx/

http://httpd.apache.org/docs/2.4/mod...html#directory
see the part on "Options Indexes"
a snippet for the httpd.conf

Code:
<Directory "/var/www/files">
  Options Indexes 
</Directory>
where "/var/www/files" is where the downloads are
this could be the ROOT directory or not
it could be the "Public_html" folder in your HOME folder
Code:
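<Directory /home/YourUserName/public_html>
    AllowOverride FileInfo Options Indexes
    Options Indexes MultiViews
    # Apache 2.2 access control: deny everyone, then allow the listed addresses.
    # On Apache 2.4 without mod_access_compat, use "Require ip ..." instead.
    Order deny,allow
    Deny from all
    # Placeholder addresses (documentation ranges); replace with the real client IPs
    Allow from 192.0.2.10 198.51.100.20
</Directory>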
the "allow from" is a space separated list of allowed ip addresses

but STUDY the documentation

Last edited by John VV; 08-16-2013 at 11:22 PM.
 
Old 08-19-2013, 09:06 AM   #7
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by austinium
Do I still need SSL?
Well it depends on how secure the files need to be and how they're traveling. Sure the source IP is restricted from accessing the server but there's no way to restrict someone from pulling data off of the wire while in transit (i.e. packet capturing). I guess it highly depends on what layers of security you have for transport other than SSL. Remember, layers are supposed to be supplemental (no such thing as one size fits all and all security is assumed to be 'by-passable' one way or another). You just make it harder by adding layers.

So it depends on the nature of the data and how your coworkers are accessing it. If in doubt, use SSL, especially when credentials are involved because people tend to use the same password everywhere. It's not good to assume it's secure just because it's inside your corporate network. I manage a large number of internal corporate services for a University and all of those services are encrypted with top level signed certificates after being restricted to internal networks only. We assume our 'corporate' network is a hostile environment which you should too. You never know when a company computer is infected with malware and trying to access everything it can grasp or even a disgruntled employee (or student in my case) trying to do damage.

Since others have added config recommendations I will pitch in. Over the years I've seen different ciphers compromised and other people make recommendations on the internet and so here's a config for trying to limit weak ciphers from being used.
Code:
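  # Enable TLS for this virtual host
  SSLEngine on
  # Cipher list as posted in 2013; RC4 has since been prohibited for TLS (RFC 7465)
  SSLCipherSuite ALL:!ADH:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:-MEDIUM:!LOW:-SSLv2
  # Server certificate, its private key, and the CA certificate file (example paths)
  SSLCertificateFile /etc/httpd/ssl.crt/somehost.com.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/somehost.com.key
  SSLCACertificateFile /etc/httpd/ssl.crt/someca.crt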
Here is the CipherSuite values explained.

You should also disable compression over http because it has recently been found as a vulnerability in SSL.

SAM

Last edited by sag47; 08-20-2013 at 02:58 PM.
 
1 members found this post helpful.
  



Tags
apache2, download, fileserver


