Static File Hack Updated For Members

In 2015 and 2018 articles were published on how to serve static files. I wanted to do the same, but only for my free (and hopefully one day soon paid) members.

For those self-hosting Ghost, Nginx can inspect the Ghost cookies and only serve files if a member is logged in. However, the cookie name (ghost-members-ssr.sig) contains dashes and a dot, and Nginx variable names can't contain either, so the usual $cookie_<name> variable is not available. There's a little trick: a map that runs a regex over the raw Cookie header and copies the value into a variable Nginx can read.

  1. In your conf file (nano /etc/nginx/sites-enabled/ghost) add the following above the server { } block. The regex needs a named capture, (?<mc>...), which is what the original snippet was missing, and the braces and quotes must be straight ASCII characters:

    # Extract the ghost-members-ssr.sig cookie value from the Cookie header.
    # $ghostly_cookie is 0 when the cookie is absent, otherwise the cookie's value.
    # The dot is escaped so the pattern only matches the literal cookie name.
    map $http_cookie $ghostly_cookie {
        default 0;
        "~ghost-members-ssr\.sig=(?<mc>[^;]+)" $mc;
    }

  2. Create your folder under /var/www/ghost/[your folder name]

  3. Under the other location entry add:

    # Members-only folder: requests without the cookie get a 401.
    # "if" with a plain "return" is one of the safe uses of if inside a location.
    location /media/ {
        if ($ghostly_cookie = 0) { return 401; }
        alias /var/www/ghost/[your folder name]/;
    }

Here are the blog and Stack Overflow sources for reading cookies with special characters:

Now, I’m working on creating a custom error message for 401 (unauthorized).

Bear in mind that this does not check whether the cookie is valid, only that a cookie with that name exists. It is trivial to get around: set a cookie with the correct name and any content at all (from the browser's dev tools or a curl -b flag) and the 401 goes away.


To be clear, this was not meant to model a secure system.
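To make the gap concrete, here is an added Python model of the two checks; it is not code from the original post or from Ghost. existence_check mirrors the nginx map (a cookie with the right name is enough), and signature_check is the shape a real check would take: the companion ghost-members-ssr value cookie must verify against its .sig cookie under a keyed MAC. The signing scheme (HMAC-SHA256 over name=value, URL-safe base64 without padding, key DEMO_KEY) and the sample Cookie headers are assumptions constructed for this demo, not Ghost's actual key or algorithm.

```python
import base64
import hashlib
import hmac
import re

# Same pattern as the nginx map: a match on the cookie NAME alone is all
# the page's config requires. The dot is escaped to match the literal name.
SIG_COOKIE_RE = re.compile(r"ghost-members-ssr\.sig=([^;]+)")


def existence_check(cookie_header: str) -> bool:
    """Mirror of the nginx map: passes if a cookie with the right name is present."""
    return SIG_COOKIE_RE.search(cookie_header) is not None


def parse_cookies(cookie_header: str) -> dict:
    """Split a Cookie request header into {name: value}; first occurrence wins."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies.setdefault(name, value)
    return cookies


# ASSUMPTION: a Keygrip-style signed-cookie scheme constructed for this demo.
# HMAC-SHA256 over "name=value", URL-safe base64 without padding, stored in the
# companion "<name>.sig" cookie. Ghost's real key and algorithm are NOT used here.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
VALUE_COOKIE = "ghost-members-ssr"
SIG_COOKIE = VALUE_COOKIE + ".sig"


def sign(name: str, value: str, key: bytes = DEMO_KEY) -> str:
    """Produce the .sig value for a given cookie name/value under the demo scheme."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def signature_check(cookie_header: str, key: bytes = DEMO_KEY) -> bool:
    """Hardened check: the .sig cookie must be a valid MAC over the value cookie."""
    cookies = parse_cookies(cookie_header)
    value = cookies.get(VALUE_COOKIE)
    sig = cookies.get(SIG_COOKIE)
    if value is None or sig is None:
        return False
    # Constant-time comparison so a wrong guess cannot be timed byte by byte.
    return hmac.compare_digest(sign(VALUE_COOKIE, value, key), sig)


# Constructed sample Cookie headers for the demo.
LEGIT_HEADER = (
    f"{VALUE_COOKIE}=session-abc123; "
    f"{SIG_COOKIE}={sign(VALUE_COOKIE, 'session-abc123')}"
)
FORGED_HEADER = f"{VALUE_COOKIE}=whatever; {SIG_COOKIE}=not-a-real-signature"
SIG_ONLY_HEADER = f"{SIG_COOKIE}=garbage"
NO_COOKIE_HEADER = "cookieconsent=yes"


if __name__ == "__main__":
    for label, header in [("legit", LEGIT_HEADER), ("forged", FORGED_HEADER),
                          ("sig-only", SIG_ONLY_HEADER), ("none", NO_COOKIE_HEADER)]:
        print(f"{label:9} existence={existence_check(header)!s:5} "
              f"signature={signature_check(header)}")
```

The forged and sig-only headers sail through existence_check and fail signature_check, which is exactly the bypass described above. Stock nginx config cannot compute an HMAC on its own, so a real version would need something like auth_request forwarding the cookies to an endpoint that validates them (Ghost itself, or a small verifier using Ghost's key), rather than a map alone.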

The Ghost cookies are passed to nginx automatically, so I was curious to see if I could track them. It was a fun little project.

If anyone has any ideas on how to expand this into a secure system, that would be really cool. I'd be happy to test it out.

If a non-member tries to download, they will receive the nginx error page. I haven't figured out how to route it back through Ghost.