
Hi there!

I already posted this question in the forum, but since I could not figure out a solution yet, I thought I might try it again...

GOAL: I want to serve protected static files from Django, so that I can ensure that only users who are logged in can access the files.


EDIT:

As I could not find a solution using the setting mentioned below, I looked at john's suggestion again... However, it says

"Support for mod_python has been deprecated within Django. At that time, this method of authentication will no longer be provided by Django."

Though I could still make it work, it does not look like the way you should do it... Any other suggestions? What is the best way to reach the mentioned goal?


CURRENT SETTING:

1) Passenger/Nginx: I installed the passenger application and configured nginx like this:

worker_processes  2;

events {
    worker_connections  1024;
}

http {
    sendfile        on;
    server {
        listen             <port>;
        server_name        <user>.webfactional.com;

        location /files/ {
            internal;
            alias /home/<user>/files/;
        }
    }
}

2) In the Webfaction panel I edit my site so that "/protected" leads to the passenger app.

3) In django I try to access the files with the following code:

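from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

@login_required
def download(request):
    # Empty body: nginx is expected to replace it with the file named in the header
    response = HttpResponse()
    response['Content-Type'] = 'application/octet-stream'
    response['X-Accel-Redirect'] = '/protected/files/somefile.txt'
    return response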

PROBLEM: As long as I leave the "internal" in the nginx configuration, I cannot access the files (Nginx shows a 404). However, without the "internal" it works (that means the path should be correct).

Is the request from the django app not handled as "internal"? Or does anyone see what the problem could be?

Thanks for your help!!!

asked Oct 26 '10 at 15:13

niklas1080

edited Nov 13 '10 at 14:54

Just for your information why I try it that way:

http://rocketscience.itteco.org/tag/x-sendfile/?

http://blog.zacharyvoase.com/2009/09/08/sendfile/

http://wiki.nginx.org/NginxXSendfile

(Oct 30 '10 at 05:21) niklas1080

You have to keep in mind, if you get this working for internal requests only, you will not be able to guarantee that only your users can access the files. If another user on the server makes a request to 127.0.0.1:<your_port>, your nginx will see it as internal and return your "protected" file.

In regards to mod_python, you would use mod_wsgi instead.

(Nov 13 '10 at 15:12) aaronh ♦♦

Not sure if you have thought about using apache to serve the files. This seems to be the supported way to do this,

http://docs.djangoproject.com/en/dev/howto/apache-auth/

You would have to replace your current deployment with one of our pre-built apache stacks and make the appropriate changes.

answered Oct 26 '10 at 17:12

johns ♦♦

Thanks for your help! But in this case I deliberately chose to use nginx and thus I would like to know how this could work with that setting.

Btw, what I try to do with X-Accel-Redirect w/ Nginx is basically the same method as X-Sendfile w/ Apache...

(Oct 27 '10 at 02:01) niklas1080

Hi,

The request would definitely not be an "internal" request. It would be just a normal HTTP request to the URL.

You did say it works without the "internal" directory, correct?

answered Oct 27 '10 at 03:16

klynton ♦♦

Yes you can confirm that with: http://wiki.nginx.org/NginxHttpCoreModule#internal

That would definitely not constitute an internal request. I still recommend John's solution as yours would be more resource intensive since you are just running an Nginx for protecting static files + your existing django+apache app, while in John's solution it's just your apache instance.

Hope that helps!

(Oct 27 '10 at 03:39) neeravk ♦♦

Thanks again for your comments!

I will definitely have a look at John's solution, however I am still interested in how to get it working the way I suggested it.

And yes, it does work without declaring the directory "internal"... So any ideas how I could make an internal request?

(Oct 30 '10 at 05:23) niklas1080

Short answer: You cannot make an internal request because it will use HTTP instead of 127.0.0.1:PORT_NUMBER.

You can make an internal request while being logged into the server.

(Nov 02 '10 at 22:19) klynton ♦♦

Would the proxy module solve it? http://wiki.nginx.org/NginxHttpProxyModule

(Nov 03 '10 at 17:34) lamusoftware

Hi,

No, that won't solve the problem because it is being proxied through our frontend nginx. You may be able to do it by getting a dedicated IP address ($5/month) and having us open a hole in the firewall to allow a direct connection to the IPaddress:PORT_NUMBER. Then if you can restrict "internal" to mean coming from that same IP address it should work.

It is kind of a big workaround, though.

(Nov 03 '10 at 18:03) klynton ♦♦
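
Added example, not part of the original thread or any participant's code: with X-Accel-Redirect the Django view alone decides which file nginx hands out, so once the file name comes from the request (going beyond the hard-coded `somefile.txt` in the question) it has to be validated before it reaches the header. `accel_redirect_uri`, `INTERNAL_PREFIX` and `FILES_DIR` are hypothetical names; the `/files/` prefix is assumed from the `location /files/` block in the question.

```python
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import quote

# Assumption: prefix of the internal nginx location from the question's config.
INTERNAL_PREFIX = "/files/"


def accel_redirect_uri(requested, base_dir, prefix=INTERNAL_PREFIX):
    """Map a client-supplied file name to an X-Accel-Redirect value.

    Returns None when the name is unsafe or the file does not exist, in which
    case the view should answer 404 instead of setting the header.
    """
    if not requested or "\x00" in requested or "\\" in requested:
        return None
    # Lexical check: reject absolute paths and anything climbing out via "..".
    norm = posixpath.normpath(requested)
    if norm.startswith("/") or norm in (".", "..") or norm.startswith("../"):
        return None
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link pointing outside base is rejected.
    target = (base / norm).resolve()
    if base not in target.parents or not target.is_file():
        return None
    # nginx 1.5.9 and later expect an escaped URI in X-Accel-Redirect.
    return prefix + quote(target.relative_to(base).as_posix())


# In the login_required view (FILES_DIR is a hypothetical setting):
#   uri = accel_redirect_uri(name, FILES_DIR)
#   return a 404 if uri is None, else set response['X-Accel-Redirect'] = uri

if __name__ == "__main__":
    # Constructed sample tree, created in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "files"
        base.mkdir()
        (base / "report 1.txt").write_text("demo")
        (Path(tmp) / "secret.txt").write_text("outside the served tree")
        for name in ("report 1.txt", "../secret.txt", "/etc/passwd", "missing.txt"):
            print(repr(name), "->", accel_redirect_uri(name, base))
```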