WebFaction

Hi there!

I already posted this question in the forum, but since I could not figure out a solution yet, I thought I might try it again...

GOAL: I want to serve protected static files from Django, so that I can ensure that only users who are logged in can access the files.


EDIT:

As I could not find a solution using the setting mentioned below, I looked at John's suggestion again... However, it says

"Support for mod_python has been deprecated within Django. At that time, this method of authentication will no longer be provided by Django."

Though I could still make it work, it does not look like the way you should do it... Any other suggestions? What is the best way to reach the mentioned goal?


CURRENT SETTING:

1) Passenger/Nginx: I installed the passenger application and configured nginx like this:

worker_processes  2;

events {
    worker_connections  1024;
}

http {
    sendfile        on;
    server {
        listen             <port>;
        server_name        <user>.webfactional.com;

        location /files/ {
            internal;
            alias /home/<user>/files/;
        }
    }
}

2) In the Webfaction panel I edit my site so that "/protected" leads to the passenger app.

3) In Django I try to access the files with the following code:

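from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

@login_required
def download(request):
    # Empty body: nginx is expected to send the file named in X-Accel-Redirect.
    response = HttpResponse()
    response['Content-Type'] = 'application/octet-stream'
    response['X-Accel-Redirect'] = '/protected/files/somefile.txt'
    return response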

PROBLEM: As long as I leave the "internal" in the nginx configuration, I cannot access the files (Nginx shows a 404). However, without the internal it works (that means the path should be correct).

Is the request from the django app not handled as "internal"? Or does anyone see what the problem could be?

Thanks for your help!!!

asked 26 Oct '10, 15:13

niklas1080
16126
accept rate: 0%

edited 13 Nov '10, 14:54

Just for your information why I try it that way:

http://rocketscience.itteco.org/tag/x-sendfile/?

http://blog.zacharyvoase.com/2009/09/08/sendfile/

http://wiki.nginx.org/NginxXSendfile

(30 Oct '10, 05:21) niklas1080

You have to keep in mind, if you get this working for internal requests only, you will not be able to guarantee that only your users can access the files. If another user on the server makes a request to 127.0.0.1:<your_port>, your nginx will see it as internal and return your "protected" file.

In regards to mod_python, you would use mod_wsgi instead.

(13 Nov '10, 15:12) aaronh ♦♦

Not sure if you have thought about using Apache to serve the files. This seems to be the supported way to do this:

http://docs.djangoproject.com/en/dev/howto/apache-auth/

You would have to replace your current deployment with one of our pre-built Apache stacks and make the appropriate changes.

permanent link

answered 26 Oct '10, 17:12

johns
5.3k312
accept rate: 23%

Thanks for your help! But in this case I deliberately chose to use nginx and thus I would like to know how this could work with that setting.

Btw, what I try to do with X-Accel-Redirect w/ Nginx is basically the same method as X-Sendfile w/ Apache...

(27 Oct '10, 02:01) niklas1080

Hi,

The request would definitely not be an "internal" request. It would be just a normal HTTP request to the URL.

You did say it works without the "internal" directory, correct?

permanent link

answered 27 Oct '10, 03:16

klynton
1.6k1210
accept rate: 41%

Yes you can confirm that with: http://wiki.nginx.org/NginxHttpCoreModule#internal

That would definitely not constitute an internal request. I still recommend John's solution, as yours would be more resource intensive since you are just running an Nginx for protecting static files + your existing Django + Apache app, while in John's solution it's just your Apache instance.

Hope that helps!

(27 Oct '10, 03:39) neeravk

Thanks again for your comments!

I will definitely have a look at John's solution, however I am still interested in how to get it working the way I suggested it.

And yes, it does work without declaring the directory "internal"... So any ideas how I could make an internal request?

(30 Oct '10, 05:23) niklas1080

Short answer: You cannot make an internal request because it will use HTTP instead of 127.0.0.1:PORT_NUMBER.

You can make an internal request while being logged into the server.

(02 Nov '10, 22:19) klynton

Would the proxy module solve it? http://wiki.nginx.org/NginxHttpProxyModule

(03 Nov '10, 17:34) lamusoftware

Hi,

No, that won't solve the problem because it is being proxied through our frontend nginx. You may be able to do it by getting a dedicated IP address ($5/month) and having us open a hole in the firewall to allow a direct connection to the IPaddress:PORT_NUMBER. Then if you can restrict "internal" to mean coming from that same IP address it should work.

It is kind of a big workaround, though.

(03 Nov '10, 18:03) klynton
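
Added example, not part of the original thread or any poster's code: a stdlib-only sketch of the header a login-protected view would return for the `location /files/ { internal; alias ...; }` block from the question, with a simplified model of how that location treats direct requests versus an X-Accel-Redirect. It assumes the nginx instance holding that location is the one that receives the application's response; the function names and the `USER` placeholder are hypothetical.

```python
import posixpath
from urllib.parse import quote, unquote

# Assumed values mirroring the nginx config in the question.
INTERNAL_PREFIX = "/files/"        # location /files/ { internal; ... }
ALIAS_ROOT = "/home/USER/files/"   # alias target; USER is a placeholder


def accel_redirect_uri(requested_name):
    """Map a client-supplied file name to a URI under INTERNAL_PREFIX.

    Returns None for names that would escape the protected directory.
    """
    name = unquote(requested_name)
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return None
    normalized = posixpath.normpath(name)
    if normalized in (".", "..") or normalized.startswith("../"):
        return None
    return INTERNAL_PREFIX + quote(normalized)


def download_headers(requested_name, logged_in):
    """What the view answers: (status, headers). No file body is sent."""
    if not logged_in:
        return 403, {}
    uri = accel_redirect_uri(requested_name)
    if uri is None:
        return 404, {}
    return 200, {"Content-Type": "application/octet-stream",
                 "X-Accel-Redirect": uri}


def nginx_resolve(uri, from_accel_redirect):
    """Simplified model of the `internal` + `alias` location.

    Direct client requests get 404; only an internal redirect is mapped
    to a path on disk. The model assumes nginx percent-decodes the URI.
    """
    if not uri.startswith(INTERNAL_PREFIX):
        return 404, None
    if not from_accel_redirect:
        return 404, None
    return 200, ALIAS_ROOT + unquote(uri[len(INTERNAL_PREFIX):])
```
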
question asked: 26 Oct '10, 15:13

question was seen: 5,283 times

last updated: 13 Nov '10, 15:12
