On 25 January 2011 03:06, Jason Stelzer <[email protected]> wrote:
> I have a scenario that is probably pretty common.
>
> I have a set of static files that I would like to restrict access to.
> The only real restriction is that people who are not logged in to my
> application should not be able to download these files. I'm using a
> python 2.6, django 1.2 and apache 2.2.
>
> To achieve this, I'm starting to look at the info here:
> http://code.google.com/p/modwsgi/wiki/FileWrapperExtension
>
> I have also started to read up on the posts about wsgi.file_wrapper
> talked about here:
> http://blog.dscpl.com.au/search/label/mod_wsgi
>
> My questions come down to this:
>
> Am I on the right track?
>
> My content is logically grouped like this:
> /media/<section1>
> /media/<section2>
> /media/<section3>
>
> If i were to want to restrict access to one (or more) of the
> sub-sections, I am thinking that I could create a mapping in my
> urls.py that corresponds to the correct section and let my
> wsgi.file_wrapper handle it. Is this a correct assumption?
>
> It would be convenient if the file wrapper were a part of my
> application since it's essentially looking for a valid http session to
> see if a user is 'logged in' or not. Any special caveats I need to be
> mindful of?
>
> Thanks for any tips/pointers. I'm quite new to python/wsgi so if these
> questions are in a faq I have not yet read a url would be both
> appreciated and sufficient.

You have a number of options.

1. wsgi.file_wrapper, which you know about already. Works in embedded
mode or daemon mode. In mod_wsgi 3.X the optimised method isn't used
for daemon mode, however. In mod_wsgi 4.0 the optimised method will be
off by default for both embedded mode and daemon mode, and will need to
be switched on for it to work, although it will not be possible to
switch it on for daemon mode. Anyway, that is not really relevant; you
use wsgi.file_wrapper regardless, and if it can optimise delivery of
the file further, it will.

2. Use X-Sendfile header in conjunction with mod_sendfile modules for
Apache, or nginx if nginx is used as front end to Apache.

3. Use X-Accel-Redirect header in conjunction with nginx used as front
end to Apache. Support for that is built into nginx and no separate
module for nginx needed.

4. Use a 200 status response and a Location header when using mod_wsgi
daemon mode. This acts like the Location header when using CGI scripts
with Apache. In other words, an internal redirect is done within
Apache to the URL specified by the Location header. Because Apache
doesn't have a concept of a private URL namespace like nginx does, and
as would be used with X-Accel-Redirect for private static media, you
need to use a rewrite rule to protect the static media when using this
Location header with Apache. Thus for each protected URL you would
have:

   # Map the protected URL space onto the directory holding the files.
   Alias /media/<section1> /some/directory/<section1>

   # Apache 2.2 access control: let Apache read the directory at all.
   <Directory /some/directory/<section1>>
   Order allow,deny
   Allow from all
   </Directory>

   # Forbid direct (non-subrequest) access; only an internal redirect
   # triggered by the application's Location header may reach the files.
   RewriteCond %{IS_SUBREQ} false
   RewriteRule ^/media/<section1> - [F]

The rewrite rule ensures that the files at the mapped URL are not
accessible unless reached via a sub-request (internal redirect)
within Apache.

BTW, also see:

  http://code.djangoproject.com/ticket/2131

I am not sure how that is progressing or whether it even ended up
doing it in a sane way.

You can see my description of the options, similar to above, at:

  http://code.djangoproject.com/ticket/2131#comment:29

Graham

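The reply above lists four ways to hand a protected file to the web server but leaves out the part the application has to get right in every case: check the session before anything is emitted, and normalise and validate the requested path before deciding which section it belongs to, so that `/section3/../section1/x` cannot dodge the login check for `section1`. The following is an added example, not code from the thread or from mod_wsgi. It is a plain WSGI application (no Django, so it runs stand-alone) that implements all four delivery modes behind one path check. The mount point `/download/`, the internal URL prefix `/media`, the section names, the `app.user` environ key used as the session check, and the sample files it creates in a temporary directory are all assumptions for the demonstration.

```python
"""Protected static media from a WSGI app: login check, path validation and the
four delivery options discussed in the thread. Added example; paths, section
names and the session check are assumptions."""
import mimetypes
import os
import posixpath
import tempfile
from wsgiref.util import FileWrapper

# Assumed layout: the app is mounted at /download/ and the same files are also
# exposed at /media/<section>/ for the Location and X-Accel-Redirect cases.
PROTECTED_SECTIONS = {"section1", "section2"}   # need a logged-in user
PUBLIC_SECTIONS = {"section3"}
INTERNAL_PREFIX = "/media"                      # URL space guarded by Apache/nginx


def is_logged_in(environ):
    """Hypothetical session check: assumes upstream middleware stored the
    authenticated user in environ['app.user'] (a Django app would use request.user)."""
    return environ.get("app.user") is not None


def resolve(path_info, media_root):
    """Map PATH_INFO '/<section>/<file>' to (section, rel_url, abs_path).
    Normalises first so '..' cannot move a request between sections, then
    rejects empty/dot segments, unknown sections and anything that resolves
    (through symlinks too) outside media_root."""
    norm = posixpath.normpath(path_info or "")
    parts = norm.split("/")
    if len(parts) < 3 or parts[0] != "" or any(p in ("", ".", "..") for p in parts[1:]):
        return None
    section = parts[1]
    if section not in PROTECTED_SECTIONS | PUBLIC_SECTIONS:
        return None
    root = os.path.realpath(media_root)
    abs_path = os.path.realpath(os.path.join(root, *parts[1:]))
    if os.path.commonpath([root, abs_path]) != root:
        return None
    return section, "/".join(parts[1:]), abs_path


def make_app(media_root, delivery="file_wrapper"):
    """delivery: 'file_wrapper' (option 1), 'xsendfile' (2),
    'accel_redirect' (3) or 'location' (4)."""
    def app(environ, start_response):
        result = resolve(environ.get("PATH_INFO", ""), media_root)
        if result is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        section, rel, abs_path = result
        # The access decision happens once, here, before any delivery header leaves.
        if section in PROTECTED_SECTIONS and not is_logged_in(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"login required\n"]
        ctype = mimetypes.guess_type(abs_path)[0] or "application/octet-stream"
        headers = [("Content-Type", ctype)]
        if delivery == "xsendfile":        # Apache mod_xsendfile reads the filesystem path
            headers.append(("X-Sendfile", abs_path))
            start_response("200 OK", headers)
            return []
        if delivery == "accel_redirect":   # nginx serves from an 'internal' location
            headers.append(("X-Accel-Redirect", "%s/%s" % (INTERNAL_PREFIX, rel)))
            start_response("200 OK", headers)
            return []
        if delivery == "location":         # mod_wsgi daemon mode: 200 + Location = internal redirect
            headers.append(("Location", "%s/%s" % (INTERNAL_PREFIX, rel)))
            start_response("200 OK", headers)
            return []
        # Option 1: stream the file through the server's wsgi.file_wrapper, falling
        # back to wsgiref's generic wrapper when the server does not provide one.
        if not os.path.isfile(abs_path):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        headers.append(("Content-Length", str(os.path.getsize(abs_path))))
        start_response("200 OK", headers)
        wrapper = environ.get("wsgi.file_wrapper", FileWrapper)
        return wrapper(open(abs_path, "rb"), 8192)
    return app


def call(app, path, user=None):
    """Drive the app without a server; returns (status, headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "/download", "PATH_INFO": path}
    if user is not None:
        environ["app.user"] = user
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    result = app(environ, start_response)
    try:
        body = b"".join(result)
    finally:
        if hasattr(result, "close"):   # a WSGI server would call close() on the wrapper
            result.close()
    return captured["status"], captured["headers"], body


def build_demo_root():
    """Constructed sample media tree in a temporary directory (not real data)."""
    root = tempfile.mkdtemp(prefix="media-")
    for section in PROTECTED_SECTIONS | PUBLIC_SECTIONS:
        os.makedirs(os.path.join(root, section))
    with open(os.path.join(root, "section1", "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "section3", "logo.png"), "wb") as f:
        f.write(b"\x89PNG constructed sample\n")
    return root


def demo():
    """Exercise the access check and each delivery mode; returns the outcomes."""
    root = build_demo_root()
    app = make_app(root)
    return {
        "anon_protected": call(app, "/section1/report.pdf")[0],
        "user_protected": call(app, "/section1/report.pdf", user="jason"),
        "anon_public": call(app, "/section3/logo.png")[0],
        # normalised to /section1/report.pdf before the check, so still protected
        "traversal": call(app, "/section3/../section1/report.pdf")[0],
        "escape": call(app, "/section1/../../etc/passwd")[0],
        "xsendfile": call(make_app(root, "xsendfile"), "/section1/report.pdf", user="jason")[1]["X-Sendfile"],
        "accel": call(make_app(root, "accel_redirect"), "/section1/report.pdf", user="jason")[1]["X-Accel-Redirect"],
        "location": call(make_app(root, "location"), "/section1/report.pdf", user="jason")[1]["Location"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Whichever delivery mode is chosen, the header-based ones (X-Sendfile, X-Accel-Redirect, Location) only hand the server a path or URL; the server never re-checks the login, so the front-end configuration from the reply (the `RewriteCond %{IS_SUBREQ}` guard for Apache, or an `internal` location for nginx) is what keeps `/media/<section1>/...` from being fetched directly, and the application's own path validation is what keeps a user from naming a file outside the section they are allowed to see.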