Re: Protecting Static Media from Unauthorized Users

2010-04-15 Thread Dilan
Thanks, I think this is exactly what I need.

-Dilan

On Apr 14, 9:06 pm, Chris Moffitt wrote:
> What you want to use is x-sendfile or one of its variants depending on your
> server.
>
> Here's the Nginx page - http://wiki.nginx.org/NginxXSendfile
>
> Here's where we use it in Satchmo for securing downloadable
> files: http://www.bitbucket.org/chris1610/satchmo/src/tip/satchmo/apps/satch...
>
> -Chris
>
> On Wed, Apr 14, 2010 at 7:06 PM, Dilan wrote:
> > Hi,
>
> > I know this isn't a completely django-based question but I thought
> > someone might have an idea, whether it uses Django or not.
>
> > I am currently using what seems to be the typical django server, which
> > has nginx as a front-end that handles static media while proxying all
> > other requests to apache. The site I am designing has a lot of plans
> > for hosting static media, but it only wants certain users to be able
> > to see that media.
>
> > As an example, think of a photo album site. I want people to be able
> > to upload and store their files, but that no one else should be able
> > to see them. Since they are images, it seems I would use nginx to
> > deal with the request for any image that is supposed to be displayed.
> > The problem I have is that in this method, if someone identifies the
> > URL associated with the image, they can send that URL to anyone and
> > they could also access that image (since the response is through nginx
> > and not apache/django).
>
> > I know this might not seem like a big deal, but for the group I am
> > working for they only want logged-in users to be able to access these
> > types of files.
>
> > I have been doing some research, and it seems the most common method
> > is to obfuscate the URLs used for these static media to make it
> > extremely difficult to identify. Preferably, I can still obfuscate the
> > URL, but I still want it if someone tried to directly visit the media
> > url, they would get an error message or say they are not authorized to
> > view that image.
>
> > Another approach that was suggested to me but I am not fond of is storing
> > these types of files in a database. Specifically, in my case, most of my
> > files are text-based and could be stored in the database. However,
> > while I am not an expert on databases, I feel that doing this would be
> > a significantly slow and space-consuming method.
>
> > -Dilan

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.



Re: Protecting Static Media from Unauthorized Users

2010-04-14 Thread Chris Moffitt
What you want to use is x-sendfile or one of its variants depending on your
server.

Here's the Nginx page -
http://wiki.nginx.org/NginxXSendfile

Here's where we use it in Satchmo for securing downloadable files:
http://www.bitbucket.org/chris1610/satchmo/src/tip/satchmo/apps/satchmo_store/shop/views/download.py#cl-58

-Chris


On Wed, Apr 14, 2010 at 7:06 PM, Dilan wrote:

> Hi,
>
> I know this isn't a completely django-based question but I thought
> someone might have an idea, whether it uses Django or not.
>
> I am currently using what seems to be the typical django server, which
> has nginx as a front-end that handles static media while proxying all
> other requests to apache. The site I am designing has a lot of plans
> for hosting static media, but it only wants certain users to be able
> to see that media.
>
> As an example, think of a photo album site. I want people to be able
> to upload and store their files, but that no one else should be able
> to see them. Since they are images, it seems I would use nginx to
> deal with the request for any image that is supposed to be displayed.
> The problem I have is that in this method, if someone identifies the
> URL associated with the image, they can send that URL to anyone and
> they could also access that image (since the response is through nginx
> and not apache/django).
>
> I know this might not seem like a big deal, but for the group I am
> working for they only want logged-in users to be able to access these
> types of files.
>
> I have been doing some research, and it seems the most common method
> is to obfuscate the URLs used for these static media to make it
> extremely difficult to identify. Preferably, I can still obfuscate the
> URL, but I still want it if someone tried to directly visit the media
> url, they would get an error message or say they are not authorized to
> view that image.
>
> Another approach that was suggested to me but I am not fond of is storing
> these types of files in a database. Specifically, in my case, most of my
> files are text-based and could be stored in the database. However,
> while I am not an expert on databases, I feel that doing this would be
> a significantly slow and space-consuming method.
>
> -Dilan
>
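
The pattern suggested in this reply, as an added example that is not part of the original thread or of Satchmo's code: the application decides who may see a file and answers with nginx's X-Accel-Redirect header, and nginx then serves the bytes from a location marked internal, so a shared or guessed media URL gets an error instead of the file. The /protected/ prefix, the OWNERS table and the function names are assumptions made for illustration.

```python
import posixpath

# Assumed nginx side (location and directory names are illustrative):
#   location /protected/ { internal; alias /srv/private_media/; }
# "internal" makes nginx reject direct client requests for /protected/...;
# the files are reachable only through an X-Accel-Redirect response header.
INTERNAL_PREFIX = "/protected/"

# Constructed sample data: which user owns which uploaded file.
OWNERS = {
    "albums/alice/beach.jpg": "alice",
    "albums/bob/notes.txt": "bob",
}


def safe_relative_path(requested):
    """Return a normalized relative path, or None if it is malformed
    or tries to climb out of the media root."""
    if not requested or "\x00" in requested or "\\" in requested:
        return None
    norm = posixpath.normpath(requested)
    if norm in (".", "..") or norm.startswith(("/", "../")):
        return None
    return norm


def media_response(username, requested):
    """Decide access in the application and let nginx send the bytes.

    username is None for an anonymous request.
    Returns (status, headers) for the view to turn into a response.
    """
    if username is None:
        return 401, {}  # not logged in
    path = safe_relative_path(requested)
    if path is None or path not in OWNERS:
        return 404, {}  # unknown or malformed path
    if OWNERS[path] != username:
        return 403, {}  # logged in, but not the owner
    # nginx replaces this (empty) response with the file at the internal URI.
    return 200, {"X-Accel-Redirect": INTERNAL_PREFIX + path}
```

In a Django view the same decision would sit behind the session's logged-in user, with the returned status and header copied onto the HttpResponse.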




Protecting Static Media from Unauthorized Users

2010-04-14 Thread Dilan
Hi,

I know this isn't a completely django-based question but I thought
someone might have an idea, whether it uses Django or not.

I am currently using what seems to be the typical django server, which
has nginx as a front-end that handles static media while proxying all
other requests to apache. The site I am designing has a lot of plans
for hosting static media, but it only wants certain users to be able
to see that media.

As an example, think of a photo album site. I want people to be able
to upload and store their files, but that no one else should be able
to see them. Since they are images, it seems I would use nginx to
deal with the request for any image that is supposed to be displayed.
The problem I have is that in this method, if someone identifies the
URL associated with the image, they can send that URL to anyone and
they could also access that image (since the response is through nginx
and not apache/django).

I know this might not seem like a big deal, but for the group I am
working for they only want logged-in users to be able to access these
types of files.

I have been doing some research, and it seems the most common method
is to obfuscate the URLs used for these static media to make it
extremely difficult to identify. Preferably, I can still obfuscate the
URL, but I still want it if someone tried to directly visit the media
url, they would get an error message or say they are not authorized to
view that image.

Another approach that was suggested to me but I am not fond of is storing
these types of files in a database. Specifically, in my case, most of my
files are text-based and could be stored in the database. However,
while I am not an expert on databases, I feel that doing this would be
a significantly slow and space-consuming method.

-Dilan
