Reputation: 13354
Secure static media access in a Django site
I'm building a site where registered users can upload files. Those files are then served via Apache. Only users who are logged in should be able to access those files.
I have read this page but it seems that people would have to log in twice to access both the site and the media, each time using a different type of login box.
Is there a way around this or is there some other way to limit access to static media served by Apache using the Django authentication database?
I'm using mod_python.
EDIT: How I ended up solving this after reading Van Gale's answer and this:
- Switched to WSGI.
- Installed mod_xsendfile
- Moved all public media files into a subfolder in /media/public
- Added access to the public folder using an Alias /media/public /var/www.../media/public
- Added WSGIScriptAlias /media/protected/ /var/www.../apache/django.wsgi (same handler as for the rest of the site)
- Added XSendFile On and XSendFileAllowAbove On
- To the Django app I added an urlconf for /media/protected which does basically what's here, only modified for my authentication system. It handles urls such as /media/protected/GROUP_ID/file so that only members of the GROUP can download the files.
Upvotes: 16
Views: 5562
Answers (2)
Reputation: 43932
The usual way to do this is to pass back a special header to the web server.
You can do it with nginx using x-accel-redirect as in this Django snippet.
For Apache, it should be pretty similar using the mod_xsendfile module (discussion and examples on Django users mailing list).
Upvotes: 11
Reputation: 18681
If you have freedom to switch from Apache to lighttpd, then the most straightforward solution would be to use mod_secdownload which would do exactly what you want, that is, provide application authentication while serving the actual files via web server.
However if you are stuck with Apache, then I suggest mod_auth_token, here they mention PHP but you can generate the token in Python or any other language. Using mod_auth_token you will be able to generate the token in your application, and then have web server serve the static file utilizing that token.
Upvotes: 2
Related Questions
- How to secure media files in django in poduction?
- How to authenticate django static file access?
- Django - Protecting Media files served with Apache with custom login_required decorator
- How do you Require Login for Media Files in Django
- Security issue with serving media files
- Security issues with serving static files through Django?
- Protecting static files from non logged in users in Django
- Django SSL cert and static media
- Serving static media in django application
- Django - serving and managing permissions for static content