Reputation: 71
Users in my Django project can upload PDF files to a private storage. It is done using the django-private-storage package: when a user makes a request to get a file, Django checks permissions on it and then adds an X-Sendfile header so Apache serves the file.
Now I am trying to move all that to S3 storage. I can't seem to understand how to do that. Most info that I found on the internet is telling me to put private files in a private bucket and then serve expiring links. I don't like the expiring links and I don't want to expose any S3 links. One-shot links would be fine, maybe.
Is there any way to serve files without exposing any direct S3 links and without using expiring links? Am I missing something?
Upvotes: 1
Views: 1193
Reputation: 71
I ended up using this: X-Accel-Redirect
So, files are available for users by paths like mysite.com/data/my_file.pdf
Django expects the user to send a GET request with an auth token attached, checks it, and adds X-Accel-Redirect and S3 auth headers to the response. Nginx (in my case) catches that header and serves the file from S3 by redirecting the request, with the attached headers, to my S3 storage host.
Upvotes: 1
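A framework-independent sketch of the app-side step in the answer above, added here as an example and not the poster's code: it checks ownership, rejects path tricks, and builds the `X-Accel-Redirect` plus SigV4 headers a Django view would copy onto its response. The `/s3-internal/` location, `CFG`, `OWNERS` and both function names are assumptions.

```python
import hashlib, hmac, posixpath
from urllib.parse import quote

# Constructed sample values, not real credentials or a real bucket.
CFG = {"host": "example-bucket.s3.us-east-1.amazonaws.com", "region": "us-east-1",
       "access_key": "AKIDEXAMPLE", "secret_key": "constructed-secret"}
OWNERS = {"my_file.pdf": 7}                # object key -> owning user id
EMPTY = hashlib.sha256(b"").hexdigest()    # a GET carries no body

def sigv4_get_headers(cfg, key, now):
    """SigV4 headers for GET /<key>; nginx must send them unchanged to cfg['host']."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{cfg['region']}/s3/aws4_request"
    signed = "host;x-amz-content-sha256;x-amz-date"
    canonical = "\n".join([
        "GET", "/" + quote(key, safe="/"), "",
        f"host:{cfg['host']}", f"x-amz-content-sha256:{EMPTY}",
        f"x-amz-date:{amz_date}", "", signed, EMPTY])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + cfg["secret_key"]).encode()
    for part in scope.split("/"):          # date, region, service, terminator
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return {"Authorization": f"AWS4-HMAC-SHA256 Credential={cfg['access_key']}/{scope}, "
                             f"SignedHeaders={signed}, Signature={sig}",
            "x-amz-date": amz_date, "x-amz-content-sha256": EMPTY}

def authorize_download(user_id, requested, owners, cfg, now):
    """Headers for the app's response, or None when the view should answer 404."""
    key = requested.lstrip("/")
    if not key or posixpath.normpath(key) != key or key.startswith(".."):
        return None                        # rejects "", "a/../b", "../x", "a//b"
    if owners.get(key) != user_id:
        return None                        # object belongs to someone else
    headers = sigv4_get_headers(cfg, key, now)
    # Assumed nginx side: an `internal` location /s3-internal/ that proxies to
    # cfg['host'] and copies $upstream_http_authorization, $upstream_http_x_amz_date
    # and $upstream_http_x_amz_content_sha256 into proxy_set_header lines.
    headers["X-Accel-Redirect"] = "/s3-internal/" + quote(key, safe="/")
    return headers
```

The signature covers the host and the encoded path, so nginx has to request exactly that path from exactly that host, and marking the location `internal` is what keeps clients from reaching it without going through the permission check.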
Reputation: 35
The "expiring links" are S3 signed URLs that are valid for a period you can define with your request, and should be what you're indeed looking for.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
Using pre-signed URLs for the client's access to files like that should be no security issue if you made sure the permissions of the files in your bucket are private.
Though, if you really wish and after measuring the impact on your bandwidth, you could proxy the file transfer through your Django app so that the S3 bucket URL is not sent client side.
Upvotes: 0