Authentication/access check when serving static media thru Apache/nginx


MrMuffin

Feb 16, 2009, 4:44:01 AM
to Django users
I'm using django to develop something similar to flickr, a site for
photo-sharing. Photos can be public, need authentication or be
personal and not available for anyone but the owner. Serving static
data using django is not optimal, but how can I control access like
this when serving static media using apache or nginx?

Thanks in advance.

Ales Zoulek

Feb 16, 2009, 4:51:27 AM
to django...@googlegroups.com
You can write an Apache auth module in Python, which calls your
external (Django) code.

It's not exactly a Django issue. Maybe this blog post could help you:

http://www.thoughtspark.org/node/25


A.
--
------------------------------------------------------
Ales Zoulek
+420 604 332 515
Jabber: ales....@gmail.com
------------------------------------------------------

prote...@gmail.com

Feb 16, 2009, 5:53:21 AM
to Django users
The way to do this is by utilizing nginx as a reverse proxy for your
dynamic django (presumably apache) server and a peer media server
(presumably another nginx setup). Nginx has a great feature (as does
lighttpd) where you can have your page request come into django and
perform all the authN/authZ checks needed for your static content but
redirect the request to the static media server once approved.

Let's say you have a user profile with pictures and want the user to
have fine-grained privacy control on his pictures.
1. request for user profile comes into nginx proxy.
2. nginx proxy fwds request to django server which determines which
pics are appropriate to view (authorized) of that profile for the
logged in user.
3. the django server, rather than returning static links to the media
server, populates a field X-Accel-Redirect that points to the static
content on the media server.
4. nginx proxy sees the X-Accel-Redirect contents and resubmits the
request to the media server and returns its content instead of the
content from the django server.
5. user gets only the static content that the django server authorized
yet the load for the transfer is moved to the media server.

Good luck,

-- Ben
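
The application side of steps 2 and 3 above, as an added example that is not part of the original thread: a framework-free sketch of the per-photo access decision and the `X-Accel-Redirect` header the app would return. The `Photo` class, the function names and the `/protected/` prefix are hypothetical; it assumes nginx marks that location `internal` so clients cannot request it directly.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import quote

# Assumption: nginx has a location under this prefix marked `internal`,
# so it is reachable only through X-Accel-Redirect, never by a client URL.
INTERNAL_PREFIX = "/protected/"


@dataclass(frozen=True)
class Photo:            # hypothetical model, constructed for this example
    path: str           # path relative to the media root
    owner: str          # username of the owner
    visibility: str     # "public", "authenticated" or "private"


def may_view(photo, user):
    """user is a username, or None for an anonymous visitor."""
    if photo.visibility == "public":
        return True
    if photo.visibility == "authenticated":
        return user is not None
    # "private" and any unknown value: fail closed, owner only.
    return user is not None and user == photo.owner


def serve_photo(photo, user):
    """Return (status, headers) for the app's reply; nginx sends the bytes."""
    if not may_view(photo, user):
        # 404 rather than 403, so the reply does not confirm the photo exists.
        return 404, {}
    # Normalise the stored path and refuse anything leaving the media root.
    rel = posixpath.normpath(photo.path)
    if rel in (".", "..") or rel.startswith(("/", "../")):
        return 404, {}
    # Percent-encode; assumes an nginx that expects escaped URIs in this header.
    headers = {"X-Accel-Redirect": INTERNAL_PREFIX + quote(rel)}
    if photo.visibility != "public":
        # Keep shared caches from storing access-controlled photos.
        headers["Cache-Control"] = "private"
    return 200, headers
```
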

Graham Dumpleton

Feb 16, 2009, 6:32:43 AM
to Django users


On Feb 16, 9:53 pm, "proteus...@gmail.com" <proteus...@gmail.com>
wrote:
> The way to do this is by utilizing nginx as a reverse proxy for your
> dynamic django (presumably apache) server and a peer media server
> (presumably another nginx setup). Nginx has a great feature (as does
> lighttpd) where you can have your page request come into django and
> perform all the authN/authZ checks needed for your static content but
> redirect the request to the static media server once approved.
>
> Let's say you have a user profile with pictures and want the user to
> have fine-grained privacy control on his pictures.
> 1. request for user profile comes into nginx proxy.
> 2. nginx proxy fwds request to django server which determines which
> pics are appropriate to view (authorized) of that profile for the
> logged in user.
> 3. the django server, rather than returning static links to the media
> server, populates a field X-Accel-Redirect that points to the static
> content on the media server.
> 4. nginx proxy sees the X-Accel-Redirect contents and resubmits the
> request to the media server and returns its content instead of the
> content from the django server.
> 5. user gets only the static content that the django server authorized
> yet the load for the transfer is moved to the media server.

Also look at nginx X-Sendfile header. This is possibly better as you
don't need to have a URL which maps to the file. The Django
application can just set X-Sendfile with the location of the file being
wherever it wants, which would include being outside of any directories
that nginx had been set up to otherwise serve.

Graham