What techniques are used to store media on a different server but only site viewers can download them

I want to store media files used on a website on a different server, but make sure only viewers on the main site can download them.

An idea that occurred to me is to generate temporary symlinks to the files in the files' URLs, and delete them after a timeout, and perhaps link them to a cookie as well.

Are there some standard techniques used for this? I want to do as little coding as possible. Something built directly into the web server will be better.

Comments

  • skagerrak Member
    edited January 2014

    Have a look at ModSecDownload.

    Thanked by 2rchurch ironhide
  • Maybe the simplest thing is using the HTTP referer, so you can prevent hotlinking

  • On the main server, generate a random token for the URL. It doesn't even need the filename or anything in it. Store the token to filename mapping in a key-value store of your choosing (redis, memcached, even a plain old MySQL database would work). The download server needs some way to get the filename, given just the token. This makes redis a good choice - you can just run redis on the download server as well. When the request is made to the download server, look up the filename using the random token, serve the appropriate file, and delete the token from your key-value store. This essentially makes each link 1-use only. If you want to further restrict the download, you could also store their IP address and validate that, or you could set a scheme where the token is deleted after a certain amount of time.

    Thanked by 1rchurch
  • NickM said: When the request is made to the download server, look up the filename using the random token, serve the appropriate file, and delete the token from your key-value store

    Serving static data from an application (php, jsp) may cause serious problems under high traffic load. But you have a higher level of granularity though.

    My idea is to create a symlink to the origin file and delete the symlink afterward. Less overhead to the server.

    Thanked by 1rchurch
  • @haphan said:

    Welcome to the world of lazy tokenizing!

    1) Generate UUID (64-256 bits)

    2) Create symlink to file in pubshare directory (nginx / apache mod_proxy / varnish, pick one or all.)

    3) Delete symlink at the end of the request, or after "some timeout"

  • @haphan said:
    My idea is to create a symlink to origin file and delete the symlink afterward. Less overhead to the server.

    The problem with this approach is that you need to enable write-access, which you might not want in all cases.

  • There are a few ways you could do it, but the best is something like @HardCloud said - generate a unique ID on the main site and share it with the file server. From there, validate those IDs and use http://wiki.nginx.org/XSendfile to send the proper file. X-SendFile ensures that the only way they're going to get the file is by your application validating the id and sending the proper header to nginx.
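
The token scheme described in the comments above (random token, one use, optional IP binding and timeout, file handed to nginx via the X-Accel-Redirect header), as an added example that is not code from any poster in this thread. The `TokenStore` class, the `download_response` helper and the `/protected/` location name are assumptions; the in-memory dict stands in for the shared key-value store, and nginx is assumed to have `/protected/` configured as an `internal` location.

```python
import secrets
import time


class TokenStore:
    """In-memory stand-in for the shared key-value store (e.g. redis)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # token -> (relative_path, client_ip, expires_at)

    def issue(self, relative_path, client_ip):
        """Main site: mint an unguessable token for one file and one client IP."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._entries[token] = (relative_path, client_ip, expires_at)
        return token

    def redeem(self, token, client_ip):
        """Download server: consume the token and return the path, or None."""
        # pop() deletes the entry before any check runs, so a token is spent on
        # its first presentation even if that attempt fails. With redis, use an
        # atomic get-and-delete (GETDEL) so two parallel requests cannot both win.
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        relative_path, bound_ip, expires_at = entry
        if self._clock() >= expires_at or client_ip != bound_ip:
            return None
        return relative_path


def download_response(store, token, client_ip, internal_prefix="/protected/"):
    """Return (status, headers) for the download handler.

    The path comes from the store, never from the request, so the client
    cannot steer it. On success nginx serves the body from the internal
    location named in X-Accel-Redirect, which clients cannot request directly.
    """
    path = store.redeem(token, client_ip)
    if path is None:
        return 404, {}
    return 200, {"X-Accel-Redirect": internal_prefix + path}
```
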
