Using nginx and PHP to check permissions before serving files

    Sometimes a site needs to restrict access to certain files for various reasons (serving files only to authorized users, anti-leech protection, and so on). There are different ways to solve this problem:

    1. Serve the files through a PHP script (substitute whatever language you prefer). With this approach the file name is passed to the script as a parameter. The code checks all the conditions under which access to the file is allowed and decides whether to return a 404 or the requested file. This approach works for small files, but as the size of the file grows it consumes a lot of system resources, because the file is read into memory and only then sent.
    2. Use a less obvious feature of the web server.


    Let us consider the second option.
    Historically, I started using nginx as a reverse proxy. Digging through its documentation, I found that with this server you can control file delivery by checking access rights immediately before the content is served.
    So let's get started.
    In front of Apache, which handles the requests for dynamic content, I have nginx, configured roughly like this:

    location / {
        proxy_pass http://127.0.0.1/;
    }

    First, we put our content in the chosen directories. In my case the site lives in /var/www, and I placed the protected content in /var/www/protected. For this section I added the following lines to the nginx configuration:

    location /protected {
        root /var/www;
        internal;
    }

    Here root indicates where the site is located. The internal directive indicates that this location is reachable only when nginx itself redirects internally to the protected directory. Thus, even knowing the direct address of the resource on the server, we receive a 404 in response to our request.
    The first stage is complete: the content is not reachable through a direct link.
    However, under certain conditions we still need to deliver this content. To do this, we bring the first location into the following form:

    location / {
        rewrite ^/download/(.*) /download.php?path=$1 last;

        proxy_pass http://127.0.0.1/;
    }

    Thus, every request that tries to fetch something from /download/ is redirected to the download.php file. This file decides whether the user is allowed or denied access to the file. The source code of download.php itself can look like this:

    <?php
    $path = $_GET["path"];
    // some actions for checking access rights
    header("X-Accel-Redirect: /protected/" . $path);
    ?>

    If the user is allowed access to this file, we send this header; otherwise we send a 404. Once the access rights have been determined, the PHP script finishes. nginx then receives this header, performs an internal redirect, and starts returning the requested file to the user.
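A fuller download.php that fills in the "some actions for checking access rights" step, as an added example and not the article's own code. It assumes a session-based login that sets $_SESSION['user_id'] and an allow-list in $_SESSION['allowed_files'] (both assumptions), restricts the path to a conservative character set, and confirms the file really lies under /var/www/protected before issuing X-Accel-Redirect; anything else gets a 404.

```php
<?php
// Added example (not the article's own code). Assumes the user has already
// logged in and that login set $_SESSION['user_id'] and $_SESSION['allowed_files'].
declare(strict_types=1);
session_start();

const PROTECTED_DIR = '/var/www/protected';   // "root /var/www" + "location /protected"
const INTERNAL_URI  = '/protected/';          // the internal-only nginx location

function deny(): void
{
    http_response_code(404);
    exit;
}

// 1. Only logged-in users may download anything.
if (empty($_SESSION['user_id'])) {
    deny();
}

// 2. Accept only a relative path made of letters, digits, dot, dash and
//    underscore segments separated by single slashes: no "..", no leading
//    slash, no hidden files, no NUL bytes.
$path = $_GET['path'] ?? '';
$segment = '[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*';
if (!is_string($path) || !preg_match("~^(?:{$segment}/)*{$segment}$~", $path)) {
    deny();
}

// 3. Resolve the real file and make sure it still lies inside PROTECTED_DIR
//    (guards against symlinks that point outside the tree).
$real = realpath(PROTECTED_DIR . '/' . $path);
if ($real === false || !is_file($real)
    || strncmp($real, PROTECTED_DIR . '/', strlen(PROTECTED_DIR) + 1) !== 0) {
    deny();
}

// 4. Per-file authorization: here an assumed allow-list kept in the session;
//    replace with your own rule (e.g. a database lookup of purchased files).
$allowed = $_SESSION['allowed_files'] ?? [];
if (!in_array($path, $allowed, true)) {
    deny();
}

// 5. Hand the file to nginx. Content-Type and Content-Disposition set here
//    are kept by nginx; the bytes are served from the internal location.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Accel-Redirect: ' . INTERNAL_URI . $path);
exit;
```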

    Summary:
    This method, it seems to me, consumes far fewer system resources when serving files whose access rights have to be checked.

    This article is based on: blog.kovyrin.net/2006/11/01/nginx-x-accel-redirect-php-rails/lang/en
    Materials used: sysoev.ru/nginx/docs

    PS This article does not claim to be complete and cannot be regarded as an instruction for setting up nginx. It deliberately omits the points concerning compression, caching and the like.
