使用 curl 和 nginx 检查站点用户是否存在
[英]check the existence of a site user using curl and nginx
问题描述
On my site, registered users, after logging in, have the possibility to download files with the curl command, ie
在我的网站上,注册用户登录后,可以使用 curl 命令下载文件,即
curl -O https://example.com /assets/file/test.txt
I would like to somehow avoid that the user not logged in or deleted still has the possibility to download the file by running the command again or by going directly to the address from the browser.我想以某种方式避免未登录或删除的用户仍然有可能通过再次运行命令或直接从浏览器转到地址来下载文件。
I use Nginx as web server.我使用 Nginx 作为网络服务器。
Is it possible to block access to the user that no longer exists or is no longer logged in?是否可以阻止对不再存在或不再登录的用户的访问?
I had thought about the possibility of doing something like this:我曾考虑过做这样的事情的可能性:
curl -u {{user.id}}:{{unique_value}} https://example.com/assets/file/test.txt
or或者
curl -O https://example.com/assets/file/test.txt?param={{unique_value}}
But I don't know how to verify the existence of the user, and if it is possible to do so, with nginx or some other tool.但我不知道如何验证用户的存在,如果可以,使用 nginx 或其他一些工具。
I tried using cookie control with Nginx, but as far as I know it is easy to circumvent.我尝试在 Nginx 中使用 cookie 控制,但据我所知很容易规避。
1 个解决方案
解决方案1
0 已采纳 2020-03-15 13:34:55
yeah you can use http basic auth to restrict file access to authorized people, per the documentation at https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/是的,根据https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ 上的文档,您可以使用 http 基本身份验证来限制对授权人员的文件访问
touch /etc/nginx/users.htpasswd;
htpasswd /etc/nginx/users.htpasswd user1 'password';
followed by其次是
server {
listen 80;
listen [::]:80
location /assets{
root /wherever/assets/..;
auth_basic "assets";
auth_basic_user_file /etc/nginx/users.htpasswd;
}
}
now only curl -u user1:password1 can download files in /assets/现在只有curl -u user1:password1可以下载 /assets/ 中的文件
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.