使用 Dokku 制作 Django 用户上传的媒体文件

Question

I would like to serve user uploaded media files using nginx on the same host as the Django application rather than a CDN or S3 or similar.

The django-private-storage library can be used to protect media files behind a login: https://github.com/edoburu/django-private-storage

I am deploying my Django application with Dokku.

Dokku says that dokku persistant storage plugin should be used to allow for user uploads to be persisted on the host. https://dokku.com/docs~v0.9.2/advanced-usage/persistent-storage/

My confusion is that django-private-storage requires you to edit the config for nginx. Specifically, it requires you to set the location of the private media being served to be internal. So that the URL cannot be accessed from the outside by a user who isn't logged in.

The dokku docs don't explain how to use persistant storage behind an application login. Do I actually need django-persistant-storage to be able to write user uploaded media?

How can I combine these solutions so that my application, which is inside a container, can read and write media files, which media files are served by nginx, and served at an internal location that can only be accessed by a user who is logged into the application?

Updates (Oct 2021) I am able to deploy my app, upload files and access them at the appropriate URL. But I haven't been able to protect them against unauthenticated access.

I haven't yet used django-private-storage or dokku persistant storage. Once the files are inaccessible I plan to follow these steps to allow authenticated access: https://b0uh.github.io/protect-django-media-files-per-user-basis-with-nginx.html

I created a file my_conf.conf saved to /home/dokku/backend/nginx.conf.d

which contains

location /protected/ {
    internal;
    alias /home/dokku/backend/;
}

and then rebooted Nginx

I can't actually see the images anywhere on host, but if I run dokku enter backend then my files are there in the container under '/mediafiles/testuploads/'

Here is settings.py

MEDIA_ROOT = os.path.join(BASE_DIR, 'mediafiles')
MEDIA_URL = '/media/'

and models.py

class User(AbstractUser):
    profile_image = models.ImageField(upload_to='testuploads/', null=True)

Answer 1

Let's do it by yourself!

You can serve your profile images with your custom view that checks auth!

You may implement the needed feature without additional dependencies. As a bonus, you will understand the whole process.

So, you need to:

1. Add a path, something like /profiles/<int:user_id>/image/ in your urls.py
2. Use this link with a proper user_id in your front-end (change a needed template)
3. Write a class-based or function-based view for this endpoint, as usual, check the user_id parameter, check the auth in request, compare user in request with the user in the user instance and maybe something else.
4. Response with 401 Not Authorized when you have an unauthorized request.
5. Response with FileResponse in OK.

from django.http import FileResponse
response = FileResponse(open('myfile.png', 'rb'))

use your user.profile_image property

Theoretically, if the user doesn't know the old path to /media/testuploads/filename.ext this file is " not shared ".

But if you want to be sure - don't serve /media/ folder with NGINX or exactly /media/testuploads/ path if you want to serve another media files ( return 401 https://$host$request_uri; in NGINX config in the needed block). Such changes need NGINX to be reloaded.

Watch view caching in the next seasons 😀 to improve the performance. But the browser will cache the image if it works in default settings.