
Restricting access to static files in Django/Nginx

I am building a system that allows users to generate documents and then download them. The documents are PDFs (not that it matters for the sake of this question) and when they are generated I store them on the local file system that the web server is running on, with uuid file names:

c7d43358-7532-4812-b828-b10b26694f0f.pdf

but I know "security through obscurity" is not the right solution ...

I want to restrict access to the files on a per-account basis if possible. One thing I think I could do is upload them to S3 and provide a signed URL, but I want to avoid that for now if possible.

I am using Nginx/Django/Gunicorn/EC2/S3.

What are some other solutions?

If you are serving small files, you can indeed use Django to serve them directly, writing the file into the HttpResponse object.

If you're serving large files, however, you might want to leave that task to your web server: you can use the X-Accel-Redirect header on Nginx (and X-Sendfile for Apache and Lighttpd) to have your web server serve the file for you.

You can find more information about the header itself in Nginx's documentation, and you could find some inspiration as to how to use that in Django.

Once you're done sending files through Django views, enforcing user authentication should be pretty straightforward using Django's auth framework.

How about enforcing user==owner at the view level, preventing direct access to the files, storing them as FileFields, and only retrieving the file if that condition is met?

e.g. you could use the @login_required decorator on the view to allow access only if logged in. This could be refined using request.user to check against the owner of the file. The User Auth section of the Django documentation is likely to be helpful here.

The other option, as you mention, is via S3 itself, generating URLs within Django which have a querystring allowing an authenticated user to download a particular S3 object with a time limit. Details on that can be found in the S3 documentation. A similar question has been asked before here on SO.
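The two answers above describe one pattern: the view decides whether the requesting user owns the document, and, if so, hands the actual byte transfer to Nginx via X-Accel-Redirect, so the file directory is never exposed as a public static location. The following added example (not code from the question, the answers, or Django itself) models that pattern without a Django dependency so it runs stand-alone: a tiny in-memory `Document`/`User` model stands in for a `FileField`-backed model and `request.user`, `INTERNAL_PREFIX` is an assumed Nginx `internal` location, and the second document's uuid name is constructed. The same ownership check and header construction would sit inside a `@login_required` Django view, with `HttpError` replaced by Django's `Http404`/`PermissionDenied`.

```python
"""
Assumed Nginx configuration (hypothetical, shown for context only):

    location /protected/ {
        internal;               # not reachable by a client URL
        alias /srv/documents/;  # where the uuid-named PDFs live
    }

Because the location is `internal`, Nginx only serves from it when the
application responds with an X-Accel-Redirect header pointing into it.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
import uuid

INTERNAL_PREFIX = "/protected/"  # assumed: matches the internal location above


@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool = True  # mirrors Django's request.user API


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    filename: str  # uuid-named file, as in the question


class HttpError(Exception):
    """Stand-in for Django's Http404 / PermissionDenied."""

    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


# Constructed sample data standing in for the ORM.
DOCUMENTS = {
    1: Document(1, owner_id=10, filename="c7d43358-7532-4812-b828-b10b26694f0f.pdf"),
    2: Document(2, owner_id=20, filename=str(uuid.uuid5(uuid.NAMESPACE_URL, "example")) + ".pdf"),
}


def safe_filename(name: str) -> str:
    """Accept only a bare '<uuid>.pdf' component, so a stored name can never
    escape the internal location (no slashes, no '..', no other extension)."""
    if PurePosixPath(name).name != name or not name.endswith(".pdf"):
        raise HttpError(404)
    try:
        uuid.UUID(name[:-4])  # raises ValueError unless the stem is a real uuid
    except ValueError:
        raise HttpError(404) from None
    return name


def protected_download(user: User, doc_id: int) -> dict:
    """The view logic: authenticate, enforce user == owner, then delegate the
    transfer to Nginx. Returns the response headers the view would set."""
    if not user.is_authenticated:
        raise HttpError(401)  # @login_required would redirect to login instead
    doc = DOCUMENTS.get(doc_id)
    # Same status for "missing" and "belongs to someone else": a client cannot
    # tell valid document ids apart from invalid ones.
    if doc is None or doc.owner_id != user.id:
        raise HttpError(404)
    fname = safe_filename(doc.filename)
    return {
        # Nginx swallows this header and serves the file from the internal
        # location; the response body from the application stays empty.
        "X-Accel-Redirect": INTERNAL_PREFIX + fname,
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{fname}"',
    }


if __name__ == "__main__":
    print(protected_download(User(10), 1))
    try:
        protected_download(User(20), 1)
    except HttpError as e:
        print("other user's document ->", e.status)
```

In a real Django view the return value becomes `HttpResponse()` with these headers set on it; the important property is that the ownership decision happens in application code while the file bytes never pass through Gunicorn.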

I have had great success with django-private-files, which enforces protection at the view level and uses different backends for the actual file transfer.
