Secure file access on the nginx way

al-gallery3

Joined: 2013-06-09
Posts: 1
Posted: Mon, 2013-06-10 11:13

Dear Forum-Readers.

I'm new to gallery3, so if I have the wrong forum please redirect me to
the right one, thanks.

Due to the fact that nginx does not handle the .htaccess files I wanted to
solve the 'direct access to files' on the nginx way.

This means to use the performance benefits of nginx for file delivering
and the built-in security.

Is it possible to define other directories for

$GALLERY_ROOT/
/var/thumbs
/var/resizes
/var/albums

As far as I know there are at least three directories for which I need
this protection.

$GALLERY_ROOT/
/var/thumbs
/var/resizes
/var/albums

There are some possibilities which I know.

1.) currently used
2.) use HTTP-Auth
3.) use X-accel
4.) A possibility which I don't know

1.) currently used

Based on http://codex.galleryproject.org/Gallery3:Using_NGINX I have now the following working setup.

nginx.conf
...
        location /var/ {
          rewrite ^(.*)$ /index.php?kohana_uri=/file_proxy$1;
        }
...

Pro: Easy to configure and currently possible.
Con: This means that the files are delivered through php-fpm => nginx => client, not directly from nginx => client.

2.) use HTTP-Auth

Based on http://codex.galleryproject.org/Gallery3:API:REST#Example_Login_request and the nginx module http://mdounin.ru/hg/ngx_http_auth_request_module, ask gallery on every file (picture, movie) if the user is allowed to see the file.

Pro: This means that the files are delivered nginx => client.
Con: I don't know how difficult this setup is to build.

3.) use X-accel

Based on http://wiki.nginx.org/XSendfile add "X-Accel-Redirect:" to the file_proxy.php.

I have added the following lines to file_proxy.php

....
    if(preg_match('/^nginx/', Input::instance()->server("SERVER_SOFTWARE"))){
      error_log("file     to serve :$file:");
      header("X-Accel-Redirect: " . Input::instance()->server("REQUEST_URI"));
      break;
    }
...

and the following lines to nginx.conf

 ....
         location /var/thumbs {
           internal;
           root /home/phpapps/apps/gal/var/thumbs/;
         }

         location /var/resizes {
           internal;
           root /home/phpapps/apps/gal/var/resizes/;
         }

         location /var/albums {
           internal;
           root /home/phpapps/apps/gal/var/albums/;
         }

 ...

The problem with this setup is that the client requests '/var/albums/$ALLBUMM/$FILE' and gets a 404 from nginx.
To get this setup working, something must be changed in gallery3.

1.) create a possibility to change the request PATHs of the three directories.
2.) Add the X-Accel-Redirect snippet to the file_proxy.php

4.) A possibility which I don't know

Please can you tell me your opinions about this issue, thanks.

cheers Al
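
The 404 described under option 3, shown as an added example that is not part of the original post or of Gallery's own configuration: an `internal` location answers 404 to any request that comes straight from a client, so the internal tree needs a prefix different from the public `/var/` URLs. The `/protected/` prefix is a hypothetical name, and the sketch assumes the existing PHP location from the codex setup still handles `/index.php`.

```nginx
# Added example. The /protected/ prefix is hypothetical; the filesystem path
# and the /var/ rewrite are the ones quoted in the post.

# Public URLs stay under /var/ and always go through Gallery's file_proxy,
# which performs the permission check before anything is sent.
location /var/ {
    rewrite ^(.*)$ /index.php?kohana_uri=/file_proxy$1;
}

# Internal-only tree. A client asking for /protected/... directly gets 404;
# the location is reachable only through an X-Accel-Redirect header set by
# the PHP response. Because the prefix differs from /var/, it no longer
# shadows the public location above, which is what produced the 404 when
# "internal" was placed on /var/albums itself.
location /protected/var/ {
    internal;
    # alias replaces the matched prefix, so
    #   /protected/var/albums/a/b.jpg -> /home/phpapps/apps/gal/var/albums/a/b.jpg
    # ("root" would append the whole URI to the directory instead).
    alias /home/phpapps/apps/gal/var/;
}

# After its permission check, file_proxy.php would then send
#   X-Accel-Redirect: /protected/var/albums/<album>/<file>
# built from the path it has already validated rather than from the raw
# REQUEST_URI.
```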

 
tempg

Joined: 2005-12-17
Posts: 1857
Posted: Tue, 2013-07-09 15:14

Not sure I understand fully (I don't use nginx for things like this). You can check http://codex.galleryproject.org/Gallery3:FAQ#I_want_to_move_my_.2Fvar_directory to see if that works for you.