Django - Understanding X-Sendfile


Question

I've been doing some research regarding file downloads with access control, using Django. My goal is to completely block access to a file, except when accessed by a specific user. I've read that when using Django, X-Sendfile is one of the methods of choice for achieving this (based on other SO questions, etc). My rudimentary understanding of using X-Sendfile with Django is:


  1. User requests URI to get a protected file
  2. Django app decides which file to return based on URL, and checks user permission, etc.
  3. Django app returns an HTTP Response with the 'X-Sendfile' header set to the server's file path
  4. The web server finds the file and returns it to the requester (I assume the web server also strips out the 'X-Sendfile' header along the way)

Compared with chucking the file directly from Django, X-Sendfile seems likely to be a more efficient method of achieving protected downloads (since I can rely on Nginx to serve files, vs Django), but leaves 2 questions for me:


  1. Is my explanation of X-Sendfile at least abstractly correct?
  2. Is it really secure, assuming I don't provide normal, front-end HTTP access (e.g. http://www.example.com/downloads/secret-file.jpg) to the directory that the file is stored (ie, don't keep it in my public_html directory)? Or, could a tech-savvy user examine headers, etc. and reverse engineer a way to access a file (to then distribute)?
  3. Is it really a big difference in performance? Am I going to bog my application server down by providing 8b chunked downloads of 150Mb files directly from Django, or is this sort-of a non-issue? The reason I ask is because if both versions are near equal, the Django version would be preferable due to my ability to do things in Python, like log the number of completed downloads, tally bandwidth of downloads etc.

Thanks in advance

Recommended answer


  1. The exact implementation depends on the web server, but in the case of nginx it is recommended to mark the location as internal to prevent external access.
  2. Nginx can serve files asynchronously, whereas with Django you need one thread per request, which can become a problem with a larger number of parallel requests.

Remember to send an X-Accel-Redirect header for nginx instead of X-Sendfile. See http://wiki.nginx.org/XSendfile for more information.
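The four-step flow in the question and the answer's two points, put together as an added example; this is not code from the original post, from the answerer, or from Django itself. It assumes a protected root of /srv/protected outside the document root, an nginx internal location /protected/ aliased onto it, and a hypothetical user_permitted flag standing in for the real permission check (request.user owns the file, has paid, and so on). The sample file it creates is constructed for the demo. The view logic is written framework-agnostic so it runs stand-alone; in Django you would copy the returned headers onto an HttpResponse.

```python
"""Protected-download view logic for the X-Sendfile / X-Accel-Redirect pattern."""
import logging
import mimetypes
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Assumed deployment layout (not taken from the original post): protected files
# live outside the document root, and nginx exposes that directory only under an
# *internal* location, which is the only kind of location X-Accel-Redirect may target.
PROTECTED_ROOT = Path("/srv/protected")
INTERNAL_PREFIX = "/protected/"

# Matching nginx snippet for that assumed layout. "internal" is what makes the
# pattern secure: a browser requesting /protected/... directly gets 404; the
# location can only be entered through an X-Accel-Redirect from the upstream app.
NGINX_CONFIG = r"""
location /protected/ {
    internal;
    alias /srv/protected/;             # trailing slash on both location and alias
}
location / {
    proxy_pass http://127.0.0.1:8000;  # the Django application
}
"""

log = logging.getLogger("downloads")


def resolve_protected_path(requested_name: str, root: Path = PROTECTED_ROOT) -> Optional[Path]:
    """Map a user-supplied name to a file under root, or None if it is not acceptable.

    The URL-to-path mapping is the one place the *app* can leak files: the web
    server never sees the user's input, only the header we emit, so traversal
    ("../"), absolute paths and symlinks escaping root must be rejected here.
    """
    name = requested_name.replace("\\", "/")
    parts = name.split("/")
    if name.startswith("/") or any(p in ("", ".", "..") or "\0" in p for p in parts):
        return None
    candidate = root.joinpath(*parts)
    try:
        candidate.resolve().relative_to(root.resolve())  # symlink escape check
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def protected_download(user_permitted: bool, requested_name: str,
                       backend: str = "nginx", root: Path = PROTECTED_ROOT) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a download request.

    user_permitted is a hypothetical stand-in for the real authorization check.
    403 and 404 carry no headers; 200 carries the header that tells the web
    server which file to stream, so the app never reads the file itself.
    """
    if not user_permitted:
        return 403, {}
    path = resolve_protected_path(requested_name, root)
    if path is None:
        return 404, {}
    headers = {"Content-Disposition": f'attachment; filename="{path.name}"'}
    if backend == "nginx":
        # nginx wants a URI inside the internal location, not a filesystem path,
        # URL-escaped because nginx treats the value as a request URI.
        headers["X-Accel-Redirect"] = INTERNAL_PREFIX + quote(path.relative_to(root).as_posix())
        # An empty Content-Type lets nginx pick the type from its mime.types for
        # the real file instead of forwarding the app's default text/html.
        headers["Content-Type"] = ""
    else:
        # Apache mod_xsendfile takes the absolute filesystem path in X-Sendfile,
        # and the app has to set the type itself.
        headers["X-Sendfile"] = str(path)
        headers["Content-Type"] = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
    # The app only learns that a download *started*; bytes actually delivered
    # have to come from the web server's access log.
    log.info("download started: %s", path.relative_to(root))
    return 200, headers


def make_demo_root() -> Path:
    """Create a throwaway protected root holding one constructed sample file."""
    root = Path(tempfile.mkdtemp(prefix="protected-"))
    sample = root / "reports" / "2024" / "q1.pdf"
    sample.parent.mkdir(parents=True)
    sample.write_bytes(b"%PDF-1.4 constructed sample, not a real report\n")
    return root


if __name__ == "__main__":
    demo_root = make_demo_root()
    for permitted, name in [(True, "reports/2024/q1.pdf"), (False, "reports/2024/q1.pdf"),
                            (True, "../../etc/passwd"), (True, "reports/2024/missing.pdf")]:
        print(permitted, name, protected_download(permitted, name, root=demo_root))
```

Running the module prints the four outcomes: 200 with an X-Accel-Redirect pointing into the internal location, 403 for a user without permission, and 404 for both the traversal attempt and the missing file. Two practical caveats follow from the design. Nothing the browser receives leaks the location, because nginx consumes the X-Accel-Redirect header and answers with the file itself, so the only route to a protected file is through the app's own name-to-path mapping; that is why the traversal and symlink checks live in the app and not in nginx. And because the view returns as soon as it has emitted the header, counting completed downloads or tallying bandwidth (question 3) has to be done from the nginx access log, for example from $body_bytes_sent and $status, not from the view.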
