Secure static media access in a Django site


Problem description

I'm building a site where registered users can upload files. Those files are then served via Apache. Only users who are logged in should be able to access those files.

I have read this page but it seems that people would have to log in twice to access both the site and the media, each time using a different type of login box.

Is there a way around this or is there some other way to limit access to static media served by Apache using the Django authentication database?

I'm using mod_python.

EDIT: How I ended up solving this after reading Van Gale's answer and this (http://groups.google.com/group/django-users/browse_thread/thread/b4ceae1956e003e5/):

  1. Switched to WSGI.
  2. Installed mod_xsendfile
  3. Moved all public media files into a subfolder in /media/public
  4. Added access to the public folder using an Alias /media/public /var/www.../media/public
  5. Added WSGIScriptAlias /media/protected/ /var/www.../apache/django.wsgi (same handler as for the rest of the site)
  6. Added XSendFile On and XSendFileAllowAbove On
  7. To the Django app I added a urlconf for /media/protected which does basically what's here, only modified for my authentication system. It handles URLs such as /media/protected/GROUP_ID/file so that only members of the GROUP can download the files.

Solution

The usual way to do this is to pass back a special header to the web server.

You can do it with nginx using x-accel-redirect as in this Django snippet.

For Apache, it should be pretty similar using the mod_xsendfile module (discussion and examples on Django users mailing list).
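
The authorization step behind a /media/protected/GROUP_ID/file handler like the one described in the question, as an added example that is not the poster's code or code from any project. It is framework-neutral Python: `authorize_download`, its arguments and the two extra response headers are assumptions, and in a Django view the group set would come from the request and the returned headers would be set on an empty response.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

PREFIX = "/media/protected/"  # URL prefix routed to the application (from the page)


def authorize_download(url_path, user_groups, media_root):
    """Decide a request for /media/protected/GROUP_ID/file.

    url_path: raw, still percent-encoded request path (assumption).
    user_groups: set of group ids (strings) of the logged-in user, or None
    for an anonymous request (assumption; a view would read them from the
    session). Returns (status, headers); on 200 Apache replaces the empty
    body with the file named in X-Sendfile.
    """
    if user_groups is None:
        return 403, {}
    if not url_path.startswith(PREFIX):
        return 404, {}
    parts = unquote(url_path[len(PREFIX):]).split("/")
    # Exactly GROUP_ID/file: no extra segments, dot segments, backslashes or NULs.
    if len(parts) != 2 or any(
        p in ("", ".", "..") or "\\" in p or "\x00" in p for p in parts
    ):
        return 404, {}
    group_id, filename = parts
    # Membership is checked before touching the disk, so non-members
    # cannot probe which files exist.
    if group_id not in user_groups:
        return 403, {}
    root = Path(media_root).resolve()
    target = (root / group_id / filename).resolve()
    # resolve() follows symlinks: a link that leaves the root is refused.
    # This matters because XSendFileAllowAbove On allows sending files
    # from above the request path.
    if root not in target.parents or not target.is_file():
        return 404, {}
    return 200, {
        "X-Sendfile": str(target),
        "Content-Disposition": "attachment",  # uploads are never rendered inline
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        (Path(tmp) / "42").mkdir()
        (Path(tmp) / "42" / "notes.txt").write_text("demo")
        print(authorize_download("/media/protected/42/notes.txt", {"42"}, tmp))
        print(authorize_download("/media/protected/42/notes.txt", {"7"}, tmp))
```

For nginx the same decision applies, but X-Accel-Redirect takes an internal location URI rather than a filesystem path.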
