serving files only when requests authorised by application
Graeme
24 January 2016, 09:10
I am looking at moving multiple smallish sites to Hiawatha. One site has downloads that are only served to logged in users. At the moment it uses Lighttpd and the application checks whether the user is logged in, and replies with a response that contains an X-Sendfile header if so. The file is outside the document root so this is the only way it can be accessed.
In the thread saying X-Sendfile will not be implemented Hugo says "this won't interfere with any migration plans", which I assume means there is a simple alternative. Does it mean the application has to serve the file or is there a better way to do it with Hiawatha?
Hugo Leisink
24 January 2016, 10:55
The X-Sendfile header makes Lighttpd use the sendfile() system call to send the file to the client. This method was supposed to make things faster, but tests in Hiawatha showed that it wasn't faster. That's the reason I'm not going to support it. It also messes up other features in Hiawatha. Because 'speed' is the only thing we're talking about it, you can simply ignore the header. It has nothing to do with security.
Graeme
25 January 2016, 11:01
I understood that it was not faster from your reply to a previous feature request. What I do not understand is how I can "ignore the header". If I do that (in this case) the downloads will stop working. I definitely have to change something in this application to make it work with Hiawatha.
I do not like the idea of serving static files from the application:
1) it means I will have to rewrite code to serve the file instead of returning the header. I probably need to rewrite it to read and serve the file in chunks. Its not a big problem (I only need to write four or five lines of code to do this) but it is not as nice as one line!
2) it will increases memory usage (I am going to need an extra application thread for every file being served). Its probably worth it for some sites (a good trade off to get the security features) but maybe not for sites that have lots of such files to server, or very large files to serve.
Hugo Leisink
25 January 2016, 14:02
I found an easy way to support it. I'll do some more testing, but for now it all looks ok. If it stays that way, it will be supported in v10.1.
Graeme
26 January 2016, 11:47
Thanks! Looking forward to that.
This topic has been closed.