Sending private files

Discussion in 'Ruby/Rails' started by thijs, Sep 6, 2006.

  1. thijs

    thijs New Member

    I'm wondering if Litespeed has a feature similar to lighttpd's x-send-file option.

    If you turn the option on and the Rails app sends an X-LIGHTTPD-send-file header with a path, Lighttpd transfers the file to the client.

    I'm using the send_file Rails method now, but this is quite expensive since it does all the IO in Ruby. Just setting the header and letting Litespeed handle the rest wouldn't stall the Ruby process.

    Is there such a feature?
  2. dlhhyct

    dlhhyct New Member

  3. mistwang

    mistwang LiteSpeed Staff

    For that purpose, you can just set a location header with the corresponding URI to that file in the response header.
    Like:
    Code:
    Location:/static/myfile
    LSWS will perform an internal redirect and send the file back to the client. Do not set a status header or the HTTP status line; otherwise, LSWS will perform an external redirect by sending back a redirect response to the client.

    The difference between the "X-LIGHTTPD-send-file" header and the "Location" header is that a URI should be used in Location instead of the full path to the file.
  4. thijs

    thijs New Member

    That's not exactly what I'm looking for. The idea is that files are only sent to users that are authorized to download the file. The files shouldn't be in a public location so people can't paste the url in an email and let someone else download the file.

    There may for example be a url /document/download/1. This checks if the current user has permissions to download and only sends the file if this is the case.
  5. mistwang

    mistwang LiteSpeed Staff

    You can use a hard-to-guess URI. The URI is not visible to the user when LSWS performs an internal redirect; the user only sees the original URL to Rails. Authentication can be done in Rails.

    There is a security concern if an arbitrary file location is allowed.
  6. thijs

    thijs New Member

    Hm indeed, I could just deny all access except from localhost as an extra security measure.
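
The flow discussed in this thread, as an added example that is not part of any post and is not LiteSpeed or Rails code: the application authorizes the request, then answers with only a `Location` header pointing at a hard-to-guess internal URI that is built from server-side data rather than from client input. The `/protected` prefix, the `DOCUMENTS` table, the user ids and `download_headers` are hypothetical, and the CGI-style header hash is an assumption about how the response is handed to the server.

```ruby
require "securerandom"

# Constructed sample data: each document gets a random, hard-to-guess token
# when it is stored; the file is served from /protected/<token>/<filename>.
INTERNAL_PREFIX = "/protected" # assumed URI prefix, not linked from anywhere
DOCUMENTS = {
  1 => { token: SecureRandom.hex(16), filename: "report.pdf", allowed_users: [10, 11] },
  2 => { token: SecureRandom.hex(16), filename: "budget.xls", allowed_users: [10] }
}.freeze

# Returns the response headers for a request to /document/download/<raw_id>.
def download_headers(user_id, raw_id)
  # Accept only a plain integer id. Nothing the client sends is ever used
  # as a path component, so an arbitrary file location cannot be requested.
  return { "Status" => "404 Not Found" } unless raw_id.to_s.match?(/\A\d{1,9}\z/)

  doc = DOCUMENTS[raw_id.to_i]
  return { "Status" => "404 Not Found" } if doc.nil?

  # Authorization is decided in the application before any redirect is issued.
  return { "Status" => "403 Forbidden" } unless doc[:allowed_users].include?(user_id)

  # Location only, no status: per the thread, setting a status would make the
  # server send an external redirect and expose the internal URI to the client.
  { "Location" => "#{INTERNAL_PREFIX}/#{doc[:token]}/#{doc[:filename]}" }
end
```
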
