Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:internal-redirect [2018/09/25 21:05] Jackson Zhang [Internal Redirect via LiteSpeed] |
litespeed_wiki:config:internal-redirect [2018/09/28 15:42] (current) Lisa Clarke Proofreading |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Internal Redirect ====== | ====== Internal Redirect ====== | ||
| + | Web server internal redirect via backend response header, aka ''X-Sendfile'' or ''X-Accel-Redirect'', is a feature used by some web backend developers and popularized by Ruby on Rails. LSWS and OLS use a simple header "Location" or ''X-LiteSpeed-Location'' to achieve the same goal. | ||
| - | ===== Introduction ===== | + | ===== What is This Internal Redirect via Response Header? ===== |
| - | Web server internal redirect via backend response header, aka X-Sendfile or X-Accel-Redirect, is a feature used by some web backend developers and popularized by Ruby on Rails. | + | The backend process, instead of returning a full HTTP page response back, returns only a pointer to a local path. |
| - | === What is this internal redirect via response header? === | + | When the web server receives this special url location pointer via a header variable, the web server will output the content of the specified path, rather than the response from the backend process. |
| - | The backend process, instead of returning a full HTTP page response back, return only a pointer to a local path. | + | The end user is not aware of this internal redirection and the data appears to be returned from the original url. |
| - | When the web server receive this special url location pointer via a header variable, the web server will output the content of the specified path, rather than the response from the backend process. | + | ===== Implementing Internal Redirect on LiteSpeed Through the Header ===== |
| - | The end user is not aware of this internal redirection and the data returns appears from the original url. | + | To get this to work on LiteSpeed, just use a simple ''X-LiteSpeed-Location'' header in your PHP script. |
| + | ==== Method 1: Set "Location" Header ==== | ||
| + | In a PHP script, set a ''Location'' header pointing to a URI without the ''<nowiki>http://domain.com</nowiki>'' part. Do not set a ''Status'' header in response. Make sure no ''Status'' header is returned. PHP always adds a ''Status'' header automatically when a ''Location'' header is set. | ||
| + | <?php | ||
| + | header('Location: /php-icon.png'); | ||
| + | ?> | ||
| + | ==== Method 2: Set "X-LiteSpeed-Location" Header ==== | ||
| + | Add a special ''X-LiteSpeed-Location'' header (in LSWS v3.0.2 and above) in exactly the same way as the ''Location'' header was added in **Method 1** above. ''X-LiteSpeed-Location'' is the recommended way to implement an Internal Redirect on LSWS. | ||
| + | For example, add a line like this to the PHP script: | ||
| + | header('X-LiteSpeed-Location: /path/to/file_to_be_redirected'); | ||
| - | ===== Internal Redirect via LiteSpeed ===== | + | **Note:** ''/path/to/file_to_be_redirected'' should be a URI without ''<nowiki>http://domain.com</nowiki>'', but with the preceding ''/'', such as can be seen in the ''test.php'' script in your document root. LSWS only supports "URI" instead of "file path". |
| - | To get this to work on LiteSpeed, just use a simple header "X-LiteSpeed-Location". | + | <?php |
| + | header('X-LiteSpeed-Location: /img/php-icon.png'); | ||
| + | ?> | ||
| - | === Details === | + | That's it, folks. LiteSpeed will take over the rest, perform an internal redirect, and send the file back with ''sendfile()'' support if the URL points to a static file. |
| - | In the return response, follow the directions below: | + | Run a test through ''<nowiki>http://yourdomain.com/test.php</nowiki>'' and you will see it return the ''php-icon.png'' image. |
| - | - Return a normal "**Location**" header without ''<nowiki>http://domain</nowiki>'', just the URL without the hostname part. | + | ===== Downloading the File Instead of Displaying ===== |
| - | - Do not set a "**Status**" header in response. Make sure no "Status" header is returned. | + | If you want to download the file instead of showing it in the browser, you can add an extra header, ''Content-Disposition'', like so: |
| - | - PHP always adds "**Status**" header automatically when a "**Location**" header was set, we added a special header "**X-LiteSpeed-Location**" in 3.0.2 to address this, just use it in the same way as a "**Location**" header. For example, just put a line like below to the php script: | + | |
| - | header('X-LiteSpeed-Location: /path/to/file_to_be_redirected'); | ||
| - | |||
| - | **Note:** "/path/to/file_to_be_redirected" should be URL without http://domain but with "/", such as: **test.php** in document root: | ||
| <?php | <?php | ||
| + | header('Content-Disposition: attachment; filename = php-icon.png'); | ||
| header('X-LiteSpeed-Location: /img/php-icon.png'); | header('X-LiteSpeed-Location: /img/php-icon.png'); | ||
| ?> | ?> | ||
| - | That's it folks. LiteSpeed will take over the the rest, perform an internal redirect, and send back the file with sendfile() support if the url points to a static file. | + | Save the above to ''<nowiki>http://yourdomain.com/test.php</nowiki>'' and run it. The script will download ''php-icon.png'' instead of displaying it in the browser. |
| - | Run a test through | + | ===== Redirecting via URL vs. File Path ===== |
| - | http://yourdomain.com/test.php | + | |
| - | It will return the php-icon.png image. | + | Unlike the ''X-Sendfile'' or ''X-Accel-Redirect'' implementations in other web servers, LiteSpeed uses a URI instead of a file path for security reasons. In this way, only a file under the document root of a virtual host or a context can be returned. Otherwise, you could have a huge security issue. Imagine if, for some reason, either accidentally or maliciously, the script sends back a header ''X-Sendfile: /../etc/./passwd%00'', or something like that. The user accounts on your server would no longer be a secret! |
| - | === Ruby-on-Rails=== | + | ===== Protection from Direct Access ===== |
| - | A short example on how to use Internal Redirect for sending files within a RoR Controller. Below is a sendfile function that can be attached to any action. | + | If you want to prevent a user from accessing a file directly, just use a hard-to-guess URI like ''/you_never_know/where_file_is_stored/...''. Or you can use a rewrite rule (in ''httpd.conf'') to deny direct access to the directory holding the files, like so: |
| - | + | ||
| - | def sendfile | + | |
| - | @name = session[:filename] # a session variable set in a view or other function | + | |
| - | filename = "public/download/" + @name # create the URI, must be under /public | + | |
| - | headers["Location"] = filename # set the 'Location header | + | |
| - | redirect_to(filename) # redirect | + | |
| - | end | + | |
| - | + | ||
| - | + | ||
| - | === Security Consideration === | + | |
| - | + | ||
| - | Unlike X-Sendfile or X-Accel-Redirect implementation in other web servers, LiteSpeed uses a URL instead of file path for security reasons. In this way, only file under document root of a virtual host or a Context can be returned, otherwise, it could be a huge security issue if for some reason, either tricked or intentionally, the script sent back a header "X-Sendfile: /../etc/./passwd%00" or something like that, user accounts on your server is no longer a secret. 8-) | + | |
| - | + | ||
| - | === Protecting file from direct access === | + | |
| - | + | ||
| - | If you want to prevent user from access the file directly, just use a hard to guess URL like "/you_never_know/where_file_is_stored/...", or you can use a rewrite rule (in httpd.conf) to deny direct access to the directory holding the files, something like | + | |
| RewriteCond %{ORG_REQ_URI} ^/blocked/uri/ | RewriteCond %{ORG_REQ_URI} ^/blocked/uri/ | ||
| RewriteRule ^/blocked/uri/ - [R=403,F] | RewriteRule ^/blocked/uri/ - [R=403,F] | ||
| - | Here is a version in .htaccess (notice the difference between ^/blocked... and ^blocked...) | + | Here is a version in ''.htaccess'' (notice the difference between ''^/blocked''... and ''^blocked''...) |
| RewriteCond %{ORG_REQ_URI} ^/blocked/uri/ | RewriteCond %{ORG_REQ_URI} ^/blocked/uri/ | ||
| RewriteRule ^blocked/uri/ - [R=403,F] | RewriteRule ^blocked/uri/ - [R=403,F] | ||
| - | %{ORG_REQ_URI} is a LiteSpeed specific rewrite variable, which refers to the URI in the original request header. | + | ''%{ORG_REQ_URI}'' is a LiteSpeed-specific rewrite variable, which refers to the URI in the original request header. |
| - | Another advantage of our internal redirect implementation is that it does not limited to sending static files, it can be used to pass the request to another script for further processing. :-) | + | Another advantage of our internal redirect implementation is that it does not limit you to sending static files. It can be used to pass the request to another script for further processing. |
| + | |||
| + | ===== Ruby-on-Rails===== | ||
| + | |||
| + | Here is a short example of how to use Internal Redirect for sending files within a RoR Controller. Below is a sendfile function that can be attached to any action. | ||
| + | |||
| + | def sendfile | ||
| + | @name = session[:filename] # a session variable set in a view or other function | ||
| + | filename = "public/download/" + @name # create the URI, must be under /public | ||
| + | headers["Location"] = filename # set the 'Location header | ||
| + | redirect_to(filename) # redirect | ||
| + | end | ||