Hi,

I'm sure this is a common problem but I can't find any off the shelf
solutions: there's a dynamic (PHP) web site and the requirement is that
visitors can download files, but the files have their permissions
regulated by the web application (i.e. certain users can download
certain files). The obvious solution is to download all files through
PHP (i.e. a PHP script checks permissions, reads file, writes it as its
output), but this has proven to be inefficient and we'd like to have
Apache directly handling the file download (using sendfile and other
optimizations it has).

Lighttpd has something like that:
http://trac.lighttpd.net/trac/wiki/D...BeforeDownload but
it's too rudimentary for our needs. At the very least we'd like
something that makes Apache check in a database and see if the client's
IP address is allowed to download the file requested (settable per
<Directory>), and the best solution would be to inspect the client's .

Any pointers on where to look?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIRTMFldnAQVacBcgRAur9AJ9ndfQlx3HGZdaA6y/2KMd27FMqsQCgo8Ug
gyHGEXcef9O1AS1FNoXzhpU=
=X6wi
-----END PGP SIGNATURE-----

On Jun 3, 1:03pm, Ivan Voras <ivoras@__fer.hr__> wrote:
> Hi,
>
> I'm sure this is a common problem but I can't find any off the shelf
> solutions: there's a dynamic (PHP) web site and the requirement is that
> visitors can download files, but the files have their permissions
> regulated by the web application (i.e. certain users can download
> certain files). The obvious solution is to download all files through
> PHP (i.e. a PHP script checks permissions, reads file, writes it as its
> output), but this has proven to be inefficient and we'd like to have
> Apache directly handling the file download (using sendfile and other
> optimizations it has).
>
> Lighttpd has something like that:http://trac.lighttpd.net/trac/wiki/D...oreDownloadbut
> it's too rudimentary for our needs. At the very least we'd like
> something that makes Apache check in a database and see if the client's
> IP address is allowed to download the file requested (settable per
> <Directory>), and the best solution would be to inspect the client's .
>
> Any pointers on where to look?
>
> signature.asc
> 1KDownload

Why do you think streaming the file via PHP is significantly more
expensive? The short answer is that its not possible to what you ask
unless you reimplemented your own version of the Lighttpd module
(although I'm unclear how you would securely prevent leeching using
this). An interim solution might be to keep the docs out of the
webroot, then when a valid request arrives, parse it with PHP, copy
the file into the webrrot with a random name, and redict the browser
to it, then periodically, tidy up the random files. But I suspect
you'd get a lot of mileage out of optimizing the PHP code.

C.

On Jun 3, 1:03pm, Ivan Voras <ivoras@__fer.hr__> wrote:
> Hi,
>
> I'm sure this is a common problem but I can't find any off the shelf
> solutions: there's a dynamic (PHP) web site and the requirement is that
> visitors can download files, but the files have their permissions
> regulated by the web application (i.e. certain users can download
> certain files). The obvious solution is to download all files through
> PHP (i.e. a PHP script checks permissions, reads file, writes it as its
> output), but this has proven to be inefficient and we'd like to have
> Apache directly handling the file download (using sendfile and other
> optimizations it has).
>
> Lighttpd has something like that:http://trac.lighttpd.net/trac/wiki/D...oreDownloadbut
> it's too rudimentary for our needs. At the very least we'd like
> something that makes Apache check in a database and see if the client's
> IP address is allowed to download the file requested (settable per
> <Directory>), and the best solution would be to inspect the client's .
>
> Any pointers on where to look?
>
> signature.asc
> 1KDownload

Why do you think streaming the file via PHP is significantly more
expensive? The short answer is that its not possible to what you ask
unless you reimplemented your own version of the Lighttpd module
(although I'm unclear how you would securely prevent leeching using
this). An interim solution might be to keep the docs out of the
webroot, then when a valid request arrives, parse it with PHP, copy
the file into the webrrot with a random name, and redict the browser
to it, then periodically, tidy up the random files. But I suspect
you'd get a lot of mileage out of optimizing the PHP code.

C.

C. wrote:
> On Jun 3, 1:03 pm, Ivan Voras <ivoras@__fer.hr__> wrote:
>> Hi,
>>
>> I'm sure this is a common problem but I can't find any off the shelf
>> solutions: there's a dynamic (PHP) web site and the requirement is that
>> visitors can download files, but the files have their permissions
>> regulated by the web application (i.e. certain users can download
>> certain files). The obvious solution is to download all files through
>> PHP (i.e. a PHP script checks permissions, reads file, writes it as its
>> output), but this has proven to be inefficient and we'd like to have
>> Apache directly handling the file download (using sendfile and other
>> optimizations it has).
>>
>> Lighttpd has something like that:http://trac.lighttpd.net/trac/wiki/D...oreDownloadbut
>> it's too rudimentary for our needs. At the very least we'd like
>> something that makes Apache check in a database and see if the client's
>> IP address is allowed to download the file requested (settable per
>> <Directory>), and the best solution would be to inspect the client's .
>>
>> Any pointers on where to look?

>
> Why do you think streaming the file via PHP is significantly more
> expensive? The short answer is that its not possible to what you ask
> unless you reimplemented your own version of the Lighttpd module
> (although I'm unclear how you would securely prevent leeching using
> this). An interim solution might be to keep the docs out of the
> webroot, then when a valid request arrives, parse it with PHP, copy
> the file into the webrrot with a random name, and redict the browser
> to it, then periodically, tidy up the random files. But I suspect
> you'd get a lot of mileage out of optimizing the PHP code.

It is not expensive in terms of CPU time, but it is expensive in terms
of PHP interpreters loaded in memory at any one time (we're using
FastCGI). Downloads are somewhat less important to us than "regular" web
page renderings and allocating a full PHP process (each of which is > 25
MB RES size in memory +other resources like open file descriptors etc)
soon ties up resources that could be assigned to generating web pages.

What I think I'd need is a apache module for authorization that either
allows me to script something to my liking (mod_perl?) or something that
has a simple by-IP check.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIR+3nldnAQVacBcgRAvgTAJwIjm4YiLOrEZtYSsdH3z Bn6vAVaACdGrcz
WG5fj8igyv2Mw9MurBbmUt8=
=DraL
-----END PGP SIGNATURE-----

C. wrote:
> On Jun 3, 1:03 pm, Ivan Voras <ivoras@__fer.hr__> wrote:
>> Hi,
>>
>> I'm sure this is a common problem but I can't find any off the shelf
>> solutions: there's a dynamic (PHP) web site and the requirement is that
>> visitors can download files, but the files have their permissions
>> regulated by the web application (i.e. certain users can download
>> certain files). The obvious solution is to download all files through
>> PHP (i.e. a PHP script checks permissions, reads file, writes it as its
>> output), but this has proven to be inefficient and we'd like to have
>> Apache directly handling the file download (using sendfile and other
>> optimizations it has).
>>
>> Lighttpd has something like that:http://trac.lighttpd.net/trac/wiki/D...oreDownloadbut
>> it's too rudimentary for our needs. At the very least we'd like
>> something that makes Apache check in a database and see if the client's
>> IP address is allowed to download the file requested (settable per
>> <Directory>), and the best solution would be to inspect the client's .
>>
>> Any pointers on where to look?

>
> Why do you think streaming the file via PHP is significantly more
> expensive? The short answer is that its not possible to what you ask
> unless you reimplemented your own version of the Lighttpd module
> (although I'm unclear how you would securely prevent leeching using
> this). An interim solution might be to keep the docs out of the
> webroot, then when a valid request arrives, parse it with PHP, copy
> the file into the webrrot with a random name, and redict the browser
> to it, then periodically, tidy up the random files. But I suspect
> you'd get a lot of mileage out of optimizing the PHP code.

It is not expensive in terms of CPU time, but it is expensive in terms
of PHP interpreters loaded in memory at any one time (we're using
FastCGI). Downloads are somewhat less important to us than "regular" web
page renderings and allocating a full PHP process (each of which is > 25
MB RES size in memory +other resources like open file descriptors etc)
soon ties up resources that could be assigned to generating web pages.

What I think I'd need is a apache module for authorization that either
allows me to script something to my liking (mod_perl?) or something that
has a simple by-IP check.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIR+3nldnAQVacBcgRAvgTAJwIjm4YiLOrEZtYSsdH3z Bn6vAVaACdGrcz
WG5fj8igyv2Mw9MurBbmUt8=
=DraL
-----END PGP SIGNATURE-----

On Tue, 03 Jun 2008 14:03:17 +0200
Ivan Voras <ivoras@__fer.hr__> wrote:

> Lighttpd has something like that:
> http://trac.lighttpd.net/trac/wiki/D...BeforeDownload but
> it's too rudimentary for our needs. At the very least we'd like
> something that makes Apache check in a database and see if the
> client's IP address is allowed to download the file requested
> (settable per <Directory>), and the best solution would be to inspect
> the client's .

Apache's mod_rewrite will do that for you. You can use the "RewriteMap"
directive to make it look in a database.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

On Tue, 03 Jun 2008 14:03:17 +0200
Ivan Voras <ivoras@__fer.hr__> wrote:

> Lighttpd has something like that:
> http://trac.lighttpd.net/trac/wiki/D...BeforeDownload but
> it's too rudimentary for our needs. At the very least we'd like
> something that makes Apache check in a database and see if the
> client's IP address is allowed to download the file requested
> (settable per <Directory>), and the best solution would be to inspect
> the client's .

Apache's mod_rewrite will do that for you. You can use the "RewriteMap"
directive to make it look in a database.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/