Merge branch 'force_auth' into 'master'

Use NGINX X-Accel-Redirect to protect media Closes #22 See merge request bde/photo21!13
2021-10-22 17:56:15 +02:00 · 2021-10-22 17:56:15 +02:00 · fb43ac14b7
commit fb43ac14b7
parent 29e9dba141 eb03db2dff
3 changed files with 22 additions and 4 deletions
--- a/docs/nginx_photos
+++ b/docs/nginx_photos
@ -34,8 +34,14 @@ server {
    error_log /var/log/nginx/photos.crans.org_error.log;
    access_log /var/log/nginx/photos.crans.org_access.log;

+    # Allow 2Go upload at once
+    client_max_body_size 2G;
+
    # Django statics and media
-    location /media  {
+    # Do not directly serve media, it must be authorized
+    # by a Django view to check permissions
+    location /protected/media  {
+        internal;
        alias /var/www/photos/photo21/media;
    }
    location /static {
--- a/photo21/urls.py
+++ b/photo21/urls.py
@ -14,11 +14,11 @@ Including another URLconf
    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
 """
 from django.contrib import admin
-from django.urls import include, path
+from django.urls import include, path, re_path
 from django.conf import settings
 from django.conf.urls.static import static

-from .views import IndexView
+from .views import IndexView, MediaAccess

 # photologue_custom overrides some photologue patterns
 urlpatterns = [
@ -33,3 +33,5 @@ urlpatterns = [

 if settings.DEBUG:
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
+else:
+    urlpatterns.append(re_path('^media/(?P<path>.*)', MediaAccess.as_view(), name='media'))
--- a/photo21/views.py
+++ b/photo21/views.py
@ -2,10 +2,20 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.views.generic import ListView
+from django.views.generic import ListView, View
+from django.http import HttpResponse
 from photologue.models import Gallery


+class MediaAccess(LoginRequiredMixin, View):
+    def get(self, request, path):
+        response = HttpResponse()
+        # Content-type will be detected by nginx
+        del response['Content-Type']
+        response['X-Accel-Redirect'] = '/protected/media/' + path
+        return response
+
+
 class IndexView(LoginRequiredMixin, ListView):
    queryset = Gallery.objects.on_site().is_public()
    paginate_by = 4