What's the best practice for securing static and media files from unauthenticated users?
I have a Django project where, for the most part, users need to be logged in to see or do anything. If an unauthenticated user guesses a page name in my project, they get redirected to the login page with an error message, as they should. The project's static and media files, on the other hand, had no protection: if someone guessed their names (and URLs), authenticated or not, they would be allowed to download them.

To fix this, I configured Nginx to mark all static and media files as internal, and I wrote middleware that sends my Nginx server the X-Accel-Redirect header if users are authenticated. The code is here: <https://gist.github.com/terminator14/ad70a5cb8c081f5d3c8ae97307712886>

Functionally, this seems to work great, at least in testing. Unfortunately, when looking at my Firefox development tools, Django's admin logged-in page takes about 1 second to load without this middleware enabled, and about 3.5 seconds to load with this middleware enabled.

Am I doing something inefficiently in my middleware? Or is the idea of having every single request for every static resource be authorized by Django, rather than quickly returned by Nginx, inherently inefficient? What's the best practice?

- Is it to leave static files unprotected (CSS and JS files don't normally have anything confidential), while securing /media files with X-Accel-Redirect?
- Is it to have everything unprotected, but obfuscate the filenames of the resources to make them super difficult to guess, but quick to be returned by Nginx?
- Is there no best practice? Is it done on a case-by-case basis depending on the level of confidentiality of the static/media files you are dealing with?

--
You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7ee0735e-1266-4f51-aff6-a2d60cbd8a41%40googlegroups.com.
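One way to implement the first option the post lists (static assets stay on Nginx, only /media/ goes through Django), written as an added example rather than the poster's gist or Django's own code: a framework-agnostic version of the protected-media view, with the matching Nginx `internal` location sketched in the docstring. `INTERNAL_PREFIX`, `LOGIN_URL` and the directory paths are assumptions; the path check is the part that matters, since the X-Accel-Redirect value is built from client input.

```python
"""Serve /media/ files to authenticated users only, via Nginx X-Accel-Redirect.

Assumed Nginx side (constructed for this example, not the poster's config):

    location /static/ { alias /srv/app/static/; }      # public, no Django hop
    location /protected-media/ {                       # never reachable directly
        internal;
        alias /srv/app/media/;
    }
    location /media/ { proxy_pass http://django; }     # Django decides, Nginx streams
"""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import quote

MEDIA_URL = "/media/"                  # public URL prefix the browser requests
INTERNAL_PREFIX = "/protected-media/"  # assumed internal Nginx location
LOGIN_URL = "/accounts/login/"         # assumed login URL


def safe_relative_path(path: str) -> Optional[str]:
    """Normalise a client-supplied path and reject anything that could
    escape the media directory (absolute paths, '..', NUL, backslashes)."""
    if not path or path.startswith("/") or "\\" in path or "\x00" in path:
        return None
    parts = PurePosixPath(path).parts      # drops './' and duplicate '/'
    if not parts or any(p in ("..", ".") for p in parts):
        return None
    return "/".join(parts)


def protected_media_response(path: str, is_authenticated: bool) -> dict:
    """Framework-agnostic view: returns {status, headers, body}.

    On success the body is empty and only the X-Accel-Redirect header is set,
    so the file bytes never pass through the Python process. In Django you
    would build an HttpResponse with the same header and delete Content-Type
    so Nginx picks the MIME type from the file.
    """
    if not is_authenticated:
        next_url = quote(MEDIA_URL + path)
        return {"status": 302,
                "headers": {"Location": f"{LOGIN_URL}?next={next_url}"},
                "body": b""}
    rel = safe_relative_path(path)
    if rel is None:
        return {"status": 404, "headers": {}, "body": b""}  # do not reveal why
    return {"status": 200,
            "headers": {"X-Accel-Redirect": INTERNAL_PREFIX + quote(rel)},
            "body": b""}
```

Because /static/ never reaches Django in this layout, the admin page's CSS and JS keep Nginx's speed while every /media/ download still costs one authenticated Django request.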
Re: STATIC and MEDIA
Hi Julio! Thank you so much!

Jonathan
Diretor de Tecnologia
+55(12)98864-1594
Sent from my iPhone

> On Mar 30, 2014, at 13:49, Julio Molina Soler wrote:
> [...]
Re: STATIC and MEDIA
Hi Jonathan,

the cleanest way I found: at the beginning of your settings.py add

    import os
    BASE_PROJECT = os.path.dirname(__file__)

then when the section comes

    MEDIA_ROOT = os.path.join(BASE_PROJECT, 'media')
    MEDIA_URL = '/media/'

    STATIC_ROOT = os.path.join(BASE_PROJECT, 'static')
    STATIC_URL = '/static/'

and in some cases I also add the static inside the apps like this

    STATICFILES_DIRS = (
        # Put strings here, like "/home/html/static" or "C:/www/django/static".
        # Always use forward slashes, even on Windows.
        # Don't forget to use absolute paths, not relative paths.
        os.path.join(BASE_PROJECT, 'newApp', 'static'),  # trailing comma keeps this a tuple
    )

Julio,

On dom 30 mar 2014 00:39:41 CET, Jonathan Querubina wrote:
> [...]

--
Julio Molina Soler
julio.mol...@telenet.be
Github: https://github.com/jmolinaso
STATIC and MEDIA
Guys,

What is the best way to configure and make accessible via URL the STATIC and the MEDIA URI? I can't seem to find a good way, and get so many errors for both being equal.

Can someone send me an example of these configs?

Thanks!
Re: FreeBSD+wsgi+django static and media how-to-do
Hi dj-konst!

Static files in production are generally served by the web server: Nginx or Apache or something else. And it's safer to place the static files dir outside of your project dir and use the 'collectstatic' command to grab the static files there. Here are some examples of Nginx config with static file serving: https://code.djangoproject.com/wiki/DjangoAndNginx

What particular problems do you have?

Alex
///

On Wed, Mar 13, 2013 at 10:20 PM, wrote:
> [...]
FreeBSD+wsgi+django static and media how-to-do
Hi, I'm new to Django. I use FreeBSD9+wsgi+django (unique host) but meet problems with static files... There are sections in the Django Documentation 1.5 (4.13.4 Serving static files in production)... but there are not enough details for me. Where can I read about serving static files in more detail (examples...)?

Thanks