serving large files with access controls

[Erik Rantapaa <ra...@yahoo.com>]

Suppose I have a typical proxied mod-perl setup and I
have a large (~ 650 MB) file I'd like to provide
authenticated access to. The mod-perl server will be
doing the authentication, but for performance
considerations I'd like the proxy server to serve the
file directly instead of having the mod-perl server
first forward the file to the proxy.

Is there a way to do this so that access to the file
would be _impossible_ unless the user is authenticated
by the mod-perl server? I am looking for a solution
that can guarantee that there is no way to circumvent
the authentication process. I can think of solutions
where the probability that users can access the file
without authenticating can be made very small, but I
am looking for an absolute guarantee.

Regards,

Erik Rantapaa
rant002@yahoo.com


__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com

Re: serving large files with access controls

[Peter Bi <mo...@att.net>]

We talked about this limiation of the dual setup before. There is no
solution publically available. But you can try this:
1) check http://modperl.home.att.net or similar cookie-based ticketing
system.
2) write a "ticket-client" module in C and load it into the proxy server (I
have one based on libapreqs).
3) you can use the same "ticket issuer" mod_Perl module in the server
machine, or any language as far as it can generate a valid cookie.
4) then serve the large file directly via the proxy server.

Peter

----- Original Message -----
From: "Erik Rantapaa" <ra...@yahoo.com>
To: <mo...@perl.apache.org>
Sent: Sunday, October 13, 2002 12:54 PM
Subject: serving large files with access controls


>
> Suppose I have a typical proxied mod-perl setup and I
> have a large (~ 650 MB) file I'd like to provide
> authenticated access to. The mod-perl server will be
> doing the authentication, but for performance
> considerations I'd like the proxy server to serve the
> file directly instead of having the mod-perl server
> first forward the file to the proxy.
>
> Is there a way to do this so that access to the file
> would be _impossible_ unless the user is authenticated
> by the mod-perl server? I am looking for a solution
> that can guarantee that there is no way to circumvent
> the authentication process. I can think of solutions
> where the probability that users can access the file
> without authenticating can be made very small, but I
> am looking for an absolute guarantee.
>
> Regards,
>
> Erik Rantapaa
> rant002@yahoo.com
>
>
> __________________________________________________
> Do you Yahoo!?
> Faith Hill - Exclusive Performances, Videos & More
> http://faith.yahoo.com

Re: serving large files with access controls

[Steven Lembark <le...@wrkhors.com>]

> Is there a way to do this so that access to the file
> would be _impossible_ unless the user is authenticated
> by the mod-perl server? I am looking for a solution
> that can guarantee that there is no way to circumvent
> the authentication process. I can think of solutions
> where the probability that users can access the file
> without authenticating can be made very small, but I
> am looking for an absolute guarantee.

Impossible, no. If the proxy server can handle FTP
then one way is to have the source directory mods
at 0711. That requires knowing the file name to
get it; no listings w/o read access. After that you
can have the web server, say, symlink a file with
some temp name and redirect the user to the ftp
server.

Net result is that the proxy handles an ftp request
for a name that is temporary to the download and hard
to guess.



--
Steven Lembark                               2930 W. Palmer
Workhorse Computing                       Chicago, IL 60647
                                            +1 800 762 1582