Posted to users@httpd.apache.org by Oliver Beattie <ol...@obeattie.com> on 2011/01/04 12:19:01 UTC

[users@httpd] Custom authentication?

Hi there,

I am sure this question has likely been asked many times before; I'm just
having a bit of a hard time finding answers.

Basically, I need to be able to authenticate downloads based on a URL
signature if present (passed as a query parameter), instead of via Basic
authentication (I need to support both of these, but bypass the basic auth
if no signature is present). It isn't a requirement that they live at the
same path, so they can be at different virtual hosts/directories if
necessary.

At first, I thought the best way to do this would be just through a simple
CGI/WSGI/whatever, but the files I am authenticating access to are very
large (many GB) and I fear there may be a performance implication of doing
this (and things like Range requests won't be possible without extra work).

Has anyone had any experience with this? What is the best way to proceed?
Any help anyone could give would be very much appreciated :)

—Oliver

Re: [users@httpd] Custom authentication?

Posted by Tig <ti...@gmail.com>.
With some tweaking the following will work:

client.srv.com has the file listings, makes an MD5 of the filename
plus a salt (random string, let's call it 123456) and writes the MD5 to
the disk of client.srv.com as /<filename>-123456.txt - then makes a
request to dload.srv.com as /dl.php/<filename>/salt

dload.srv.com/dl.php makes a request for the contents of
client.srv.com/<filename>-salt.txt and checks that the MD5 of
<filename> and salt match what was returned, if so serve the requested
file through php with the correct header('Content-...') details.

Use a cron job on client.srv.com to clear out the tmp files.

-Tig

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
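A keyed variant of the signed-download idea, added here as an example that is not part of this thread and not the code of any Apache module: the authenticating host HMACs the path together with an expiry, and any mirror holding the same secret verifies the query-string signature locally, with no request back to the first host and no temporary files to clean up. The secret, paths and parameter names are constructed for illustration; a request carrying no signature is reported as "absent" so the caller can apply Basic auth instead, while a bad or expired signature is rejected rather than downgraded.

```python
# Added example (not from the thread): HMAC-signed download URLs with expiry.
# The auth server calls sign_url(); each mirror calls check_signature().
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret; in practice a long random key shared out of band
# between the authenticating server and every mirror.
SECRET = b"constructed-example-secret-do-not-reuse"


def _message(path: str, expires: int) -> bytes:
    # Bind the MAC to the exact path and the expiry, so neither field can be
    # changed without invalidating the signature.
    return f"{path}\n{expires}".encode()


def sign_url(path: str, secret: bytes, expires: int) -> str:
    """Return path?expires=...&sig=... for a path such as /pub/image.iso."""
    sig = hmac.new(secret, _message(path, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def check_signature(url: str, secret: bytes, now: int) -> str:
    """Classify a request URL as 'absent', 'valid', 'expired' or 'invalid'.

    'absent' means no signature was supplied, so the caller may fall back to
    Basic auth. 'invalid' and 'expired' must be denied outright; falling back
    on a bad signature would let a forged URL downgrade to the other path.
    """
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    if "sig" not in qs and "expires" not in qs:
        return "absent"
    if "sig" not in qs or "expires" not in qs:
        return "invalid"
    try:
        expires = int(qs["expires"][0])
    except ValueError:
        return "invalid"
    expected = hmac.new(secret, _message(parsed.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison of the MAC before looking at the expiry.
    if not hmac.compare_digest(expected, qs["sig"][0]):
        return "invalid"
    if now > expires:
        return "expired"
    return "valid"


if __name__ == "__main__":
    url = sign_url("/pub/image.iso", SECRET, int(time.time()) + 600)
    print(url)
    print(check_signature(url, SECRET, int(time.time())))
```

Because the mirror only needs the shared secret, the file itself can still be served by httpd directly (Range requests included) once the check passes.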


Re: [users@httpd] Custom authentication?

Posted by Christian Hettler <ch...@asknet.de>.

Hello Oliver,

do you know mod_auth_token?

Christian
-- 
asknet AG * Vincenz-Priessnitz-Str. 3 * D-76131 Karlsruhe
fon: +49 721 96458 6445 * fax: +49 721 96458 9445 * web: http://www.asknet.com
board of managing directors: Michael Scheib, Dr. Dietmar Waudig, Michael Konrad
chairman of the supervisory board: Dr. Joachim Bernecker * HRB 108713 Mannheim

Re: [users@httpd] Custom authentication?

Posted by Nick Kew <ni...@webthing.com>.
On 4 Jan 2011, at 12:05, MegaBrutal wrote:

> Sorry if I'm wrong. If the user is redirected from a different
> location, is it possible that checking the HTTP Referrer might do the
> work?

No.  Try it with privacy settings in your browser, or on your network.

To the OP, what you're asking looks like a session token, which could
be implemented with your choice of session management software.
Anything from an ugly mod_rewrite hack through apache's session
modules to an enterprise appserver.

-- 
Nick Kew

Re: [users@httpd] Custom authentication?

Posted by Oliver Beattie <ol...@obeattie.com>.
Thanks for the suggestion, it's very clever, but we can't run the risk of
allowing unauthenticated access to files I'm afraid. So it looks like pretty
much the only solution is to serve the file with a script — does anyone know
if this is going to impact performance? We have a lot of downloads a day on
files as large as 6GB (the reason I need to move to this model of mirrors
is because it was saturating a 1Gb/s link).

—Oliver


Re: [users@httpd] Custom authentication?

Posted by MegaBrutal <me...@gmail.com>.
Sorry if I'm wrong. If the user is redirected from a different
location, is it possible that checking the HTTP Referrer might do the
work? Assume the other server has already authenticated the user, so
you don't need to authenticate him again; you just grant access to the
file if its referrer matches the page that is expected to
redirect the user to your site. The obvious problem with this,
however, is that it causes loose security. Anyone who knows the address
of the page that's expected to redirect the user after the
authentication may generate a custom HTTP request that fakes a
referrer header, bypassing the authentication. I think you may still
verify the authenticity of the user by query parameters, and only by
such parameters, forgetting the HTTP authentication completely. Yes,
in that case, Range requests might get trickier; though I guess
fetching and interpreting the "Range" header, and performing a seek on
the file, shouldn't make your script much more complicated.

Re: [users@httpd] Custom authentication?

Posted by Oliver Beattie <ol...@obeattie.com>.
Actually, that won't work… we need to be able to support clients that do not
support cookies (APT)

—Oliver

Re: [users@httpd] Custom authentication?

Posted by Oliver Beattie <ol...@obeattie.com>.
Thanks for your quick reply… unfortunately I can't set a cookie. Another
machine (different domain) is redirecting the user to this server (auth
happens on that server) and this server is in effect acting as (one of
several identically-configured) mirrors. However, it may be possible to
redirect them to a location on the mirror that sets the cookie?

—Oliver

Re: [users@httpd] Custom authentication?

Posted by Mark Watts <m....@eris.qinetiq.com>.
After authentication, set a cookie with a sensible lifetime (~1 day).
If the cookie is set and valid allow the download, otherwise redirect to
the login page.

Mark.

-- 
Mark Watts BSc RHCE
Senior Systems Engineer, MSS Secure Managed Hosting
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg