Sending private files

[thijs]

I'm wondering if Litespeed has feature similar to lighttpd's x-send-file option.

If you turn the option on and the Rails app sends a X-LIGHTTPD-send-file header with a path Lighttpd transfers the file to the client.

I'm using the send_file Rails method now, but this is quite expensive since it does all the IO in ruby, just setting the header and letting Litespeed handle the rest wouldn't stall the Ruby process.

Is there such a feature?

 

[dlhhyct]

it's an enterprise edition feature

http://www.litespeedtech.com/products/webserver/editions/

from that page, i believe it's an enterprise edition feature, 30 days trial is available.

 

[mistwang]

For that purpose, you can just set a location header with the corresponding URI to that file in the response header.
Like:

Location:/static/myfile

LSWS will perform a internal redirect and send the file back to client, do not set status header or the HTTP status line, otherwise, LSWS will perfrom a external redirect by sending back a redirect response to client.

The difference between "X-LIGHTTPD-send-file" header and "Location" header is that URI should be used in Location instead of the full path to the file.

 

[thijs]

For that purpose, you can just set a location header with the corresponding URI to that file in the response header.
Like:

Location:/static/myfile

LSWS will perform a internal redirect and send the file back to client, do not set status header or the HTTP status line, otherwise, LSWS will perfrom a external redirect by sending back a redirect response to client.

The difference between "X-LIGHTTPD-send-file" header and "Location" header is that URI should be used in Location instead of the full path to the file.

That's not exactly what I'm looking for. The idea is that files are only sent to users that are authorized to download the file. The files shouldn't be in a public location so people can't paste the url in an email and let someone else download the file.

There may for example be a url /document/download/1. This checks if the current user has permissions to download and only sends the file if this is the case.

 

[mistwang]

You can use a hard to guess URI, URI is not visible to user when LSWS perform an internal redirect, user only see the original URL to Rails, authentication can be done in Rails.

There is security concern if arbitrary file location is allowed.

 

[thijs]

Hm indeed, I could just deny all access except from localhost as an extra security measure.