I’m building an application for a company that has thousands of clients,
and
for each client there will a set of documents that are private to that
client. Rails makes it easy, of course, to show the list of documents on
a
per-client basis, using acts_as_authenticated and using current_user as
part
of the find any time a document list is displayed.
The part for which I’m looking for the best solution is access to the
documents themselves. My simple implementation has the Rails view
showing a
series of links to the files (which are word, excel, and powerpoint
documents). The problem is that Rails isn’t involved at all in the
actual
document delivery, since these static files are served directly from
Apache.
So anyone who gets, or guesses, the URL can access these files without
authentication.
I’ve come up with three possible solutions and would appreciate hearing
what
others have done, and whether there are holes that I’m missing, or
another
approach I’ve missed.
Security by obscurity. Use long random strings for the directory and
file
names. This is probably secure enough in practice, but certainly isn’t
secure in theory and doesn’t feel quite right.
Deliver the static files via Rails. Put the documents in a directory
tree
outside of public and use a Rails action to read the file and deliver it
to
the browser. This seems like it would be secure, and doesn’t require any
Apache configuration, but it would dramatically increase the server load
when these files are viewed. I’m not sure whether that would be a real
issue
or not.
Referrer-based blocking in Apache. Set the Apache config to prohibit
access to the documents directories if the referrer is not the Rails
view
that renders the list of files from the database. This seems like
potentially the best solution but I’m wondering if there’s any security
hole
here that I’m missing. One weakness is that some people seem to have
their
web browser set to not provide a referrer, and those people wouldn’t be
able
to access the documents.
and powerpoint documents). The problem is that Rails isn’t involved
certainly isn’t secure in theory and doesn’t feel quite right.
Yeah this is not a satisfactory solution.
Deliver the static files via Rails. Put the documents in a
directory tree outside of public and use a Rails action to read the
file and deliver it to the browser. This seems like it would be
secure, and doesn’t require any Apache configuration, but it would
dramatically increase the server load when these files are viewed.
I’m not sure whether that would be a real issue or not.
You don’t want to do this by reading the whole file in inside rails
and then streaming it out, that will skyrocket your memory consumption.
Referrer-based blocking in Apache. Set the Apache config to
prohibit access to the documents directories if the referrer is not
the Rails view that renders the list of files from the database.
This seems like potentially the best solution but I’m wondering if
there’s any security hole here that I’m missing. One weakness is
that some people seem to have their web browser set to not provide
a referrer, and those people wouldn’t be able to access the documents.
This won’t work in all situation so it’s not a viable option either.
I’d appreciate any suggestions.
A few ways to skin this cat. The most efficient way is to use X-
Sendfile header with lighttpd or the X-Accell-Redirect feature of
nginx. I recommend nginx. THe way this works is that a request for a
file goes to your rails app so you can authenticate the request, but
all your rails action has to do is set a response header with the
path to a file somehwere outside of your publiuc/ dir. THen the front
end nginx server will see that header and serve the file directly.
Or you can use a gem called mongrel_secure_download . This is a
custom mongrel handler that allows for the same type of thing but all
in the same mongrel process. So this doesn’t require interaction with
a front end webserver, but it still lets mongrel serve the files
fairly fast by streaming them and not reading the whole thing into
memory at once.
Good luck!
Cheers-
– Ezra Z.
– Lead Rails Evangelist
– [email protected]
– Engine Y., Serious Rails Hosting
– (866) 518-YARD (9273)
Note, however, that you must be running Apache2, and your Apache must be
compiled to support DSOs (I believe all Apache2 standard installs do
support this). This further implies that you must control the server,
which it seems you do.
Sorry for my obscurity in the answer, don’t know how else to explain it.
That should work though I reckon. Never used respond_to for anything but
rails files though.
That’ll lead to high memory usage, depending on the sizes of the
files. In general, I’d stay away from send_data or the send_file
methods. I’ve seen mongrel sizes over 1GB from serving files up to
200MB. I switched it to a heavily modified mongrel_secure_download
handler and all was right in the world.
Thanks everyone for your suggestions. I’m running at Rails Machine and
would like to stick with their standard stack, which includes Apache
2.2, so it sounds like mod_xsendfile is the way to go.
