Python's Flask framework and Nginx implement static file access restriction functions

Nginx configuration

Ngnix, a high-performance web server, is undoubtedly the darling of the moment. Excellent performance, flexible and scalable, conquering cities and conquering the world in the server field.

Static files are an integral part of most websites. Using Nginx to process static files is also a common way. However, some static files we do not expose to any user under any circumstances. For example, some files provided for users to download, some pictures uploaded by users that involve user privacy, etc. We want users to be able to access it when they are logged in, but not visible to users who are not logged in.

For rough processing, the back-end program can perform filtering. When rendering the page, the user login is verified in the view logic, and then the corresponding page is returned. For example, the following flask code (pseudocode)

@app.router('/user/idcard'):
def user_idcard_page():
 if user is login:
  return '<img  src="/static/imghwm/default1.png"  data-src="http://files.jb51.net/upload/user/xxx.png' alt="Python's Flask framework and Nginx implement static file access restriction functions" >"  class="lazy">"
 else:
  reutrn '<p>Pemission Denied<p>', 403

But there is another problem with this kind of processing. Static files are processed by nginx. If the hacker finds the absolute address of the file, directly visit http://www.example.com/upload/user/xxx.png It's also possible. It just so happens that these files involve user privacy, such as ID photos uploaded by users. Then the coders don't want the media to report the next day that the well-known website XXX has a vulnerability and that Hacker obtained the user's ID card and other information.

In order to achieve such restrictions, you can use a small function of Nginx----XSendfile. The principle is also relatively simple, probably using request redirection.

We know that if you use Nginx as a reverse proxy for the server front-end, when a request comes in, nginx will catch it first, and then forward it to the back-end program for processing according to the rules, or directly process and return. The former handles some dynamic logic, while the latter mostly handles static files. Therefore, in the above example, if the absolute address of the static file is directly accessed, Nginx will return it directly without calling the user_idcard_page of the backend for logical restrictions.

In order to solve this problem, the XSendfile function provided by nginx simply uses the internal directive. This instruction indicates that only internal requests, that is, requests forwarded by the backend, will be accepted. In the back-end view logic, the X-Accel-Redirect header information needs to be explicitly written.

The pseudo code is as follows:

location /upload/(.*) {
  alias /vagrant/;
  internal;
}

@app.router('upload/<filename>')
@login_required
def upload_file(filename):
 response = make_response()
 response['Content-Type'] = 'application/png'
 response['X-Accel-Redirect'] = '/vagrant/upload/%s' % filename
 return response

After such processing, static resources can be redirected. This kind of usage is relatively common, and many download servers can use this method to handle downloads based on user permissions.

Flask

Flask is my favorite web framework. Flask even implements a sendfile method, which is simpler than the above method. I used Vagrant to make a virtual machine and used Flask to achieve the above requirements. The specific code is as follows:

Project Structure

project struct

project
 app.py
 templates
 static
 0.jpeg
 upload
 0.jpeg

nginx configuration nginx conf

web.conf

server {
  listen 80 default_server;

  # server_name localhost;
  server_name 192.168.33.10;
  location / {
    proxy_pass http://127.0.0.1:8888;
    proxy_redirect off;
    proxy_set_header Host $host:8888;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
  # 正常的静态文件
  location /static/(.*) {
    root /vagrant/;

  }
  # 用户上传的文件，需要做权限限制
  location /upload/(.*) {
    alias /vagrant/;
    internal;    # 只接受内部请求的指令
  }
}

Flask code

app.py

from functools import wraps
from flask import Flask, render_template, redirect, url_for, session, send_file

app = Flask(__name__)

app.config['SECRET_KEY'] = 'you never guess'

def login_required(f):
 @wraps(f)
 def decorated_function(*args, **kwargs):
  if not session.get('login'):
   return redirect(url_for('login', next=request.url))
  return f(*args, **kwargs)
 return decorated_function

@app.route('/')
def index():
 return 'index'


@app.route('/user')
@login_required
def user():

 return render_template('upload.html')

# 用户上传的文件视图处理，在此处返回请求给nginx
@app.route('/upload/<filename>')
@login_required
def upload(filename):

 return send_file('upload/{}'.format(filename))


@app.route('/login')
def login():
 session['login'] = True
 return 'log in'

@app.route('/logout')
def logout():
 session['login'] = False
 return 'log out'


if __name__ == '__main__':
 app.run(debug=True)

Simple deployment

gunicorn -w4 -b0.0.0.0:8888 app:app --access-logfile access.log --error-logfile error.log