


Python's Flask framework and Nginx implement static file access restriction functions
Nginx configuration
Ngnix, a high-performance web server, is undoubtedly the darling of the moment. Excellent performance, flexible and scalable, conquering cities and conquering the world in the server field.
Static files are an integral part of most websites. Using Nginx to process static files is also a common way. However, some static files we do not expose to any user under any circumstances. For example, some files provided for users to download, some pictures uploaded by users that involve user privacy, etc. We want users to be able to access it when they are logged in, but not visible to users who are not logged in.
For rough processing, the back-end program can perform filtering. When rendering the page, the user login is verified in the view logic, and then the corresponding page is returned. For example, the following flask code (pseudocode)
@app.router('/user/idcard'): def user_idcard_page(): if user is login: return '<img src="http://files.jb51.net/upload/user/xxx.png'>" else: reutrn '<p>Pemission Denied<p>', 403
But there is another problem with this kind of processing. Static files are processed by nginx. If the hacker finds the absolute address of the file, directly visit http://www.example.com/upload/user/xxx.png It's also possible. It just so happens that these files involve user privacy, such as ID photos uploaded by users. Then the coders don't want the media to report the next day that the well-known website XXX has a vulnerability and that Hacker obtained the user's ID card and other information.
In order to achieve such restrictions, you can use a small function of Nginx----XSendfile. The principle is also relatively simple, probably using request redirection.
We know that if you use Nginx as a reverse proxy for the server front-end, when a request comes in, nginx will catch it first, and then forward it to the back-end program for processing according to the rules, or directly process and return. The former handles some dynamic logic, while the latter mostly handles static files. Therefore, in the above example, if the absolute address of the static file is directly accessed, Nginx will return it directly without calling the user_idcard_page of the backend for logical restrictions.
In order to solve this problem, the XSendfile function provided by nginx simply uses the internal directive. This instruction indicates that only internal requests, that is, requests forwarded by the backend, will be accepted. In the back-end view logic, the X-Accel-Redirect header information needs to be explicitly written.
The pseudo code is as follows:
location /upload/(.*) { alias /vagrant/; internal; } @app.router('upload/<filename>') @login_required def upload_file(filename): response = make_response() response['Content-Type'] = 'application/png' response['X-Accel-Redirect'] = '/vagrant/upload/%s' % filename return response
After such processing, static resources can be redirected. This kind of usage is relatively common, and many download servers can use this method to handle downloads based on user permissions.
Flask
Flask is my favorite web framework. Flask even implements a sendfile method, which is simpler than the above method. I used Vagrant to make a virtual machine and used Flask to achieve the above requirements. The specific code is as follows:
Project Structure
project struct project app.py templates static 0.jpeg upload 0.jpeg
nginx configuration nginx conf
web.conf
server { listen 80 default_server; # server_name localhost; server_name 192.168.33.10; location / { proxy_pass http://127.0.0.1:8888; proxy_redirect off; proxy_set_header Host $host:8888; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # 正常的静态文件 location /static/(.*) { root /vagrant/; } # 用户上传的文件,需要做权限限制 location /upload/(.*) { alias /vagrant/; internal; # 只接受内部请求的指令 } }
Flask code
app.py
from functools import wraps from flask import Flask, render_template, redirect, url_for, session, send_file app = Flask(__name__) app.config['SECRET_KEY'] = 'you never guess' def login_required(f): @wraps(f) def decorated_function(*args, **kwargs): if not session.get('login'): return redirect(url_for('login', next=request.url)) return f(*args, **kwargs) return decorated_function @app.route('/') def index(): return 'index' @app.route('/user') @login_required def user(): return render_template('upload.html') # 用户上传的文件视图处理,在此处返回请求给nginx @app.route('/upload/<filename>') @login_required def upload(filename): return send_file('upload/{}'.format(filename)) @app.route('/login') def login(): session['login'] = True return 'log in' @app.route('/logout') def logout(): session['login'] = False return 'log out' if __name__ == '__main__': app.run(debug=True)
Simple deployment
gunicorn -w4 -b0.0.0.0:8888 app:app --access-logfile access.log --error-logfile error.log

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.

PHP is suitable for web development and rapid prototyping, and Python is suitable for data science and machine learning. 1.PHP is used for dynamic web development, with simple syntax and suitable for rapid development. 2. Python has concise syntax, is suitable for multiple fields, and has a strong library ecosystem.

Python is more suitable for beginners, with a smooth learning curve and concise syntax; JavaScript is suitable for front-end development, with a steep learning curve and flexible syntax. 1. Python syntax is intuitive and suitable for data science and back-end development. 2. JavaScript is flexible and widely used in front-end and server-side programming.

PHP originated in 1994 and was developed by RasmusLerdorf. It was originally used to track website visitors and gradually evolved into a server-side scripting language and was widely used in web development. Python was developed by Guidovan Rossum in the late 1980s and was first released in 1991. It emphasizes code readability and simplicity, and is suitable for scientific computing, data analysis and other fields.

VS Code can run on Windows 8, but the experience may not be great. First make sure the system has been updated to the latest patch, then download the VS Code installation package that matches the system architecture and install it as prompted. After installation, be aware that some extensions may be incompatible with Windows 8 and need to look for alternative extensions or use newer Windows systems in a virtual machine. Install the necessary extensions to check whether they work properly. Although VS Code is feasible on Windows 8, it is recommended to upgrade to a newer Windows system for a better development experience and security.

VS Code can be used to write Python and provides many features that make it an ideal tool for developing Python applications. It allows users to: install Python extensions to get functions such as code completion, syntax highlighting, and debugging. Use the debugger to track code step by step, find and fix errors. Integrate Git for version control. Use code formatting tools to maintain code consistency. Use the Linting tool to spot potential problems ahead of time.

Running Python code in Notepad requires the Python executable and NppExec plug-in to be installed. After installing Python and adding PATH to it, configure the command "python" and the parameter "{CURRENT_DIRECTORY}{FILE_NAME}" in the NppExec plug-in to run Python code in Notepad through the shortcut key "F6".

VS Code extensions pose malicious risks, such as hiding malicious code, exploiting vulnerabilities, and masturbating as legitimate extensions. Methods to identify malicious extensions include: checking publishers, reading comments, checking code, and installing with caution. Security measures also include: security awareness, good habits, regular updates and antivirus software.
