Django cross-domain media with authentication
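Situation: You serve media files from a different domain than your main web application domain (a good idea). You want to use nginx's internal redirect (X-Accel-Redirect) to authorize the delivery of media files.
Problem: You have no access to the user's session on the media domain, so you cannot authenticate or authorize media access there.
Solution: You handle this with media URLs that carry an expiring token. The token temporarily authorizes access and is refreshed via redirects when needed.
HTTP view
Here is how it works in HTTP: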
- -> GET media.example.org/path/file.pdf
- <- 302 www.example.com/path/file.pdf
- -> GET www.example.com/path/file.pdf
- If not authorized <- 403
- If authorized <- 302 media.example.org/path/file.pdf?token=XYZ
- -> GET media.example.org/path/file.pdf?token=XYZ
- <- 200 file.pdf
- After expiry -> GET media.example.org/path/file.pdf?token=XYZ
- See step 2
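The flow above, as an added sketch that is not code from django-crossdomainmedia: a standard-library HMAC token bound to the file path and an expiry lets the media domain authorize a request without a session. The key, TTL, token format and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumptions for this sketch (not from the page): key, TTL, "expiry:hexmac" format.
SECRET_KEY = b"constructed-demo-key"
TOKEN_TTL = 60  # seconds
SITE_URL = "https://www.example.com"
INTERNAL_MEDIA_PREFIX = "/protected/"


def _mac(path, expires):
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(path, now=None):
    """Runs on www.example.com after the session-based check has passed."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expires}:{_mac(path, expires)}"


def token_is_valid(path, token, now=None):
    """Runs on media.example.org; needs only the shared key, no session."""
    try:
        expires_s, mac = token.split(":", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    # Verify the MAC (constant-time) before trusting the expiry it covers.
    if not hmac.compare_digest(mac.encode(), _mac(path, expires).encode()):
        return False
    return (now if now is not None else time.time()) < expires


def media_response(path, token=None, now=None):
    """Media-domain decision: hand off to nginx or bounce to the auth view."""
    if token_is_valid(path, token, now):
        internal = INTERNAL_MEDIA_PREFIX + path.lstrip("/")
        return 200, {"X-Accel-Redirect": internal}
    # Missing, forged, expired, or issued for another file: back to step 2.
    return 302, {"Location": SITE_URL + path}
```

Because the path is part of the MAC input, a token copied from one file's URL does not authorize another file, and an expired token only costs the client one extra redirect round trip.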
Usage in Django
# Development
MEDIA_URL = '/media/'
# Production
MEDIA_URL = 'https://media.example.org/media/'
INTERNAL_MEDIA_PREFIX = '/protected/'

from django.urls import reverse
from django.views.generic import DetailView

from crossdomainmedia import (
    CrossDomainMediaAuth, CrossDomainMediaMixin
)


class CustomCrossDomainMediaAuth(CrossDomainMediaAuth):
    '''
    Create your own custom CrossDomainMediaAuth class
    and implement at least these methods
    '''
    SITE_URL = 'https://www.example.com'

    def is_media_public(self):
        '''
        Determine if the media described by self.context
        needs authentication/authorization at all
        '''
        return self.context['object'].is_public

    def get_auth_url(self):
        '''
        Give URL path to authenticating view
        for the media described in context
        '''
        obj = self.context['object']
        # Return (not raise) the URL path of the authenticating view
        return reverse('view-name', kwargs={'pk': obj.pk})

    def get_media_file_path(self):
        '''
        Return the file path relative to MEDIA_ROOT
        '''
        obj = self.context['object']
        return obj.file.name


class CustomDetailView(CrossDomainMediaMixin, DetailView):
    '''
    Add the CrossDomainMediaMixin
    and set your custom media_auth_class
    '''
    media_auth_class = CustomCrossDomainMediaAuth

Some other useful methods
# Get your media URLs with token outside of view
mauth = CustomCrossDomainMediaAuth({'object': obj})
mauth.get_full_media_url(authorized=True)
# Send file via nginx internal redirect response
mauth.send_internal_file()
Nginx config
This is what an nginx config could look like.
server {
    # Web server with session on domain
    listen 443 ssl http2;
    server_name www.example.com;
    # ...
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...
        # Placeholder: nginx requires a full URL here (http://<your upstream>)
        proxy_pass wsgi_server;
    }
}
server {
    # Media server with no session on domain
    listen 443 ssl http2;
    server_name media.example.org;
    # ...
    location /media/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...
        # Placeholder: nginx requires a full URL here (http://<your upstream>)
        proxy_pass wsgi_server;
    }
    location /protected {
        # Only reachable through X-Accel-Redirect, never by a direct client request
        internal;
        alias /var/www/media-root;
    }
}