Cross-Domain Media with authentication for Django
The situation: You serve media files from a different domain than your main web application domain (good idea). You want to use nginx's internal redirect (X-Accel-Redirect) to authorize media file delivery.
The problem: You don't have access to the user's session on the media domain and can't authenticate or authorize media access.
The solution: You handle media URLs with an expiring token attached which temporarily authorizes access and can be refreshed via redirects when needed.
HTTP View
Here's how it works in HTTP:
- -> GET media.example.org/path/file.pdf
- <- 302 www.example.com/path/file.pdf
- -> GET www.example.com/path/file.pdf
- if not authorized <- 403
- if authorized <- 302 media.example.org/path/file.pdf?token=XYZ
- -> GET media.example.org/path/file.pdf?token=XYZ
- <- 200 file.pdf
- after expiry -> GET media.example.org/path/file.pdf?token=XYZ
- See step 2
Use in Django
# Development
MEDIA_URL = '/media/'
# Production
MEDIA_URL = 'https://media.example.org/media/
INTERNAL_MEDIA_PREFIX = '/protected/'from crossdomainmedia import (
CrossDomainMediaAuth, CrossDomainMediaMixin
)
class CustomCrossDomainMediaAuth(CrossDomainMediaAuth):
'''
Create your own custom CrossDomainMediaAuth class
and implement at least these methods
'''
SITE_URL = 'https://www.example.com'
def is_media_public(self):
'''
Determine if the media described by self.context
needs authentication/authorization at all
'''
return self.context['object'].is_public
def get_auth_url(self):
'''
Give URL path to authenticating view
for the media described in context
'''
obj = self.context['object']
raise reverse('view-name', kwargs={'pk': obj.pk})
def get_media_file_path(self):
'''
Return the file path relative to MEDIA_ROOT
'''
obj = self.context['object']
return obj.file.name
class CustomDetailView(CrossDomainMediaMixin, DetailView):
'''
Add the CrossDomainMediaMixin
and set your custom media_auth_class
'''
media_auth_class = CustomCrossDomainMediaAuthSome other useful methods
# Get your media URLs with token outside of view
mauth = CustomCrossDomainMediaAuth({'object': obj})
mauth.get_full_media_url(authorized=True)
# Send file via nginx internal redirect response
mauth.send_internal_file()Nginx config
This is how an Nginx config could look like.
server {
# Web server with session on domain
listen 443 ssl http2;
server_name www.example.com;
# ...
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
# etc...
proxy_pass wsgi_server;
}
}
server {
# Media server with no session on domain
listen 443 ssl http2;
server_name media.example.org;
# ...
location /media/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
# etc...
proxy_pass wsgi_server;
}
location /protected {
internal;
alias /var/www/media-root;
}
}
