daniel.merino at unavarra
Jun 29, 2012, 5:04 AM
Post #5 of 7
Re: Secure htaccess in a non-SSL Apache (and withoutDigest...)
Given that Apache is serving the file and that we only want to protect
several files placed in a specific folder, your suggestion of adding
some token to the URLs pointing at that folder, and having Apache deliver
them, seems to be a good solution.
You have talked about Perl and mod_perl. I understand that you can
override htaccess to use a self-made bit of Perl code that processes it
and checks the token. Is this right?
I know very little about Apache programming. Do you by chance have some
code example of those 5 lines of Perl that would check the GET URL?
Thanks in advance.
Alex Bligh wrote:
> --On 29 June 2012 10:38:24 +0200 Daniel Merino
> <daniel.merino [at] unavarra> wrote:
>> I'm not sure I understand this approach at all, but anyway, I think
>> it will not be valid for us.
>> Drupal's restricted access to the video works fine, but the moment
>> some authorized user can see the video, he can see the video's URL
>> in the page or in the embed code that we publish for every video.
>> So if that user pastes the URL in the browser, he has direct access to
>> the video. Drupal doesn't notice this access, and it is Apache that must
>> handle it.
>> And Apache's protection is sent in plain text unless we serve the video
>> over SSL.
> The answer here really is 'well don't do that then'. Quite apart from
> anything else, do you really want credentials (even with digest auth)
> over http at all?
> Rather than use http authentication to mediate access to the video, use a
> token (that can be in the GET URL, in a cookie, whatever) to prove that the
> user is authorised to serve that video, and get Drupal / whatever to
> it. Ensure that access via the 'URL' (meaning the URL without the token)
> just does not work. If your token is (e.g.) 256 bits, and linked in the
> manner I described to a particular user, video, and time period, then
> (a) if it is intercepted, the worst that can happen is someone gets
> to one video for 10 second interval, and (b) no user credentials are
> in the plain - you can even hide the username. Guessing 256 bit numbers
> is not easy.
> (re my previous reply, you might want to hash the video name too in
> case that was not obvious)
> I'm not familiar with Drupal but I am with Wordpress, and you'd just
> write a bit of php to do it. If what you are saying is that Apache is
> serving a file, 5 lines of perl and mod_perl can check a GET URL in the
> manner I suggested.
> If you really want to use custom authentication, you can do that either by
> writing your own authentication module (which I've done several times in C)
> or use mod_auth_external or similar. However, be warned: you may find the
> storage format used is fundamentally incompatible (at an algorithm level
> rather than a code level) with digest authentication. You might find it
> easier to switch Drupal to using digest authentication too. I have no
> idea whether that is possible.
Daniel Merino Echeverría
daniel.merino [at] unavarra
E-learning manager - Centro Superior de Innovación Educativa.
Tel: 948-168489 - Universidad Pública de Navarra.
We thought we were going to change the world, and we can hardly even
change mobile phone company. (Forges)
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd
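The token scheme Alex describes above (a 256-bit value bound to a particular user, video and time window, checked before Apache serves the file, with the bare URL refused) as an added worked example. This is not code from the thread or from Drupal; it is written in Python rather than the mod_perl handler being asked for, because the minting and checking logic is the same whichever side implements it. The HMAC-SHA256 construction, the `/videos/` path prefix, the `uid`/`exp`/`tok` query parameters, the 10-second default lifetime and the `SECRET` value are all assumptions made for the example.

```python
"""Time-limited, per-user, per-video access tokens for files that Apache
serves directly. Added example; the token format here is an assumption,
not the scheme from the original thread."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Shared between the issuer (Drupal) and the checker (the Apache handler),
# and known to nobody else. 32 random bytes gives the 256-bit strength
# discussed in the thread. Constructed placeholder; use os.urandom(32).
SECRET = bytes.fromhex("1f" * 32)

VIDEO_PREFIX = "/videos/"  # hypothetical folder Apache serves from


def _mac(secret, uid, video, exp):
    # Bind the token to user id, video path and expiry: changing any one
    # of them, or reusing the token for another video, invalidates it.
    # The newline separator cannot occur in any of the three fields.
    msg = "\n".join([str(uid), video, str(exp)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def mint_url(secret, uid, video, now=None, ttl=10):
    """Issue /videos/<video>?uid=..&exp=..&tok=.. valid for ttl seconds.

    The issuer calls this only after its own access check has passed.
    uid is an opaque numeric id, so the username never appears in the URL.
    """
    now = int(time.time()) if now is None else int(now)
    exp = now + ttl
    query = urlencode({"uid": uid, "exp": exp,
                       "tok": _mac(secret, uid, video, exp)})
    return f"{VIDEO_PREFIX}{video}?{query}"


def check_url(secret, url, now=None):
    """True iff url carries an unexpired token valid for its own path.

    This is what the Apache-side handler computes before letting the
    file be served; any failure means a 403, including the bare URL.
    """
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    if not parts.path.startswith(VIDEO_PREFIX):
        return False
    video = parts.path[len(VIDEO_PREFIX):]
    q = parse_qs(parts.query)
    try:
        uid = q["uid"][0]
        exp = int(q["exp"][0])
        tok = q["tok"][0]
    except (KeyError, ValueError):
        return False  # bare or malformed URL: deny
    if now > exp:
        return False  # an intercepted token is useless after its window
    expected = _mac(secret, uid, video, exp)
    # Constant-time comparison so the check does not leak the MAC bytewise.
    return hmac.compare_digest(expected.encode(), tok.encode())


if __name__ == "__main__":
    t0 = 1_000_000  # fixed clock so the run is reproducible
    url = mint_url(SECRET, 42, "lecture1.mp4", now=t0)
    print(url)
    print("valid now:", check_url(SECRET, url, now=t0 + 5))
    print("valid after window:", check_url(SECRET, url, now=t0 + 11))
    print("bare URL:", check_url(SECRET, "/videos/lecture1.mp4", now=t0 + 5))
    print("other video:", check_url(SECRET, url.replace("lecture1", "lecture2"), now=t0 + 5))
```

Two things the thread implies but does not spell out: the embed code cannot be a fixed URL any more, since a 10-second token has to be minted when the page is rendered for the logged-in user; and the checking side needs only the secret, the video path and the query string, so a mod_perl handler can reproduce the check with Digest::SHA's hmac_sha256_hex and return Apache2::Const::FORBIDDEN on failure, leaving Apache to serve the file on success.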