I have 2 servers for one site. First server have php and mysql but second server only have php (is download host).
My site is about selling videos and because the first server is restricted (Monthly traffic and space), I need to upload videos on second server. All videos must be have dynamic link and all links must be disposable.
Example:
User1 bought video abc, this user have below link to download: http://example.com/1enewk3hd (refers to
http://example.com/files/video_abc.mp4)
User2 bought video abc, this user have below link to download: http://example.com/sddfse445 (refers to
http://example.com/files/video_abc.mp4)
Users must be can't download video by real link http://example.com/files/video_abc.mp4
My Questions
Is able this scenario on 2 server (without mysql) by PHP and htaccess?
If yes, Please guide me what's the best way to authentication user on
second server then access to download file (without mysql)
On some sites, When user logged in on server 1, can download from
server 2. If logout from server 1, then can't access to server 2.
How do this? We can't use session from server 1 on server 2!
Let the first server do the authentication.
Create on the first server links, which are valid for x minutes. Protect that link for manipulations with a hash.
hash=sha256(validuntil+shared secret on both servers)
Sample:
https://server2/video_abc.mp4?validuntil=2017-08-07_160000&hash=ABC123EF5244
(in my sample i would also use mod_rewrite for a nice url)
Now redirect the client to the new server with the generated link.
A php script validates the query parameter "validuntil" and "hash" by using the shared secret. then check if validuntil is expired or not.
if not stream the file. do not place the streamed files into the webroot.
They are send by the php script with readfile or by your webserver if you are able to use x-sendfile header.
Related
I sell video in my website. users must pay to have access to files (to download or stream them online)
problem: the video files are not on my main server! i store them on another server.(special server for download. i don't want to use the bandwidth of my main server) i don't want to provide the users with the direct link. (not to let them share the links with others...). how can i let them to download the files or stream the videos without giving them the direct links?
points:
- I can not have database(mysql) in my download server.
- i don't want to use the bandwidth of my main site. just checking payments and controlling user accounts.
- streaming is not so important. but i have to let them download the files.
- i have seen in woo commerce plugin(wordpress) which creates temporary download links even for remote server. i checked solutions for temp download link but all works for the same server not remote one....
The easiest way I think this could happen is:
The public server must be able to establish an SSH (preferably) connection to the other server with appropriate permissions.
Upon successful request, create a random symlink pointing to the original file.
Store the symlink filename in a database, and save the user's IP as well - or some other unique identifier (or md5'd IP + User Agent - it's up to you).
If the request is valid (matches the record in the database), let him download the file. Otherwise redirect him to an error page.
Set up a cron to delete symlinks older than X hours.
So, here's my scenario:
I have a site where I can stream a live video feed from. The site is hosted using Apache, PHP, and MySQL. Users can log in to get access to the site through accounts stored in a mysql db. When going to the page where a user can actually watch the stream, the site is using jwplayer to load() a specific URL. The stream itself comes from an internal server process on another port. However, due to jwplayer being instantiated on the client side, I must pass a URL to it that is accessible remotely. For right now, I'm using Apache ProxyPass to proxy this url to the internal server process and that works just fine. The problem is that anyone could simply type in this url passed to jwplayer into VLC (as an example) and get the stream no problem.
Is there a way I can "proxy" a request to the internal server process using PHP where I can first authenticate the current user from the mysql db?
I've tried using Basic Apache Auth on the specific url path and that DOES prompt for a basic auth username and password. That works to prevent someone from hot-linking to my stream in VLC. However, I don't want users to have to use the basic auth login style and I'd like to continue using my mysql db authentication system. Is there a simple way that I can authenticate a user for the Apache Basic auth from a successful login to a PHP page?
Thanks.
I have an ASP page, in which the user chooses a value (e.g drawingId) from a list box, and according to this value, ASP builds/calculates a file path, e.g. c:\drawings\file1.pdf, in order to show this pdf file to the user. This path refers to the client's computer, where these pdf files are stored. The server queries the database and knows only the association between the drawingId and the path at the client's computer.
How can I open this pdf file?
I've read similar questions, like How can my web application written in Java open a file on the client side? or Can javascript access a filesystem?, but I haven't understood how to proceed.
I would like this to work with all browsers and also implement this functionality in a PHP site.
Use file:///
e.g. file:///c:/filename.pdf
Well I guess after user selects option from a list box, you could construct the path and redirect user to that path which should open the pdf file
eg.
file:///C:/foldername/filename.pdf
it not possible to open client side file from server side code as it running at server side, also due to some security reason browser does not allow to browse client location
refer link Open local folder from link
I have a bucket with files in it in AS3. I have access to the PHP API and a server that can send requests to Amazon on command.
What I want to do is grant access to a file in my bucket using an HTTP GET/POST request. From what I understand using this function:
get_object_url ( $bucket, $filename, $preauth, $opt )
I can make the file publicly accessible for the $preauth amount of time at a given URL. I don't want to do that, I want the file to be privately available at a URL with required POST or GET credentials (deciding who can access the file would be based on a database containing application 'users' and their permissions). I understand the security implications of passing any kind of credentials over GET or POST on a non-HTTPS connection.
Is this possible? I could just download the file from AS3 to my server for the extent of the transaction then do all the controls on my own box, but that's an expensive solution (two file downloads instead of one, when my server shouldn't have had to do a download at all) to a seemingly easy problem.
The short answer is no.
You could look at Amazons IAM for some more ways to secure the content especially in conjunction with Cloudfront but essentially there is no way to provide access to content by passing along a username and password.
Of course, if you are already authenticating users on your site, then you can only supply the signed url to those users. The url only has to be valid at the time the user initiates the download and not for the entire duration of the download.
Also, if you intend to use your server as a proxy between S3 and the user you'll be removing a lot of the benefits of using S3 in the first place. But you could use EC2 as the server to remove the extra cost you mentioned - transfers between S3 and EC2 are free.
I would like to start a upload and download website for huge files (up to 1gb). I thought that it would be better to download the files using FTP (with PHP), because this protocol is especially used for these types of transfers.
The cliƫnt gets an email, including a download link to download the file (like yousendit.com). When they click on the link a download box appears. My problem is that I don't know how to show a download box using ftp and php. I have read that it isn't possible to immediately download a file by PHP, using FTP. Is this correct?
Do I have to create a temporary files on the server to let the client download the file? If yes, is this also a good solution for huge files?
What do you advice me to give the clients the possibility to download these huge files?
Thanks for your reply!
You can generate unique address based on session_id (create this folder on runtime and move huge file there) and redirect user to this link
For example, you have file huge.tgz
1. Send you client link http://***/user/john/file/huge.tgz
2. Ask user for auth in this page if they lost session
3. get session id
4. create on your server folder with name equals session id and move huge.tgz here
5. redirect user to unique ftp link ftp://***/17oe5kf8iYmpt66bjs89hcuo83/huge.tgz
You should disallow list files and directories on ftp server
Can't you send them an FTP link ? Why do you need PHP?
ftp://ftp12.freebsd.org/pub/FreeBSD/ls-lR.gz
You probably want to use PHP to handle everything but the file transfer. Once you have done all the checks you want you can redirect the browser to the file specifying the protocol as ftp. though you won't be able to have a progression bar in your site, the browser/ftp app will probably display one.