I'm building a MYSQL database driven website on a AWS EC2 instance. Users can submit their data and we will automatically create a web page for them. The webpage will display their submitted data including a photo. Upon original submission of the user's data, we store the photo in S3 using AWSSDKforPHP. When their information is approved by an administrator a webpage is created via a php script.
I've tried the method of generating a signed url. This however requires a expiration time. Is there a way around this? It also includes your access and secret key in the request. Not sure if that is the most secure way to do things. I'd like the method to be as secure as possible so I don't want to make the bucket public. Unless there is a way to make the stored images available only for viewing.
What's the best method to use in a situation like this? Thanks for your help!!
Basically URLs to amazon S3 buckets are s3.amazonaws/bucket_name/key_name all you need to do is make sure the content on those buckets is publicly available and that mime type for those keys is indeed image (image/jpeg or image/png)
I used this web tool to manage my site. I opend my bucket just to its ip and now i can control the restriction from the tool, for the basic viewer I gave read access only
Related
I have to build an application where users can download videos from a site but cannot share them. My first solution is to save these files in a hidden location on the users computer since one of the requirements is that the user should be able to watch the downloaded videos offline.
Please how do I go about saving a file in a location the user cannot see using php.
Thanks.
One solution is to generate token for each request for a video. That token would have its lifetime. Php script should be serving the content instead of giving direct access to resource to user. The script should check if the token is still active before serving the content.
It is up to you how to pass the token. The simplest way is to make it contained in uri.
No matter where you put your videos in your directory structure, you always send the data as a partial request. Once data is acquired by the user, it could be saved an reproduced.
There are techniques, however, to protect your video from direct download through curl, wget or other ways of download. And this is using a secure token and an expiration, passed as parameters. This way your video download window will be limited and generating the token manually would be pretty hard.
Chidiebere Onwunyirigbo, its a Great Question. One solution for your requirement is Steganography. It is the process of concealing your data (videos) behind other files (multimedia files like image, audio, video), in your case preferable would be Image Steganography. It is quite a old technology but new to many, you can get several ready tools/code for it on the internet which you can customize as per your need. From your side you have to provide the file that is already embedded inside the image for download. Only the tool coded for retrieval and rendering the hidden video can render your video. So, for this part all the users of your site have to first download this desktop application from your site for viewing the video. This will keep your videos safe on the users computer offline, because every user who takes the video will require the reverse steganography tool to be downloaded from your site. You can even embed secret info like users IP inside the Stego image along with the video and for each tool download, associate user computer's IP with the tool. If IP embedded inside Stego image matches with that of tool only then you allow to play else redirect application to get it registered. But the limitation would be that, the users will have to download your application and will be able to view videos only on your desktop application which will render the Steganographed video.
You cannot hide information on the user computer. Even if your process are running on a windows comp as SYSTEM user, a power user can take ownership of the files.
The only solution you have, are developing or using a known DRM system, for allowing only playing the video on a determined computer or another specifications (for example, if the program have the authentication token of some user).
At any case, you need to do two things for this:
- You need a custom application to play the video, if you want to check DRM.
- You need to recode / modify something on the video before download, for adding on them a code for allow only play on the destination computer or data used for authenticating DRM.
I am creating an API-centric web application using PHP. I have read a lot of articles on API-centric arhitecture and design, but I have a problem related to file uploads.
Suppose I have an image and I want to upload it to the API server. How should I upload that image and how then to receive the link to that image?
Here is how I want to create it now:
Select an image using <input type="file"> on client www.domain.com
Upload it to the www.domain.com using POST with multipart/form-data
Send this image with PUT/POST API call to the api.domain.com
api.domain.com will save this image to another server like static.domain.com and will store image's id in the database
Then, when I will need this image, I can use GET API call to the api.domain.com and I will receive image's url (something like static.domain.com/image.jpg)
Aditional questions:
Is this approach the right one or I am doing completely wrong?
Will I need an aditional server to store uploaded files if my application will be small, or I can store files right on the API server?
If I will store images on same server as API server, won't it be strange if image urls will look like api.domain.com/image.jpg?
P.S: We can skip a lot of API-related things as I need only an idea on how to deal with file uploads.
You haven't really said what kind of API that you are going to be implementing here, so I assume that it is just a restful API.
Is this approach the right one or I am doing completely wrong?
No, I wouldn't say you're doing it wrong. You would essentially send the file using POST.
Will I need an aditional server to store uploaded files if my application will be small, or I can store files right on the API server?
Yes, it will allow you to store this on the same server, I don't see why not. I doubt that you will use a lot of storage, if the application is small.
If I will store images on same server as API server, won't it be strange if image urls will look like api.domain.com/image.jpg?
The api.domain.com/image.jpg technically is just the URL that you connect to the API with and GET/POST data. It does not mean the file is going to be that URL. The API could return like:
{
type: "IMG",
id: "1",
url: "example.com/uploads/image.jpg"
}
I hope this this helps, even a little!
I am working on file sharing for objects stored on amazon S3.Now the path for the object stored on S3 is default like this https://s3.amazonaws.com/bucket_name/path_to_file/file_name.jpg/docx etc.Now I want to share these file URLs via email through my app.
Currently when I share I see the entire URL as is in the email.I want it to be sent in an encoded form so that its hard to guess the exact location of the file.
I am using PHP and I was planning to use base_64_encode/decode functions or md5 the URLs but not sure if thats the right way to go.
So,I am looking for some tool or API (by amazon ot 3rd party) that can do it for me.
I would also like to shorten the URLs while sharing.
Would like to seek advice and guidance from someone implemented something similar.
Not sure if it comes under URL-REWRITING but tagging it under it.
Thank you
You have two options to do this:
You can map your url and s3's url in your server, and give your url to user. When user make request to your url, redirect it to s3's. You can ref http://en.wikipedia.org/wiki/URL_redirection
You can call API provided by url redirect service provider, e.g. tiny.cc/api-docs
I need to know a method to upload a video to a VIMEO PRO account using a form and PHP (to get auth). Currently I can send a video directly to Vimeo, using the panel, as was to be expected. But I have some clients that want to upload your videos directly from my their control panel (created by me), outside of vimeo, and I have only a unique PRO account, and I can't share the account data.
Seems that I can do it, based on the page API https://developer.vimeo.com/apis/advanced/upload#post (Uploading via POST).
My doubts are:
Can I really do that, without pass to my clients the Vimeo PRO account data?
It's a secure method (considering that clients respect the agreement with Vimeo)?
I need to upload DIRECTLY to Vimeo, without pass to my server, because I'll have two works: one to upload to server, other to upload from server to vimeo.
Off-topic: I believe I will not have problems with Vimeo, since they are customers of one company, and the account belongs to the company, and the videos will be her responsibility.
How should work
User access my panel, with your credentials;
User access the video upload page;
Probably the server will contact Vimeo to get an uploader auth;
User will select your vimeo file and submit form;
System will receive the vimeo ID and everyone will be happy forever.
Thanks!
Edit: This feature is now supported by Vimeo's (in beta) API3. You can request access at https://vimeo.com/help/contact
The below information is still accurate in regards to the Advanced API
This feature is not reliably supported by the advanced api.
The primary issue is that with client side uploads, there is no way to tell the upload server what to do once the upload is complete. Additionally, there is no client side technique to find out whether the upload has completed
You might be able to cheat and have the user upload through an iframe, and have the primary page perform a verify chunks call every couple of seconds. I have not tried this, at the moment it is just a theory. If you attempt this hack, Vimeo would love to know more via their contact page https://vimeo.com/help/contact
The feature you are discussing is on the roadmap for the next version of the API, and an early imperfect version was available at their API Hackday. It might be a better idea to hold off a bit and wait for the official feature.
NOTE: This observation does NOT apply to server side uploads. Because the whole upload process is handled via code on the server, it is extremely easy to tell when an upload is complete.
Answering in 2016: Assuming you have already retrieved an access token from Vimeo (OAuth2) this is a good piece of code to help you create an upload form:
https://github.com/websemantics/vimeo-upload
This gives you the code for the form with a place to drag-drop your video file and calls the upload API:
If you're using WordPress, there is a plugin available that allows you to do just that
http://vimeography.com/add-ons/vimeography-upload/
Source: I made it :)
I must say this is the first time I ask anything here, and I'm not a developer, so please be patient with my lack of knownledge. This requirement is for a website I am creating with some friends, so it's not that I'm making money with this.
This is the problem: I want to implement some kind of restriction to downloads, very much in the same way Rapidshare or any other file sharing service does:
The user should be able to download only 1 file simultaneously
The user should wait before being able to download another file, let's say 2 hours.
However, I am not trying to create a file sharing website. I am going to upload all the files to Amazon S3, and the only thing I need is to be able to restrict the downloads. I will create the links to the files. I don't care if users are registered or not, they should be able to download anyway.
The website is built in Joomla!, which uses Apache + MySQL. The files would be located at Amazon's servers.
My question is the following. Is there any way to implement this in a not-so-extremely-complicated way? Do you know some script or web-service that could help me get this done?
I have looked around, but the only thing I've found are Payment gateways, and we don't plan to charge for downloads.
Any help will be much appreciated.
Thanks!
UPDATE: I solved this problem using this script: http://www.vibralogix.com/linklokurl/features.php
As far as I know, there is no way to check on the current status of a download from S3. Having said that, S3 really does have plenty of bandwidth available, so I wouldn't worry too much about overloading their servers :) Just last week, Amazon announced that S3 is now serving an average of 650,000 objects / second.
If you want to implement something like #Pushpesh's solution in PHP, one solution would be to use the Amazon SDK for PHP and do something like this:
<?php
#Generate presigned S3 URL to download S3 object from
# Include AWS SDK for PHP and create S3
require_once("./aws-sdk/sdk.class.php");
$s3 = new AmazonS3();
# Let S3 know which file we want to be downloading
$s3_bucket_name = "yours3bucketname";
$s3_object_path = "folder1/object1.zip";
$s3_url_lifetime = "10 minutes";
$filename = "download.zip";
#Check whether the user has already downloaded a file in last two hours
$user_can_download = true;
if($user_can_download) {
$s3_url = $s3->get_object_url($s3_bucket_name, $s3_object_path, $s3_url_lifetime, array('response' => array('content-type' => 'application/force-download', 'content-disposition' => 'attachment; filename={$filename}')));
header("Location: {$s3_url}");
}
else {
echo "Sorry, you need to wait a bit longer before you can download a file again...";
}
?>
This uses the get_object_url function, which generates pre-signed URLs that allow you to let others download files you've set to private in S3 without making these files publicly available.
As you can see, the link this generates will only be valid for 10 minutes, and it's a unique link. So you can safely let people download from this link without having to worry about people spreading the link: the link will have expired. The only way people can get a new, valid link is to go through your download script, which will refuse to generate a new link if the IP/user that is trying to initiate a download has already exceeded their usage limit. It's important that you set these files to private in S3, though: if you make them publicly available, this won't do much good. You probably also want to take a look at the docs for the S3 API that generates these pre-signed URLs.
Only 2 ways comes to my mind - you either copy a file with unique hash and let apache serve it.. then you don't have any control over when user actually ends his download (or starts). Useful for big files. Another way is to pass it through php. Still, you would need to kill download session in case user stops download.
If there is no plugin for that you won't be able to do it the easy way by adding a script or copy & paste "some" code.
So either hire somebody or you'll need to learn what you need to approach the task an your own, in other words learn how to program. Your question already contains the steps you need to implement: Record who is downloading what and when and keep track of the status of the download.
I have not tried to track a download status before but I'm not sure if it is possible to get the status somehow directly from the server that is sending the file. But you can get it from the client: Download Status with PHP and JavaScript
I'm further not sure if this will work properly in your scenario because the file will come from S3.
S3 itself has a so called feature "query string protection":
With Query string authentication, you have the ability to share Amazon
S3 objects through URLs that are valid for a predefined expiration
time.
So you need to lookup the S3 API to figure out how to implement this.
What you could try is to send an ajax request to your server when the user clicked the download link, send the amazon s3 link your server generated back as a response and have the client side javascript somehow trigger that file download then.
You can monitor user downloads by their ip address, store it in a database along with the time at which the user downloaded and the session id (with hashes of course) and check this before each download request. If the current time is less than 2 hours within the same session, block requests, else give them the download.
Table Structure:
Id Ip_Addr Session_Hash Timestamp
1 10.123.13.67 sdhiehh_09# 1978478656
2 78.86.56.11 mkdhfBH&^# 1282973867
3 54.112.192.10 _)*knbh 1445465565
This is a very basic implementation. I'm sure more robust methods exist. Hope this helps.