The Drupal documentation has an example of using a private path like ../private (https://drupal.org/documentation/modules/file), but this type of private path generates an unusable configuration for Nginx. I modified the code to check the type of private path and generate a correct configuration.
For Xsendfile (for Apache), the latest version has no XSendFileAllowAbove directive; there is now XSendFilePath instead. I modified the code to create an example configuration for this too.
For Xsendfile: I tested the xsendfile_file_transfer() function, but it does not work for me. If I use the full (real) path for the X-sendfile header, files are transferred successfully.
Comment | File | Size | Author |
---|---|---|---|
#4 | xsendfile-private_outside_docroot-2008728-4.patch | 5.56 KB | thrnio |
#1 | correct-nginx-and-xsendfile-config-2008728.patch | 5.04 KB | havran |
Comments
Comment #1
havran commented: Patch attached.
Comment #2
imadalin commented: I get this one too in the error log; there is no XSendFileAllowAbove in the mod_xsendfile module.
Comment #3
damien_vancouver commented: @havran: Thanks for your patch. I will try and get it tested and committed soon.
@imadalin: Your problem is that you need to use XSendFilePath instead of XSendFileAllowAbove.
Here is the snippet I put in my Apache virtualhost files for XSendfile. Lines starting with # are comments and ignored by Apache. You will want to adjust the XSendFilePath to match the path to your private files directory.
If there is a problem with the path, the Apache error log will print out the path that it was trying to use. You can compare it to what's in your Apache virtualhost to diagnose a problem. It must match the real filesystem path (not a symbolic linked path) exactly.
Comment #4
thrnio commented: For the status report, xsendfile tests to see if the private directory is publicly accessible. When the private files directory is outside the docroot, xsendfile will request a URI like http://example.com/../private-files. If Apache returns a 400 Bad Request code when given a URI with /../ in it, then the status report says that the private files directory is publicly accessible.
Updating patch to check for any 4xx status code instead of 404 explicitly.
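
The following PHP is an added example, not taken from the thread, the module, or either patch. It resolves a docroot-relative private path such as ../private to the real absolute path a web server directive needs, and classifies the status-report probe so that any 4xx counts as not publicly accessible. All function names are hypothetical, the directory layout is constructed, and the handling of non-4xx codes is an assumption.

```php
<?php
// Added illustration; function names are hypothetical, not the module's API.

// Resolve a configured private path (absolute, or relative to the docroot
// such as "../private") to its real absolute path. realpath() collapses ".."
// and follows symlinks; it returns false if the path does not exist.
function example_real_private_path(string $docroot, string $configured): ?string {
  $isAbsolute = $configured !== '' && $configured[0] === '/';
  $real = realpath($isAbsolute ? $configured : $docroot . '/' . $configured);
  return $real === false ? null : $real;
}

// True when $path is the docroot itself or lies below it (both real paths).
function example_inside_docroot(string $docroot, string $path): bool {
  return $path === $docroot || strpos($path, $docroot . '/') === 0;
}

// Interpret the HTTP status returned when the private directory is probed.
// Any 4xx (400 for "/../", 403, 404) means the server refused the request.
// Treating 2xx as exposed and everything else as inconclusive is an
// assumption of this example.
function example_probe_verdict(int $status): string {
  if ($status >= 400 && $status <= 499) {
    return 'not publicly accessible';
  }
  return ($status >= 200 && $status <= 299) ? 'publicly accessible' : 'inconclusive';
}

// Constructed demo layout: <tmp>/docroot and a sibling <tmp>/private.
$base = sys_get_temp_dir() . '/xsendfile_demo_' . getmypid();
mkdir($base . '/docroot', 0700, true);
mkdir($base . '/private', 0700, true);
$docroot = realpath($base . '/docroot');
$private = example_real_private_path($docroot, '../private');

printf("real private path: %s\n", $private);
printf("inside docroot:    %s\n", example_inside_docroot($docroot, $private) ? 'yes' : 'no');
foreach ([200, 400, 403, 404, 500] as $status) {
  printf("probe HTTP %d -> %s\n", $status, example_probe_verdict($status));
}

rmdir($base . '/private');
rmdir($base . '/docroot');
rmdir($base);
```

The demo assumes a Unix-style filesystem with "/" as the path separator.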