Welcome Guest, Not a member yet? Register   Sign In
[Resolved] Securely Access files from other server
#1

[eluser]madeks[/eluser]
Hi all,

I need some help or idea to archive this work.

The situation is this.
I have 2 servers, one is a server to run the website and one for storing a file.
This main server will need to return a digital file from another server.
The file from another server will be returned to the user by the header as a bytes transfer, not via http.

The file should not accessible via http. I mean the real file cannot access by http but the returned file will be via http.

For example, user login to the website and click to download file, the website return a file to save.


I have some idea from the top of my head.
1. I put one script on the new server to check and run all secure logic and return the correct file.
The problem is I think this file cannot read the session from the main server?
So it will need another login to get user information. It is preferred.

2. Some server configuration that allow the script on the main server to access a file from another server? Not sure this is possible?

3. Make the file accessible via internet some how but only allow 1 IP (the main server ip) to access it. Not sure maybe with HTACCESS?


Those 3 options still not look good to me.

I think there should be a better way to do it.
Anyone had been done this kind of application before or any idea about it?


Thanks in advance.
#2

[eluser]TheFuzzy0ne[/eluser]
Can you set up some kind of authentication system, where server 1 can activate a download for a specific IP/username on server 2, so your users get the download directly from server 2?
#3

[eluser]madeks[/eluser]
Yes, That is close to what I say in option 1.

Is it ok to send the information like username and password over http post?

Do I need a https?

I'm not so sure about https just know that it will do some encryption.
#4

[eluser]TheFuzzy0ne[/eluser]
So long as the data you're sending is not of a sensitive nature, there shouldn't be a problem. You could even encrypt the data with the encrypt library before sending, and just decrypt it at the other end. Obviously, you'd need to have the same encryption key on both machines, but if the data intercepted by anyone with malicious intent, it would just be a load of worthless gobbledy-gook which would take several lifetimes to decrypt.
#5

[eluser]madeks[/eluser]
You make a perfect sense on this. How could I forget PHP encryption.

I will encrypt all information and sending it via http post method and decrypt it in another server.

On another server I will check the IP first to only allow the IP from my web server and then decrypt the post text for authenticate.


Thanks for the help TheFuzzy0ne.
Thanks to CI too.
#6

[eluser]TheFuzzy0ne[/eluser]
Please be advised, however, that IP addresses can be spoofed, so I'd suggest that you only offer access via a certain IP for a limited time, before making the session expire. Also, if both servers are on the same domain, it's possible to share a cookie, by setting the cookie domain as .yourdomain.tld (not the leading .). You should then be able to access the same cookie from both server.

Come to think about it, that's what you were asking for originally, but it just went way over my head. If you encrypt your cookies, you should be able to set all of the necessary data in the cookie on server 1 as flashdata, and server 2 can read that flashdata before it expires.
#7

[eluser]madeks[/eluser]
TheFuzzyOne,

Thanks for you last advice.

I think this is more complex than I thought.

First I try to use the cURL to connect to the script from the file server and make the script to return the file by setting it header.

The caller script that get the result just send it to the user with the header setting.

This seems to work with small file because I realized that this way what is happen is the web server load the file and then send it to the user. It is not practical and impossible for a huge file (more than 1GB).

You last suggest have some issue with me because it is a different server and domain.
I don't think it can share the same cookie?

Anyway I'm trying this. I use the cURL to call the scirpt on the file server to authenticate and let it make the cookie for there own.

BUT... this is not working. The script on file server cannot create a cookie. May be it is created a cookie but store on the web server?

I feel like fall in to a dark hole again.
What I have right now is put a trigger like hidden iframe at some stage of the user and send the request to the file server script to authenticate and build the cookie. I quite sure this way will work but this create more problem because it affect some business logic of the website and may not work well.


What do you think?
#8

[eluser]TheFuzzy0ne[/eluser]
I was trying to suggest that your users download the file straight from server 2, as transferring the file from one server to another could cause a slow down, especially if they aren't on the same local network. The way I had in in my mind, would work something like this:

Do whatever authentication you need to on server 1
Server 1 sends a request to server 2 containing the a key (an MD5 hash of the date with the microtime should be fine).
Server 1 redirects over to server 2, using the key in the URL
Server 2 validates the key against the database, and if it's valid, initiates the download, and removes the entry from the database (before the download starts). I'd also suggest a 30-60 second expiration on the keys, so if the download is not started, it's removed from the database.

Does that help you at all?




Theme © iAndrew 2016 - Forum software by © MyBB