Serving protected static media from django/nginx + streaming from a 3rd party app

We want to serve protected media from django, using something similar开发者_如何学JAVA to the django nginx x-accel-redirect setup.

The only problem is that the static files are not located on the public facing django/nginx machine, but in a internal machine that streams the file via http/rest api.

Currently we download the file on the nginx machine and serve it via nginx x-accel-redirect, but we want to optimize this part and looking for options. x-accel-redirect has known problems with files that are streamed from another source.

We are contemplating using django itself as a quasi buffer, but are open to other options as integrating something like whizzer/twisted, or maybe even having another service altogether.

What would be the best option for serving those static files and preserving security?

---

Use: http://www.allbuttonspressed.com/projects/django-filetransfers

Make your own Django storage backend for the internal machine's http/rest api, that returns a File object, and pass that object to filetransfer's server_file function.

That's how I do it in Mayan EDMS https://github.com/rosarior/mayan/blob/master/apps/documents/views.py#L300

django-storages' backends could help you get started.

https://bitbucket.org/david/django-storages/wiki/Home

Update:

Django_resto appears to have an http based storage class

https://github.com/aaugustin/django-resto/blob/master/django_resto/storage.py#L62

---

I had success doing something similar using django-http-proxy. This assumes that the image server is at least as reliable as the django server.

Then in my urls, I simply mapped the url to the http proxy view, something like:

(r'^protected/.*$', 'httpproxy.views.proxy'),

Then configured PROXY_FORMAT accordingly.

---

Implement a simple one-shot signature system in the media machine, using any very thin (django is OK, as it does not need to get to the database) code layer, and x-accel-redirect in nginx.

In the auth machines, generate the correct signature only when the user is allowed to get the resource, and return a 302 to the signed media.

The signature could be time-based, expiring in a fraction of a second, so a sniffer can't use the URL again.

---

You could use lighttpd to handle the streaming. It has a nice module to protect resources with signatures: http://redmine.lighttpd.net/wiki/1/Docs:ModSecDownload

So I'm thinking you could have nginx just proxy to the streaming server (that's lighttpd).

It's pretty easy to cook up the signature, here's a python example: init.py#cl-27">https://bitbucket.org/ionelmc/django-secdownload-storage/src/be9b18701015/secdownload_storage/init.py#cl-27