Serving embedded video files with X-Accel-Redirect to IE 6 browser

Cliff Wells cliff at
Thu Apr 17 02:11:10 MSD 2008

On Wed, 2008-04-16 at 17:55 +0200, Thomas wrote:
> Actually there is nothing fancy in Nginx conf files, simply declare
> the folder that holds the protected content as "internal" so users
> can't directly access it:
> location /files {
>      root /var/www/myapp/files;
>      internal;
> }
> The real magic happens in your app:
> <?php
> $path = $_GET["path"];
> header("Content-Type: video/quicktime");
> header("X-Accel-Redirect: /files/" . $path);
> ?>

It probably doesn't matter much for this particular example (since the
request will be punted to Nginx which will presumably forbid access
outside "root"), but in general you should sanitize anything to be used
as part of a filesystem path:

$path = realpath($_GET["path"]);

This is to prevent requests like: 



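Added example, not part of the original post or the nginx project: one way to confine a request-supplied path to the protected directory before sending X-Accel-Redirect. It canonicalizes with realpath() and then checks that the result still lies under the base directory. The function name, the temporary directory tree and the request values are constructed for illustration, and POSIX path separators are assumed.

```php
<?php
// Added example (hypothetical names): confine a request-supplied path to the
// protected directory before emitting X-Accel-Redirect.

// Returns the path relative to $baseDir when $userPath resolves to a regular
// file inside it, or null when the request must be refused.
function resolve_protected_path(string $baseDir, string $userPath): ?string
{
    // Empty input and NUL bytes are never valid in a file name.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks; it returns
    // false when the target does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Canonicalizing is not confinement: require the base directory plus a
    // trailing separator as prefix, so a sibling such as "files_private"
    // does not pass as being inside "files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return substr($full, strlen($prefix));
}

// Constructed sample tree in a temporary directory (not the page's paths).
$root = sys_get_temp_dir() . '/xaccel_demo_' . bin2hex(random_bytes(4));
mkdir("$root/files/clips", 0700, true);
mkdir("$root/files_private", 0700, true);
file_put_contents("$root/files/clips/demo.mov", 'sample');
file_put_contents("$root/files_private/other.mov", 'sample');
file_put_contents("$root/outside.txt", 'sample');

// Constructed request values: two that stay inside files/, three that do not.
$requests = ['clips/demo.mov', 'clips/../clips/demo.mov', '../outside.txt',
             '../files_private/other.mov', 'clips/missing.mov'];
foreach ($requests as $p) {
    $rel = resolve_protected_path("$root/files", $p);
    echo str_pad($p, 28), ' => ',
        $rel === null ? '404 Not Found' : "X-Accel-Redirect: /files/$rel", PHP_EOL;
}
```

In a real handler the null case would send a 404 response and the non-null case would call header() with the same X-Accel-Redirect value.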