Serving embedded video files with X-Accel-Redirect to IE 6 browser

Cliff Wells cliff at develix.com
Thu Apr 17 02:11:10 MSD 2008


On Wed, 2008-04-16 at 17:55 +0200, Thomas wrote:
> Actually there is nothing fancy in Nginx conf files, simply declare
> the folder that holds the protected content as "internal" so users
> can't directly access it:
> 
> location /files {
>      root /var/www/myapp/files;
>      internal;
> }
> 
> 
> The real magic happens in your app:
> 
> <?php
> $path = $_GET["path"];
> header("Content-Type: video/quicktime");
> header("X-Accel-Redirect: /files/" . $path);
> ?>

It probably doesn't matter much for this particular example (since the
request will be punted to Nginx which will presumably forbid access
outside "root"), but in general you should sanitize anything to be used
as part of a filesystem path:

$path = realpath($_GET["path"]);

This is to prevent requests like: 

"http://mysite.com/downloads.php?path=../../../../etc/passwd".


Regards,
Cliff
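
The check suggested above, as an added example that is not part of the original post. realpath() only canonicalizes a path, so the code below also confirms that the result still lies under the protected directory before emitting the header. The names resolve_protected_path and PROTECTED_ROOT, and the assumption that PROTECTED_ROOT is the directory nginx maps /files/ to on a POSIX host, are not from the thread.

```php
<?php
// Added example, not code from the original thread.
// Assumption: the on-disk directory nginx serves for the internal /files/ location.
const PROTECTED_ROOT = '/var/www/myapp/files';

// Returns the path relative to $root, or null if the request escapes
// $root, names something that is not a regular file, or is malformed.
function resolve_protected_path(string $root, string $userPath): ?string
{
    // NUL, CR and LF never belong in a path or in a header value.
    if ($userPath === '' || preg_match('/[\x00\r\n]/', $userPath)) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false
    // when the target does not exist.
    $full = realpath($rootReal . '/' . $userPath);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check: the canonical path must start with "<root>/".
    // The trailing slash stops /var/www/myapp/files-old from matching.
    $prefix = rtrim($rootReal, '/') . '/';
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return substr($full, strlen($prefix));
}

// Reject array input such as ?path[]=x before it reaches the resolver.
$raw = $_GET['path'] ?? '';
$relative = is_string($raw) ? resolve_protected_path(PROTECTED_ROOT, $raw) : null;
if ($relative === null) {
    http_response_code(404);
    exit;
}
// nginx 1.5.9 and later expect an escaped URI in X-Accel-Redirect,
// so encode each segment and keep the slashes.
$uri = '/files/' . implode('/', array_map('rawurlencode', explode('/', $relative)));
header('Content-Type: video/quicktime');
header('X-Accel-Redirect: ' . $uri);
```

A request such as path=../../../../etc/passwd resolves to /etc/passwd, fails the prefix comparison, and gets a 404 without any X-Accel-Redirect header being sent.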






