Re: [mirrorbrain] Authenticating downloads?

From: Peter Pml <peter_at_poeml.de>
Date: Wed, 3 Nov 2010 10:47:08 +0100
Hi Oliver,

thank you for your interest, and welcome.

Am 03.11.2010 um 08:09 schrieb Oliver Beattie:
> We am considering implementing MirrorBrain for a download site of ours
> that has outgrown its current solution, but I need to pick someone's
> brain to find out if it's possible to do what we need. Basically, all
> our downloads have to be authenticated. The way we would like to do
> this is with Basic authentication (as is the current implementation)
> on the MB server, and then to generate signed one-time URLs to each of
> the mirrors (this would likely have a combination of an expiration
> timestamp and a signature, signed with a private key).

> I'm wondering whether this is possible with MirrorBrain? It's fine if
> MB has to redirect to the same machine to a different path to generate
> the new outgoing, signed URL, but it's not clear from the docs whether
> this is feasible.

Does this mean that you basically already have a file serving setup with Basic Auth and with temporarily valid links, and you would now like to know if MirrorBrain can be integrated into that, for load balancing?

How are the temp links generated - I would assume via a database call, e.g. by calling a further script by redirecting to a different path locally?

The temporary links which are generated valid would be valid links on the mirrors, I guess?


As the first thing, Basic Auth shouldn't pose a problem, although I haven't tested MirrorBrain in conjunction with it. I know that mod_mirrorbrain has a simple check for authentication to not accidentally give access to protected files, and I suspect that this check is not smart enough to check whether a request is authenticated or not. Having said that, I'd be happy to fix this. That should not be difficult.

Regarding the temporary links, I see the following possibilities:

1)
It would be easily possible to have MB redirect to a local path instead of directly to a mirror. This would require either a small code change in mod_mirrorbrain, which I would be happy to implement for you, or to help you with. (A simple RewriteRule is not sufficient, because mod_rewrite runs before the content handler of mod_mirrorbrain.) A custom Apache module that hooks in later (or mod_python/mod_perl script) could do this as well. (Maybe also a PHP script via mod_php, but I'm not sure if mod_php allows scripts to run at an arbitrary phase of the request processing.)

2)
mod_mirrorbrain (the Apache module that implements the mirror selection, mirrorlist generator and redirection) could be extended by a mode that does all the work of mirror selection, but doesn't return a redirect in the end. The selected mirror (and country data) is already saved in the Apache-internal environment before the redirect happens, so this data is accessible to modules/scripts running later. If the redirect is not done (which could easily be made configurable to switch it off), a module/script running later could do something else with this data. Again, this would require a change to mod_mirrorbrain, but trivial enough and also useful for other scenarios I guess.

3)
A third way (or maybe hack) that I could think of would be to change the redirect (as you suggest) to prepend a different hostname and path to the URL, in order to redirect to a different path on the same machine, which takes care of the rest. Again, a simple change that would be easy to implement. If the redirect is not an external one (going back and forth between the client and server) but an internal redirect, maybe certain data (username or some cookies) could be passed as well, without them becoming visible to the outside. Hard to say if this would be useful for you without knowing details.

4)
A fourth way would not require any changes at all, and it would seem easy to set up and integrate with: You could run MirrorBrain as a backend service that is accessed by a frontend server. The frontend could handle the Basic Auth, and send a request to the backend running MirrorBrain, using the path of the requested file, and pass the original client IP in a HTTP header. The client IP is then seen by mod_geoip, and also mod_asn if you use that optional module, and mod_mirrorbrain can do the mirror selection, without needing to be aware of authentication or temporary link generation. mod_mirrorbrain can return the selected mirror either within a HTTP header (Location header and X-MirrorBrain-Mirror header). It can also return comprehensive data in form of a Metalink (which is XML), which includes hashes and a randomized list of mirrors sorted by priority for the client. The frontend could easily use this information to add the temporary link path elements, and reply to the client with the final redirect.

Please let me know if this info helps you.
Peter
_______________________________________________
mirrorbrain mailing list
Archive: http://mirrorbrain.org/archive/mirrorbrain/

Note: To remove yourself from this mailing list, send a mail with the content
 	unsubscribe
to the address mirrorbrain-request_at_mirrorbrain.org
Received on Wed Nov 03 2010 - 09:47:26 GMT

This archive was generated by hypermail 2.3.0 : Wed Nov 03 2010 - 11:32:08 GMT