SIMPLEST way to set up password protection for a static site?

Question

I have a static site.

I would like the simplest approach to password protecting a directory, with a basic admin UI for adding/removing users. I will have so few users that I don't care about performance.

I don't care if it's PHP or Django or whatever, I just want a complete software package.

• Apache basic auth isn't good, because you can't log out. Nor is there a UI for adding users.

• I tried throwing everything behind Django auth and serving the files through Django. However, Chrome treats all my text/css headers as text/plain, so I don't get any stylesheets showing.

• I can't use mod_xsendfile on my server because I can't reconfigure Apache to add new modules. I think this approach is overkill anyway.

Is there a code package that implements authentication with basic admin for a static site?

Answer 1

I use nginx and this is usually my solution. Maybe something similar to this is available for Apache. Don't know.

In nginx, proxy can return a response with header X-Accel-Redirect with the location to where nginx is suppose to redirect. For example with the following nginx config:

server {
   ...
   location / {
       proxy_pass: ...;
   }
   location /media/secure/ {
       internal;
       alias ...;
   }
}

if the proxy pass will return:

X-Accel-Redirect: /media/secure/somefile;

Then nginx will redirect the request from the proxy to the /media/secure/ location, hence serving the static file.

So I usually authenticate a user in Django and then just return that header with the location to the file which then nginx serves. This is nice because then Django does not have to serve static file, users can't just access that secure location (because of the internal directive) and also because if all mime types are configured in nginx, then all the files are served properly...

Again, this is for nginx, not for Apache, but maybe something similar is out there for Apache.

EDIT

Here is a simple Django code snippet assuming you are using same settings as above for nginx. This view serves secure files if its path is provided in the GET:

@login_required()
def serve_secure_static(request, file_root=os.path.join(settings.MEDIA_ROOT, 'secure')):
    if not request.method == 'GET':
        return HttpResponseBadRequest('Only GET allowed')

    if not 'file' in request.GET:
        return HttpResponseBadRequest('File query must be provided')

    # make sire loggen user is allowed to see the file
    # maybe check some custom permission

    file_path = request.GET['file']

    # if in DEBUG, make Django serve static file
    # because nginx might not be configured
    if settings.DEBUG:
        abs_file_path = os.path.join(file_root, file_path)
        file_data = open(abs_file_path, 'rb').read()
        return HttpResponse(file_data, mimetype=mimetypes.guess_type(file_path))

    # else make nginx serve static file
    else:
        redirect_url = '/%s' % file_path
        response = HttpResponse()
        response['X-Accel-Redirect'] = redirect_url
        return response

So then if you add this view to urlconfig:

url(r'^serve_secure_static/$', 'server_secure_static')

you can request secure files by:

http://domain.com/serve_secure_static/?file=path/to/file/here/relative/to/media/secure.css

which will serve the file from

/media/secure/path/to/file/here/relative/to/media/secure.css