Single Security Script v.s. Performance

sf_dave

All,

I have written a fairly complex site for my company but have always doubted how I handle security. For out current load it is ok, but with our public product launch coming this March, I fear the current architecture I have implemented will implode with a heavy load. I’ll explain the implementation in depth to clarify what’s going on, and would appreciate any comments on how to improve performance or the architecture overall.

We run a typical LAMP server, Apache version 1.3x and PHP 4.x. To create a single entry point to our website I have the following rewrite conditions enabled in apache:

RewriteRule \.html security.php
RewriteRule \.htm security.php
RewriteRule \.php security.php
RewriteRule \.exe security.php
RewriteRule \.zip security.php
RewriteRule \.pdf security.php
RewriteRule /$ security.php
RewriteRule screenshots/ security.php
RewriteRule doc/ security.php

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* security.php

This essentially sends every text and certain bin file (exe’s etc...) requests through our security.php script which analyzes the request URL and determines if the user had rights to access what they want or not.

For successful text based files the script simply includes the file:
include($_SERVER[‘DOCUMENT_ROOT’].$requested_url);
since security.php is in the root of our web server all lookups succeed.

For successful bin files, however, the process is a little different, we have to dump the file ourselves to the client, we have chosen 8k chunks to use but the performance is still noticeably slower than just linking to a bin file straight form apache. Our bin code is as follows:

if ($bin)
{
	$file = fopen($_SERVER['DOCUMENT_ROOT'].$requested_url, "r");
	while($pump = fread($file, 8192))
	{
		ob_implicit_flush();
		print($pump);
	}
	exit();
}

Is there a more efficient way to do this? This is how all jpg, gif, exe, zip, bin files in general are delivered to the client browser, so it is important that this code be fairly fast.

I created this more out of ignorance than experience, so I would appreciate some experts to review this practice and possibly offer suggestions on how to better handle security. One thing that is VERY nice about this model is that all security related code is in one place, and is very flexible, however I fear that with every request being run through security.php that it will crawl to a halt with a heavy load.

Any and all comments are welcome, and thank you for reading this lengthy post 🙂
-sf_dave

justsomeone

You may be re-inventing a number of wheels by doing this, but at least it means you know your code inside out.

It seems like a huge waste of resources to use a PHP script to slice and deliver binary files. It would be a much better option to store these binary files outside of the web folder and, when you want to send one to a client, send the appropiate HTTP MIME headers and just passthru the file.

MarkR

Your script is probably not sending the appropriate headers, such as Last-Modified, Content-Length, Etag and respecting headers such as If-Modified-Since.

Apache will of course do all these things and more such as:
- Sending the content-length header to allow the browser to know how big the file is
- Sending Etag and Last-Modified so that caches can behave appropriately
- Respecting If-Modified-Since and Range requests - which allows the client to download the file only if it's changed, or download part of a file (to resume a transfer)

Mark

sf_dave

Thanks all who replied!

I guess I have two responses, one for each of you 🙂

justsomeone,
Your suggestion sounds very interesting, could you elaborate on what you mean by

It would be a much better option to store these binary files outside of the web folder and, when you want to send one to a client, send the appropriate HTTP MIME headers and just pass-through the file.

It is definitely true that apache delivers bin files faster than that php script, so i would be very interested in actually letting apache deliver the content after I validate that the person can in fact download what they are trying to.

Mark,
I believe I am actually sending all appropriate headers to the client. Before that code that starts dumping the bin data to the client I have a switch statement that sets a variable, $ctype, based on the extension of the requested file, so it if is a jpeg you can assume $ctype is "image/jpeg", .exe sets $ctype to "application/executable", etc...., also if it is a download (exe, zip, tar) as opposed to an image file I set the variable $attach to true. So the following code is how i prepare the client for the file it is about to receive:

if ($attach)
{
	session_write_close();

if (strpos($_SERVER['HTTP_USER_AGENT'], "MSIE"))
	 $filename = preg_replace('/\./', '%2e', $filename, substr_count($filename, '.') - 1);

header("Content-Disposition: attachment; filename=\"$filename\"");
header("Pragma: no-cache");
header("Content-length:".(string)(filesize($_SERVER['DOCUMENT_ROOT'].$uri)));
header("Accept-Ranges: none");

sleep(1);
}
else
{
	// Binary files like images
	header("Cache-Control: private");
}

header("Content-type: $ctype");

if ($bin) ..... [See first post]

So the browsers do know the size of the file they are receiving due to the Content-length being set, and I set the Pragma: no-cache because I don't want one of our executables (our products) to be sitting in a cache somewhere on the internet. I'm sure this isn't ALL the appropriate information I need to send but when someone downloads a file it feels like apache was sending the file itself.

Other than that, what about having security.php run before every text file requested? Additionally is simply including the file via include() the best way to load the requested file (if they are allowed to visit that page)? Will this practice fall on its face under heavy load?

Thanks again everyone for your suggestions
-Dave

sf_dave

Anyone?

Sorry for the bump but it's important for me to figure out the best practice for this type of activity. Our site is going to a tremendous amount of traffic and a heavy amount of downloads so any help at all would be appreciated.

Thanks again everyone
-Dave

justsomeone

Hi Dave,

Sorry for the late response.

Here's a simplified version of what I was suggesting...

<?php

$filename = "/var/secure/myfile.jpg";
/*
 I'm assuming you'll need some dynamic way to build up the filename
but that's not the tricky part, so I'm just hardcoding a filename :)
*/

// open the file in a binary mode
$fp = fopen($filename, 'rb');

// send the right headers
header("Content-Type: image/png");
header("Content-Length: " . filesize($filename));

// dump the picture and stop the script
fpassthru($fp);
exit;


?>

But reading through the user comments on the manual, it becomes apparent that this method is much too slow for what you need. The same seems to apply to using readfile() instead of fpassthru();

The following method is quoted there and looks very similar to what you've already done...

<?php
session_start();

function send_file($name) {
   ob_end_clean();
   $path = "/directory/path/".$name;
   if (!is_file($path) or connection_status()!=0) return(FALSE);
   header("Cache-Control: no-store, no-cache, must-revalidate");
   header("Cache-Control: post-check=0, pre-check=0", false);
   header("Pragma: no-cache");
   header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
   header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
   header("Content-Type: application/octet-stream");
   header("Content-Length: ".(string)(filesize($path)));
   header("Content-Disposition: inline; filename=$name");
   header("Content-Transfer-Encoding: binary\n");
   if ($file = fopen($path, 'rb')) {
       while(!feof($file) and (connection_status()==0)) {
           print(fread($file, 1024*8));
           flush();
       }
       fclose($file);
   }
   return((connection_status()==0) and !connection_aborted());
}


//Validate the user
if($_SESSION[login] == 1){

   //Close the session to allow for header() to be sent
   session_write_close();

   if(!send_file("testfile.zip")) {
       die ("file transfer failed");
   } else {
       //Log the download
   }
}else{
   echo "Not logged in";
}

?>

So (ahem) I have to withdraw my suggestion that mine would be a much better suggestion.

Sorry!