[support] File system out of root

[Anton]

On 20/03/2008, Xavier Bestel <xavier.bestel at free.fr> wrote:
> Just as a datapoint, I have been very disappointed with drupal's
>  performance until I got rid of that private filesystem thing.
>  Filtered access through drupal (5.x) and direct access (i.e. just
>  apache) are like day and night in terms of speed. Previously I could
>  watch my acidfree galleries display one thumbnail per second, now the
>  whole page displays instantly.

Yeah it isn't a good solution for popular pages that require lots of
images downloaded to display - as each image is a whole new Drupal
bootstrap. Private downloads turns a gallery listing that was 1 Drupal
bootstrap and 20 Apache downloads into 21 Drupal bootstraps which is a
whole lot more server load (up to 20x more).

But it is good for standalone downloads (eg not on-page images) that
don't get downloaded that often but still need protection. It doesn't
add much extra load in that scenario.

>
>  I understand the /system/ dir is needed for access control, but the way
>  it's implemented looks suboptimal to me. Not that I have a better idea
>  right now.

There isn't much that can be done about that. If Drupal needs to
decide whether or not to allow access to the file, Drupal needs to be
bootstrapped.

One (security through obscurity) possibility that might work for some
sites: Your public downloads could be protected by Apache checking for
"authorised" referer headers. If the referer header contains url(s)
that only authorised Drupal uses can get to, you could assume they
were authorised to download the files.

An unauthorised visitor would have to forge those headers to get
around that. Although it is only "Security through obscurity" that
should be enough of a barrier for most sites/webmasters to be happy
with.

-- 
Cheers
Anton