.. You may want to use the usual include line. Uncomment and adjust the path. .. include:: ../Includes.txt .. role:: underline ================== EXT: naw\_securedl ================== :Author: Kasper Skårhøj :Created: 2002-11-01T00:32:00 :Changed by: Dietrich Heise :Changed: 2013-10-23T09:50:48.647953183 :Author: Dietrich Heise :Email: typo3-ext(at)bitmotion.de :Info 3: :Info 4: .. _EXT-naw-securedl: EXT: naw\_securedl ================== Extension Key: **naw\_securedl** Copyright 2013, Dietrich Heise, This document is published under the Open Content License available from http://www.opencontent.org/opl.shtml The content of this document is related to TYPO3 \- a GNU/GPL CMS/Framework available from www.typo3.com .. _Table-of-Contents: Table of Contents ----------------- **EXT: naw\_securedl 1** **Introduction 1** What does it do? 1 Screenshots 1 **Administration 2** **Details on configuration evaluation 3** **Backend Module 3** **Known Limitations / ToDo 3** .. _Introduction: Introduction ------------ .. _What-does-it-do: What does it do? ^^^^^^^^^^^^^^^^ In TYPO3, assets like PDFs, TGZs or JPGs etc. are normally just referenced by a URL e.g. to “fileadmin/...”. The file itself is delivered directly by the web server, and is therefore not part of the TYPO3 access control scheme – files remain unprotected, since URLs can be re-used, emailed, Google-included or even guessed. The “naw Secure Download” extension (“naw\_securedl”) changes this behavior: Files will now be accessed through a eID Script script that honors TYPO3 access rights. The converted URL's will then look like this: index.php?eID=tx\_nawsecuredl&u=1&file=fileadmin/secure/test.jpg&hash= 306a7839647a68caf24b50870a59d3fc This works regardless of where the files come from, is not limited to special plugins etc. Since in most cases you will not want to protect everything (which means that everything undergoes rather performance-consuming access right checking), naw Secure Download is highly configurable. You may choose: - what directories to protect (e.g. you can include typo3temp or not,) - what file types to protect (do you want to protect JPGs or not? etc.) - what domains are considered local As a complementary measure, you will of course need to configure your web server not to deliver these things directly (e.g. using .htaccess settings). .. _Screenshots: Screenshots ^^^^^^^^^^^ |img-1| *Picture 1 Secured File Download Example* .. _Administration: Administration -------------- All configuration of this extension is made in the Extension Manager. .. ### BEGIN~OF~TABLE ### .. _securedDirs: securedDirs ^^^^^^^^^^^ .. container:: table-row Configuration option securedDirs Description List of directories of your TYPO3 Server in that files should be secured, separated by \| For exclude a sub-directory in a directory use (?!path/to/sub)path .. _filetype: filetype ^^^^^^^^ .. container:: table-row Configuration option filetype Description List of file types that should be secured, separated by \| .. _forcedownload: forcedownload ^^^^^^^^^^^^^ .. container:: table-row Configuration option forcedownload Description If this is checked some filetypes are forced to be downloaded in contrast of beeing embedded in the browser window .. _forcedownloadtype: forcedownloadtype ^^^^^^^^^^^^^^^^^ .. container:: table-row Configuration option forcedownloadtype Description List of filetypes that should be forced to be downloaded (see above) .. _domain: domain ^^^^^^ .. container:: table-row Configuration option domain Description This is only required for absolute filelinks to your local server, e.g. “ `http://my.server.com/fileadmin/image.jpg `_ ” (instead of the normal internal link that reads “ `fileadmin/image.jpg `_ ”.) In other words: In most cases, this value can be left empty. .. _additionalMimeTypes: additionalMimeTypes ^^^^^^^^^^^^^^^^^^^ .. container:: table-row Configuration option additionalMimeTypes Description Comma separated list of additional MIME types (file extension / mime type pairs, in which file extension and MIME type is separated by a pipe symbol). Can be used to override existing MIME type settings of the extension as well. .. _cachetimeadd: cachetimeadd ^^^^^^^^^^^^ .. container:: table-row Configuration option cachetimeadd Description The time that is added to the default or page cache, that the link to the secured element is valid. .. _debug-level: debug level ^^^^^^^^^^^ .. container:: table-row Configuration option debug level Description For developing only .. _log: log ^^^ .. container:: table-row Configuration option log Description Each file access will be logged to database, this could be a performance issue, if you have a high traffic site. If you decide to turn it on, a backend module will be activated to see the traffic caused by user/ file .. _outputFunction: outputFunction ^^^^^^^^^^^^^^ .. container:: table-row Configuration option outputFunction Description Due to possible restrictions in php and php settings, you probably need to adjust this value. By default “readfile” is used to deliver the file. If this function is disabled in your php settings, you can try fpasstrugh. If you hav problems with php memory\_limit and big files to download, you need to set this to readfile\_chunked, which delivers the files in small portions. If you activate the logging, only the transmitted portions are stored in the database table. Again, make sure you have no performance problem here, because multiple SQL- queries are fired to track the transmitted bytes. .. _outputChunkSize: outputChunkSize ^^^^^^^^^^^^^^^ .. container:: table-row Configuration option outputChunkSize Description Only applicable if you use readfile\_chunked (see outputFunction). Specify the number of bytes, served as one chunk when delivering the file. Choosing this value too low is a performance killer. .. _linkFormat: linkFormat ^^^^^^^^^^ .. container:: table-row Configuration option linkFormat Description The Format for the link generated by naw\_securedl. You can change this if you apply appropriate mod\_rewrite rules in your .htaccess file. Example: linkFormat: securedl/###FEUSER###/###TIMEOUT###/###HASH###/###FILE### Put the following in your .htaccess (one line) RewriteRule ^securedl/([\d]+)/([\d]+)/([0123456789abcdef]+)/([^&]+)$ index.php?eID=tx\_nawsecuredl&u=$1&t=$2&hash=$3&file=$4 [nc,L] .. ###### END~OF~TABLE ###### You also need to secure all the directories and filetypes by your server configuration. This can be done with .htaccess files. Some example .htaccess files you find in the /res folder. Note: This extension cannot secure links to files that you include in your CSS file. For example you can secure /fileadmin with the default .htaccess\_deny file by putting the file in /fileadmin. You can allow /fileadmin/templates/ with the default .htaccess\_allow file by putting this file to /fileadmin/template/ .. _Details-on-configuration-evaluation: Details on configuration evaluation ----------------------------------- The first three config fields (securedDirs, filetype and domain) allow regular expressions, but with limitations because some characters (slash, backslash, dot, blank) are automatically quoted for your convenience. For filetype (meaning actually the file extension), all upper/lowercase combinations are automatically included (e.g. “gif” would also cover “giF”.) The \| stands for “OR” **.** :underline:`Regex examples for securedDirs:` If for example you need to secure fileadmin and typo3temp, but not uploads: fileadmin\|typo3temp To secure everything under fileadmin/secure or typo3temp, you need to write fileadmin/secure\|typo3temp You also can group some elements with regular expression, but you should be carefull with grouping because the complex regex in the extension does not work if some other matches were output by the regex. For grouping “ **( )** “ is used, but in our case you need to exclude the result of this **( )** . This can be done with **(?: )** For example we need to find all under fileadmin/secure1 fileadmin/secure2 fileadmin/secure3 or typo3temp fileadmin/secure(?:1\|2\|3)\|typo3temp for the same need you can use also **[ ]** but all chars between **[ ]** are allowed here fileadmin/secure[123]\|typo3temp If you need to exclude some subfolders in a secured directory you can do this by (?! ) For example like (?!fileadmin/unsecured)fileadmin More information can be found here: `http://www.regular- expressions.info `_ .. _Backend-Module: Backend Module -------------- Since version 1.0.0 this extensions contains a backend module. With this module you can show the summerized download traffic by a given timeframe for all users or by a frontend user. Since version 1.2.0 you will see all files and filesizes downloaded by specified users. .. _Known-Limitations-ToDo: Known Limitations / ToDo ------------------------ - get a hook for showpic.php – currently, there is none (thus xclassing necessary) - support for links from one PDF to another - Allow optional advanced mode for full Regex support - Images in Direct Mail newsletters, doesn't work correct with secure\_dl :( EXT: naw\_securedl - 4 |img-2| .. ######CUTTER_MARK_IMAGES###### .. |img-1| image:: img-1.png .. :align: left .. :border: 1 .. :height: 300 .. :id: Grafik1 .. :name: Grafik1 .. :width: 665 .. |img-2| image:: img-2.png .. :align: left .. :border: 0 .. :height: 34 .. :id: Grafik3 .. :name: Grafik3 .. :width: 123