
I am currently serving private images using X-Accel.

The images folder is behind the root, and I have the following block inside the nginx config:

location /private_files {
    internal;
    root /var/www/website/storage;
}

So the images folder is /var/www/website/storage/private_files and a full image path would be for example /var/www/website/storage/private_files/image.jpg

In order to use the images with an <img> tag I redirect the src url to the backend to send the X-Accel-Redirect header: <img src="/get-image/image.jpg">

Then the backend would take care of it whenever a URL of /get-image/ is requested (PHP):

public function get_image() {
    // Issues the redirect for every request: no authentication or ownership
    // check, and this example hardcodes image.jpg as the file to serve.
    $real_path = "/private_files/image.jpg";
    return response('')->header('X-Accel-Redirect', $real_path);
}

So now anyone can copy the URL /get-image/image.jpg and access that image even though it's supposed to be private.

Is there any way to do something with nginx against this? Or will I have to use the backend authentication for that?
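An added example, not code from the question or from any project it mentions, showing the backend-side route the question hints at: the handler authenticates the session and validates the requested name before emitting the X-Accel-Redirect that nginx already trusts. It assumes plain PHP with no framework, a $_SESSION['user_id'] set by the application's own login code, and a userMayView() hook standing in for the real access rule; all three are assumptions, and the CLI self-check at the bottom uses a constructed folder in the temp directory rather than the real storage path.

```php
<?php
// Added example (not the asker's code): a hardened replacement for get_image()
// that performs the backend authentication the question asks about before
// emitting X-Accel-Redirect. Assumptions: plain PHP behind the question's
// nginx config, a $_SESSION['user_id'] set by the application's login code,
// and a userMayView() hook standing in for the application's own access rule.
declare(strict_types=1);

const STORAGE_ROOT  = '/var/www/website/storage'; // root of the internal location
const INTERNAL_URI  = '/private_files';           // the "internal" nginx location
const PUBLIC_PREFIX = '/get-image/';              // what the <img src> requests

// Extension -> MIME type. nginx keeps the upstream Content-Type on an
// X-Accel-Redirect, so the backend must not leave PHP's default text/html.
const IMAGE_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif', 'webp' => 'image/webp'];

/**
 * Returns [internalUri, mimeType] when the request may be served, or null when
 * it must be refused (not logged in, bad name, not permitted, or missing file).
 */
function resolvePrivateImage(string $requestUri, ?int $userId, string $storageRoot = STORAGE_ROOT): ?array
{
    // 1. Authentication: this is the check the original handler lacked.
    if ($userId === null) {
        return null;
    }

    // 2. Keep only the path component and require the public prefix.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || strncmp($path, PUBLIC_PREFIX, strlen(PUBLIC_PREFIX)) !== 0) {
        return null;
    }
    $name = rawurldecode(substr($path, strlen(PUBLIC_PREFIX)));

    // 3. Accept a bare file name only: no "/", no leading ".", and a known
    //    image extension, so the redirect cannot point outside the folder.
    if (preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.([A-Za-z0-9]+)$/', $name, $m) !== 1) {
        return null;
    }
    $mime = IMAGE_TYPES[strtolower($m[1])] ?? null;
    if ($mime === null) {
        return null;
    }

    // 4. Authorisation: may *this* user see *this* image?
    if (!userMayView($userId, $name)) {
        return null;
    }

    // 5. The file must exist inside the private folder.
    if (!is_file($storageRoot . INTERNAL_URI . '/' . $name)) {
        return null;
    }

    return [INTERNAL_URI . '/' . $name, $mime];
}

/** Stand-in for the application's own rule (e.g. an ownership lookup). */
function userMayView(int $userId, string $name): bool
{
    return true; // assumption for the example: any logged-in user may view any image
}

if (PHP_SAPI !== 'cli') {
    // Web request: decide, then hand the file to nginx with an empty body.
    session_start();
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    $hit = resolvePrivateImage($_SERVER['REQUEST_URI'] ?? '', $userId);
    if ($hit === null) {
        http_response_code($userId === null ? 401 : 404); // 404 also hides whether the name exists
        exit;
    }
    header('Content-Type: ' . $hit[1]);
    header('X-Accel-Redirect: ' . $hit[0]);
    exit;
}

// CLI self-check against a constructed private folder in the temp directory.
$root = sys_get_temp_dir() . '/xaccel-demo';
@mkdir($root . INTERNAL_URI, 0700, true);
touch($root . INTERNAL_URI . '/image.jpg');

$cases = [
    ['/get-image/image.jpg',           null, 'anonymous request'],
    ['/get-image/image.jpg',           42,   'logged-in request'],
    ['/get-image/../other/image.jpg',  42,   'name with path separators'],
    ['/get-image/%2e%2e%2fimage.jpg',  42,   'encoded path separators'],
    ['/get-image/missing.jpg',         42,   'file that does not exist'],
];
foreach ($cases as [$uri, $uid, $label]) {
    $r = resolvePrivateImage($uri, $uid, $root);
    printf("%-28s -> %s\n", $label, $r === null ? 'refused' : "X-Accel-Redirect: {$r[0]} ({$r[1]})");
}
```

The nginx `internal` directive in the question only blocks direct requests to /private_files/...; it says nothing about /get-image/, so the allow-or-deny decision has to be made wherever the X-Accel-Redirect header is produced. Running the file with `php` from the command line prints one line per constructed case: only the logged-in request for an existing, well-formed name yields a redirect target.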
