I'm writing a PHP application where users can download some files. Not all files can be downloaded by all users and some complicated rights-checking is going on behind the scenes.
Because of this rights-checking I don't want to expose the URL where the file is actually located, as I want to force the user to always use the endpoint where his credentials are verified.
In my current implementation this is all written using PHP (fread, etc). In order to minimize memory consumption this is implemented as a stream, such that PHP mostly acts as a proxy.
But I would like to only use PHP for the authentication, and then use Apache2 for the actual hosting. Looking around for options it seemed X-Sendfile would be an ideal fit.
The only issue in using X-Sendfile is that it only works for local files, and my files are on a remote storage server (not my webserver).
So essentially I have a direct link to my storage server (which I want to hide):
https://storage.example.com/the-pet-goat.pdf
And the public link the user interacts with:
https://www.example.com/randomized-id/download
and I would like that when the user goes to https://www.example.com/randomized-id/download his credentials are checked and, if successful, he should be (invisibly) redirected to the file on the storage server.
Is there a way to achieve this (using Apache)? I've found X-Accel-Redirect, but that is for nginx.
I've found a similar question here on SO: "Alternative to X-sendfile in Apache for sending file given a URL?", but that one is specifically targeting S3, Apache (and Ruby on Rails), while this question is more generic for Apache.
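
For reference, the check-then-stream proxy pattern the question describes, as an added example that is not the poster's code. The `FILES` table, the id `k3v9q2`, the `id` query parameter (assumed to be filled by a rewrite rule for `/randomized-id/download`) and the `user` session key are all constructed for illustration; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Constructed lookup table (stands in for the real rights database):
// public randomized id => hidden storage URL and the users allowed to fetch it.
const FILES = [
    'k3v9q2' => ['url' => 'https://storage.example.com/the-pet-goat.pdf', 'users' => ['alice']],
];

/** Returns the file record for an authorized request, or an HTTP status code. */
function resolveDownload(mixed $id, ?string $user): array|int
{
    if ($user === null) {
        return 401; // not logged in
    }
    $file = is_string($id) ? (FILES[$id] ?? null) : null;
    // Unknown id and forbidden id get the same answer, so ids cannot be probed.
    if ($file === null || !in_array($user, $file['users'], true)) {
        return 404;
    }
    return $file;
}

/** Copies the remote file to the client in fixed-size chunks (constant memory). */
function streamToClient(string $url, int $chunk = 8192): void
{
    $in = @fopen($url, 'rb'); // needs allow_url_fopen and the openssl extension
    if ($in === false) {
        http_response_code(502);
        return;
    }
    while (ob_get_level() > 0) { ob_end_clean(); } // do not buffer the whole file
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="download"');
    while (!feof($in)) {
        $buf = fread($in, $chunk);
        if ($buf === false) { break; }
        echo $buf;
        flush();
    }
    fclose($in);
}

session_start();
$result = resolveDownload($_GET['id'] ?? null, $_SESSION['user'] ?? null);
if (is_int($result)) {
    http_response_code($result);
    exit;
}
streamToClient($result['url']);
```

The storage URL is resolved server-side from the id and never appears in a response header or body, and the generic `filename="download"` keeps the storage object name out of the response as well.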