可以将文件从客户端计算机上传到托管表单的网络服务器外部的服务器吗?
为了设置该场景,需要三台计算机:(1) 客户端计算机,(2) Web 服务器,(3) 和文件存储服务器。这三台机器不在同一局域网内,也不在同一域内。 Web 服务器运行 Apache 和 PHP,存储服务器也运行 IIS7 和 PHP。
我有一个网页(托管在网络服务器上),其中包含文件上传模块。当用户从该网页上传文件时,我希望该文件直接存储到存储服务器上,而不是 Web 服务器本身。我想避免通过 cURL 或“scp”等系统级命令将文件从网络服务器传输到存储服务器,因为这似乎浪费网络资源和用户的时间。
这是否可以安全地完成,以及建议的实现方式是什么?
我确实在 GitHub 上找到了 blueimp 提供的一个不错的多文件上传器,它可以执行跨域上传,但按照设置说明进行操作后跨域上传,我得到一个我的浏览器调试控制台出现错误,内容如下:
XMLHttpRequest 无法加载
http://storageserver.com/scripts/process_uploads.php。 Access-Control-Allow-Origin 不允许来源http://webserver.com。
虽然我意识到这不是最安全的代码,但我将以下内容添加到 process_uploads.php 脚本中以进行故障排除:
header('Access-Control-Allow-Origin: *');
为了澄清起见,这是我编写由 jQuery-File-Upload 插件解析的表单元素的方式:
<form id="fileupload" action="http://storageserver.com:8080/scripts/process_uploads.php" method="POST" enctype="multipart/form-data">
有人成功实现跨域文件上传吗?如果是这样,您能否阐明什么是可靠的解决方案?
To setup the scenario, there are three machines: (1) The client's machine, (2) the webserver, (3) and a file storage server. These three machines are not within the same local-area-network, nor are they within the same domain. The webserver is running Apache with PHP, and the storage server is running IIS7 with PHP as well.
I have a webpage--hosted on the webserver--that contains a file-upload module. When a user uploads a file from that webpage, I want the file to be stored directly onto the storage server, not the web server itself. I want to avoid transferring the file from the webserver to the storage server via cURL or a system-level command like "scp" because that seems like a waste of network resources and the user's time.
Is this possible to do securely, and what are the recommended implementations for doing so?
I did find a nice, multi-file uploader on GitHub by blueimp that can do cross-domain uploads, but after following the directions for setting up cross-domain uploads, I get an error from my browser's debug console that reads:
XMLHttpRequest cannot load
http://storageserver.com/scripts/process_uploads.php. Originhttp://webserver.comis not allowed by Access-Control-Allow-Origin.
While I realize it is not the most secure code, I added the following to the process_uploads.php script for troubleshooting purposes:
header('Access-Control-Allow-Origin: *');
For clarification purposes, here is the way I wrote the form element that is parsed by the jQuery-File-Upload plugin:
<form id="fileupload" action="http://storageserver.com:8080/scripts/process_uploads.php" method="POST" enctype="multipart/form-data">
Has anybody has success implementing cross-domain file uploading? If so, can you shed some light as to what might be a robust solution.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我建议您购买一台时间机器,可以回到几年前,那时网络是一个更值得信赖的地方,而浏览器无法防范此类事情。无论如何,跨域规则似乎每隔几个月就会改变一次。如果可以的话,明智的做法是避开那些蠕虫。
我看到两个选择,但都不是很好。毫无疑问还有更多。
首先:将表单提交到您的文件服务器,并让它将表单提交到您的 Web 服务器。
这(当然很大程度上)取决于两个服务器之间的可靠连接。您说过您不想将文件从 Web 服务器复制到文件管理器。因此,请以其他方式移动数据。几个字节的形式比在另一个方向复制文件的影响要小。因此,将整个表单提交到文件服务器,并让 PHP 表单处理程序将非文件部分(包括源 IP 和会话标识符)提交到 Web 服务器。您甚至不需要在文件管理器上存储表单数据,只需将 Web 服务器的结果转发回浏览器即可。设计时不要忘记考虑身份验证和安全性。
第二:使用JavaScript或Flash上传两个表单
将非文件表单内容放在一个表单中,将文件放在单独的表单中。捕获一个表单的提交并让它也提交另一个表单(到另一个服务器)。这是一个糟糕的解决方案,因为它依赖于浏览器上的 JavaScript,而浏览器并不总是存在。 (您可能会通过要求它来破坏您的网站,但我不建议这样做。)由于您已经在使用 jQuery,因此您可能可以自己找到解决方案。
我不知道你会如何在 Flash 中做到这一点,但我确信这是可能的。我同样确信您不应该在 Flash 中执行此操作。 Fie 于所有闭源“网络”技术。始终使用开放式工具。
这就是我所拥有的一切。但我是系统管理员。我有兴趣看看其他人想出了什么。
I recommend you acquire a time machine and can go back a few years to when the web was a more trusting place, and browsers didn't protect against this sort of thing. Cross-domain rules seem to change every few months anyway. You'd be wise to avoid that can of worms if you can.
I see two options, neither of them great. There are undoubtedly more.
First: Submit forms to your file server, and have it submit forms to your web server.
This depends (heavily of course) on reliable connectivity between the two servers. You said you didn't want to copy files from the web server to the filer. So move your data the other way instead. A few bytes of form will be less of a hit than copying files in the other direction. So submit the whole form to your file server, and have a PHP form handler there submit the non-file portions (including the source IP and a session identifier) to the web server. You don't even need to store form data on the filer, just have it relay the web server's results back to the browser. Don't forget to consider authentication and security when you design this.
Second: Use JavaScript or Flash to upload two forms
Place your non-file form content in one form, and the file in a separate form. Catch the Submit of one form and have it submit the other form (to the other server) as well. This is a BAD solution because it relies on JavaScript on the browser, which isn't always there. (You can break your site by requiring it, but I don't recommend it.) Since you're already using jQuery, you can probably figure out a solution on your own.
I don't know how you'd do this in Flash, but I'm sure it's possible. And I'm equally sure you shouldn't do it in Flash. Fie on all closed source "web" technologies. Always use open tools.
That's all I've got. But I'm a sysadmin. I'll be interested to see what other folks come up with.