Media Firewall

From PGVWiki
Jump to: navigation, search
Media Firewall
Author: User:Ljm
Introduced in Version: 4.1.2,

Revision 1376

Introduction Date: 3 August, 2007

The Media Firewall (see 1749817) and watermarking (see 477081) features were released in phpGedView 4.1.2.


High-level overview:

The Media Firewall does several things to protect your media items:

First and foremost, it enforces your PGV privacy settings. Without the Media Firewall, PGV can "hide" the urls to your private media items, but if someone figures out the right urls they can easily view them. The Media Firewall enforces your PGV privacy settings, ensuring that nobody can view your confidential images.

Second, the Media Firewall can watermark your images to make it harder for someone to take and post them on another site. You can choose to watermark images for only certain user types, if you wish.


The Media Firewall is able to do this when you move your sensitive images out of the standard web-accessible media directory into the protected media directory. When someone tries to view an image that no longer exists in the web-accessible directory, a 404 error occurs and the Media Firewall is activated. It decides whether to:

  • show the image or not, based on who is trying to view it and what the privacy settings for the image are
  • watermark the image, based on user type

The path used to view images from the web does not change.


There are four steps to using the Media Firewall:

1) Configure your site 2) Move your images to the protected directory 3) Tell PGV which images need to be protected 4) Test it

Configure your site

Prerequisites

  • You will probably want to move your index directory out of the web root. Fully test this before enabling the media firewall.
  • Make sure your $MEDIA_DIRECTORY setting does not have "../" in it. The media firewall does not support this; it causes problems with sessions since you would have to run scripts outside of the /phpGedView/ directory.

Note: Except as noted above, DO NOT CHANGE your MEDIA_DIRECTORY setting. If it used to say "media/" it should still say "media/" after the media firewall is enabled.

Configure the Media Firewall Root Directory

By default, your protected media directory will be placed in your $INDEX_DIRECTORY. If you want to move it elsewhere, specify the directory here:

  • Choose Manage GEDCOMs and edit Privacy
  • EDIT the Configuration file
  • Expand the MULTIMEDIA category, then expand the MEDIA FIREWALL category
  • Enter the path in the "Media Firewall Root Directory" area.

The primary reason to place it somewhere else is to allow multiple installations of PhpGedView to share the same media files.

Be sure to use the same "Media Firewall Root Directory" for all GEDCOMs on your site.

If you specify a custom path, you will need to create the $MEDIA_DIRECTORY at that location and make sure it is world-writable. For example, if your setttings are

MEDIA_FIREWALL_ROOTDIR : /user/somedir/
MEDIA_DIRECTORY        : media/

then you need to create this directory and make it world-writable:

 /user/somedir/media/

If your settings are

INDEX_DIRECTORY        : /safe/place/index
MEDIA_FIREWALL_ROOTDIR : blank
MEDIA_DIRECTORY        : my_stuff/

then PGV will create this directory:

 /safe/place/index/my_stuff/

to hold your media.

Enable the media firewall

  • Choose Manage GEDCOMs and edit Privacy
  • EDIT the Configuration file
  • Expand the MULTIMEDIA category, then expand the MEDIA FIREWALL category
  • Set "Use Media Firewall" to YES

You should do this for every GEDCOM on your site. If you share a file between GEDCOMs and that file is in the protected directory, it will only display for the GEDCOMs which have the Media Firewall enabled.

Apache

If your site is hosted on Apache, PGV will automatically create an .htaccess file in your media directory that intercepts 404 errors and sends them to the media firewall script.

IIS

Note: IIS Support was added in PhpGedView 4.1.3 (currently in SVN only)

If your site is hosted on IIS, you will need to redirect "HTTP 404 – File not found" errors for your standard media directory to the "mediafirewall.php" script in your root phpGedView directory. This requires altering the "Custom Errors" IIS configuration for your website. See [http://support.microsoft.com/kb/302570] for details. If your phpGedView root directory is your website root, the correct 404 error redirection settings for your standard media directory are:

 404 URL /mediafirewall.php

Note that this step requires administrator access to your website host, so you may need to have your hosting service implement it for you. At least one user has successfully configured IIS in this way.

Decide whether to protect thumbnails

By default, thumbnails are not stored in the protected media directory. If you want to protect thumbnails:

  • Choose Manage GEDCOMs and edit Privacy
  • EDIT the Configuration file
  • Expand the MULTIMEDIA category, then expand the MEDIA FIREWALL category
  • Set "Protect Thumbnails of Protected Images" to YES

Enable watermarking

  • Choose Manage GEDCOMs and edit Privacy
  • EDIT the Configuration file
  • Expand the MULTIMEDIA category, then expand the MEDIA FIREWALL category
  • Set "Who can view non-watermarked images?" to "Show only to Authenticated users" or higher.

You can also set the following options:

  • Add watermarks to thumbnails? Y/N (Your media lists will load faster if you don't watermark the thumbnails.) Note: Thumbnails must be in the protected image directory in order to be watermarked. To put thumbnails there automatically, set "Protect Thumbnails of Protected Images" to YES (see previous entry)
  • Store watermarked thumbnails on server Y/N (Storing a watermarked copy of thumbnails shouldn't take too much space, and is the best way to speed up media lists while retaining the watermarks.)
  • Store watermarked full size images on server Y/N (For people who have plenty of disk space, this will save time generating the watermarked image.)

Move your images to the protected directory

You can protect some/all/none of your images behind the media firewall.

Decide which images you want to protect, and move them from the /phpGedView/media/ directory into your MEDIA_FIREWALL_ROOTDIR/media/ directory.

You can either do this yourself manually or you can use phpGedView/media.php to select and move images to/from the protected directory.

Move the images manually

Keep the entire path to your images the same, for instance:

 /phpGedView/media/dir1/dir2/file.jpg

becomes:

 index/media/dir1/dir2/file.jpg

If you want to protect the thumbnail of the image, be sure to move it as well. For example:

 /phpGedView/media/thumbs/dir1/dir2/file.jpg

becomes:

 index/media/thumbs/dir1/dir2/file.jpg

Be sure you MOVE the files. If you keep the files in your normal media directory, a 404 error will not occur and the media firewall will have no effect.

In case it isn't clear, note that you WILL still have a /phpGedView/media/ directory and it must remain world-writable. At a minimum, it will contain the .htaccess file that enables the media firewall to work.

Allow phpGedView to move the images

Visit the /phpGedView/media.php file on your site (you must have editing enabled in order to do this). You can move individual files by clicking the "Move to standard directory" or "Move to protected directory" links. You can move entire directories (and subdirectories) by clicking the "Move Standard" or "Move Protected" buttons. Thumbnails will be moved to the protected directory as well if you have set "Protect Thumbnails of Protected Images" to YES.


Note: All images you move to the protected directory will benefit from the watermarking feature. However, if you want only certain people to be able to view the images you must also perform the next step.

Tell PGV which images need to be protected

There are several ways to tell PGV which images are sensitive:

Link the image to a private individual

If you link the image to a private individual (such as a living person), then the image is considered private.

Question: Are there any Admin settings which affect this? Or does it always work this way?

Link the image to a private source

If you link the image to a private source, then the image is considered private.

There are at least a couple of ways to make a source private:

  1. Use the Privacy Settings by ID functionality (described below for media items, same technique for sources)
  2. Link the source to a private repository
    • Use the Privacy Settings by ID functionality to make a repository private
  3. Make all sources private:
    • Choose Manage GEDCOMs and edit Privacy
    • EDIT the Privacy file
    • Modify the "Show sources" dropdown

Use the Privacy Settings by ID functionality:

  • Choose Manage GEDCOMs and edit Privacy
  • EDIT the Privacy file
  • Choose "Privacy Settings by ID"
  • Lookup the media which needs to be protected and choose the appropriate authentication level

Use the RESN Privacy functionality:

First, make sure RESN Privacy is enabled:

  • Choose Manage GEDCOMs and edit Privacy
  • EDIT the Privacy File
  • Set "Use GEDCOM (RESN) Privacy restriction" to YES

Then (assuming editing is enabled), go to the medialist and choose EDIT DETAILS for the image you wish to protect. Expand the RESTRICTION option at the bottom of the form and select PRIVACY or CONFIDENTIAL.

Notes

Note: You must remember to move each file you wish to protect to the index directory. If you fail to move the files, a 404 will not occur and the Media Firewall will not get the chance to activate.

Question: Are there any other media-related privacy options in PGV?

Test it

First, go to the medialist as an admin and verify that you can view a private image. Copy the direct url to the image and save it to your clipboard.

Logout and try viewing the image as an non-authenticated user. If you moved the image to the correct directory and set your privacy settings appropriately, you will not be able to see the image.

About Watermarking

The media firewall auto-detects the capabilities of your server, and will apply a large diagonal text watermark to your image if your system supports it.

The requirements for this type of watermarking are: PHP compiled with GD and FreeType support.

If your system does not support this, the media firewall will add basic some horizontal text watermarks to your images. On large images, these are barely visible. Try to get your host to support GD and FreeType if at all possible.

If you see a mixture, where some images have the nice watermarking, some have the fallback watermarking and some are not watermarked at all, check your PGV log as described below. Some of your images are probably corrupt.

Troubleshooting

Strange Behavior

If the standard PGV image viewer shows an all-black image, or if the Album says "Unable to open image", check your PGV log file as described below. The image is probably broken.

If you don't see any errors in your log file, try viewing one of the images directly (not through the album or image viewer). In other words, visit the url directly:

 www.yoursite.com/phpGedView/media/path/image.jpg

Note any error messages you see (IE tends to show these errors better than Firefox). If the errors you see are not described on this page, please post a note to the Help Forum.

Error Messages

404 Not Found

When you enable the media firewall, it adds an .htaccess file to your /phpGedView/media/ directory. This is all that is needed on most Apache-based systems. If you are getting a 404 error from Apache you need to contact your host and ask them to add "AllowOverride FileInfo" to your site configuration. See [1]

If you are not using Apache you will need to configure your system to detect 404 errors from the /phpGedView/media/ directory and have them processed by the /phpGedView/mediafirewall.php script.

No Media Found

The requested file was not found in the protected image directory (by inference, it is also not in the standard image directory)

Privacy restrictions prevent you from viewing this item

This could be one of two things:

1) The requested file does exist in the protected media directory but it is not attached to a GEDCOM record. The media firewall assumes this is a sensitive image and only allows admin users and editors to view it.

2) The requested file does exist in the protected media directory, but PGV privacy rules do not allow the current user to view it.

Error: The Media Firewall was launched from a directory other than the media directory.

Your server should only send 404 errors from the /phpGedView/media/ directory to the media firewall. This error means your server is sending 404 errors from other directories to the media firewall as well. This will most likely happen if you mis-configure IIS.

Log entries

You should occasionally check your log file for error messages relating to the Media Firewall:

  • Go to the admin page
  • Choose View Log Files

Any message which starts with "Media Firewall error" should be investigated as described below.

Media Firewall error: >Unknown Mimetype< for file >FILENAMEHERE<

If you see this, please open a support ticket asking to have the media firewall to support your media type. Please put the full error message into the ticket.

Media Firewall error: >This media file is broken and unable to be watermarked< in file >FILENAMEHERE< (FILESIZE)

This indicates there is a problem with a particular media file. Try opening the file in your favorite image processing software and save out a new version.

Note that the media firewall will be unable to add watermarks to this file until you upload a new version.

Media Firewall error: >imagettftext() [<a href='function.imagettftext'>function.imagettftext</a>]: Could not find/open font< in file >FILENAMEHERE< (FILESIZE)

If you see this error on ALL your images, and you only see the fallback style of watermarking (horizontal text), please post a note to the Help forum.

If this error happens only on some of your images, try opening them in your favorite image processing software and saving out a new version. It may? help to reduce the file size of these image. We are not really sure what causes this, but we have seen it happen.

Reminders

If you have multiple gedcoms, make sure you set "Use Media Firewall" and "Media Firewall Root Directory" to the same thing for all Gedcoms.

Note: The media firewall does cache your images. You may need to CTRL-R refresh to force your browser to bypass the cache. If that doesn't help, clear your browser cache entirely.

Getting Help

If you need help, please post a question in the help forum with the following information about your configuration:

  • Multimedia Directory:
  • Use Media Firewall:
  • Media Firewall Root Directory:
  • Protect Thumbnails of Protected Images:
  • Who can view non-watermarked images:
  • Add watermarks to thumbnails:
  • Store watermarked thumbnails on server:
  • Store watermarked full size images on server:

Please provide urls to your site if at all possible.


When describing the problem, please provide details about what page you were on and what error messages you received. Also specify whether you did this while logged in or not.

Try viewing an image file directly, bypassing the mediaviewer, lightbox, etc. For instance:

 www.domain.com/phpGedView/media/path/image.jpg

Try it as an authenticated user and as a regular user and let us know what happened. Don't forget to CTRL-R refresh after logging out.