PDF previews cannot be rendered in backend for secured files #224

Open
instruccionesaldorso opened this issue Nov 28, 2024 · 11 comments

@instruccionesaldorso

TYPO3 12.4.23
EXT:secure_downloads 6.1.0

We experience that PDFs uploaded to a secured folder cannot generate PDF previews in the backend like in other not secured folders, using Filelist BE module:

screenshot-2024_10_14-14_29_47

"ADMIN TOOLS > Environment > Image Processing" section shows the ability to Read PDFs properly.

Is this a bug from the extension? Or is there anything we should additionally do through some web server configuration? (we're using nginx)

@balasch
Contributor

balasch commented Dec 4, 2024

There used to be a problem with the preview images that I thought was fixed. Are the previews shown correctly for other file types (PNG/JPG)?

@instruccionesaldorso
Author

@balasch Yes. PNG/JPG thumbnails are shown properly, as you can see in the next screenshot. Also notice the "green person icon" is not attached to the picture as for the other PDF files:

screenshot-example_ddev_site-2024_12_04-12_21_20

@balasch
Contributor

balasch commented Dec 4, 2024

Too bad, then you can't just blame it on you and the server configuration.
Would it be possible for you to send me the server configuration? I have the problem that we are not very familiar with Nginx and it would be time-consuming for us to recreate the server configuration.

@instruccionesaldorso
Author

@balasch This happens to us in an nginx server, but also in a DDEV environment using nginx. Maybe you could just reproduce it there locally?

This is our .ddev/config.yaml file:

name: example
type: typo3
docroot: public
php_version: "8.1"
webserver_type: nginx-fpm
xdebug_enabled: false
additional_hostnames:
    - example2
additional_fqdns: []
database:
    type: mariadb
    version: "10.5"
performance_mode: mutagen
use_dns_when_possible: true
timezone: Europe/Berlin
composer_version: "2"
disable_settings_management: true
web_environment: []
nodejs_version: "16"
corepack_enable: false

We're using TYPO3 12.4.23 & EXT:secure_downloads 6.1.0.
And we use latest DDEV version 1.24.0.
If you still need our production nginx configuration, I can request it from my sysadmin and provide it to you.

@balasch
Contributor

balasch commented Dec 4, 2024

DDEV config is great, thanks!

@instruccionesaldorso
Author

@balasch Sorry, I noticed something, now re-checking all configuration.

My parsing.securedFiletypes EM global option was: 'pdf|docx?|xlsx?'. That's why images were not having a secured icon inside the secured folder.
Now that I changed this option to 'pdf|docx?|jpg|xlsx?', the image thumbnail is not displayed.

screenshot-example_ddev_site-2024_12_04-12_54_21

So I guess it's an nginx problem all in all inside DDEV, as you mentioned?

Here are my EM global options for the extension, in case it helps:

    'secure_downloads' => [
        'allowPublicAccess' => '1',
        'cachetimeadd' => '3600',
        'createFileStorage' => '0',
        'documentRootPath' => '/',
        'enableGroupCheck' => '0',
        'excludeGroups' => '-1,0',
        'forcedownload' => '0',
        'forcedownloadtype' => 'odt|pptx?|docx?|xlsx?|zip|rar|tgz|tar|gz',
        'groupCheckDirs' => '',
        'linkPrefix' => 'securedl',
        'log' => '1',
        'outputFunction' => 'stream',
        'protectedPath' => '',
        'securedDirs' => 'fileadmin/user_upload/downloads',
        'securedFiletypes' => 'pdf|docx?|jpg|xlsx?',
        'skipCheckConfiguration' => '0',
        'strictGroupCheck' => '0',
        'tokenPrefix' => 'sdl-',
    ],

@balasch
Contributor

balasch commented Dec 4, 2024

We will check it.

@instruccionesaldorso
Author

@balasch I also noticed this in EM Settings options in the Install Tool:

screenshot-example_ddev_site-2024_12_04-12_59_49

So I guess I should read the docs again, to fix also this issue.

@balasch
Contributor

balasch commented Dec 4, 2024

Okay. Can you give me feedback?

@instruccionesaldorso
Author

@balasch Some feedback: I could add this nginx rule to the default .ddev/nginx_full/nginx-site.conf file:

    # TYPO3 - Block access to specific file types in fileadmin/user_upload/downloads
    # this is my rule
    location ~ fileadmin/user_upload/downloads/.*\.(?:pdf|docx?|xlsx?)$ {
        deny all;
    }

After restarting DDEV, Settings for the extension are shown properly:

screenshot-example_ddev_site-2024_12_05-18_29_43

Files cannot be accessed in the frontend (403 error).

Even with that, PDF thumbnails are not shown. All previews show a 404 error in the console, e.g.

https://example.ddev.site/securedl/sdl-eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MzM0MTk5MDMsImV4cCI6MTczMzUwOTkwMywidXNlciI6MCwiZ3JvdXBzIjpbXSwiZmlsZSI6ImZpbGVhZG1pbi9fcHJvY2Vzc2VkXy9hLzgvcHJldmlld18yOTA2OTlfNF9HR1pfMDkxZWM5NDI1OS5wbmciLCJwYWdlIjowfQ.GgGtJcC_g1xxlMIhEziTVqhEX5hUs6Ob1tq2ECN_JX0/preview_290699_4_GGZ_091ec94259.png

Just to mention it, I upgraded extension locally to latest 6.1.1 version :)

@bmheins
Contributor

bmheins commented Dec 13, 2024

With ddev's default nginx configuration, all images will be tried to be delivered immediately, even if they don't exist. So the given URL will never get processed by TYPO3.

If you change the following section in .ddev/nginx_full/nginx-site.conf

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|webp|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

to

    # Media: images, icons, video, audio, HTC
    # (regex locations are matched against the URI including its leading slash)
    location ~ ^/(?:fileadmin/|uploads/|_assets/|sdl/).+\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|webp|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

things should work as expected.

Unfortunately, I did not manage to only exclude images from securedl/ from being processed directly. So if you have an idea how to achieve that, it would be great if you share it.
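
Added example, not part of the thread or of the extension's own documentation: one way to address the open question above, keeping only `/securedl/` URLs away from nginx's media location while leaving that location in place for real static files. It assumes the `securedl` link prefix and the `securedFiletypes` value from the settings posted earlier, and that the site config already contains a `location ~ \.php$` block that hands `/index.php` to PHP-FPM.

```nginx
# Added example for .ddev/nginx_full/nginx-site.conf, inside the existing
# server { } block. Assumptions: linkPrefix is 'securedl', securedFiletypes is
# 'pdf|docx?|jpg|xlsx?', and a "location ~ \.php$" block already exists.

# 1) Token URLs always go to TYPO3.
# "^~" marks a prefix location that, when it is the longest matching prefix,
# stops nginx from evaluating regex locations at all. A request such as
# /securedl/sdl-<token>/preview_....png therefore never reaches the media
# block in (3), even though the URL ends in .png.
location ^~ /securedl/ {
    # No file exists under this path, so the request falls through to
    # index.php and the extension resolves the file from the token.
    try_files $uri /index.php$is_args$args;
}

# 2) Direct-access block for the secured directory.
# Keep the extension list identical to securedFiletypes. Regex locations are
# tried in file order and the first match wins, so this block has to appear
# before the media block; otherwise .jpg files in the secured directory are
# matched by (3) and served without a token.
location ~ ^/fileadmin/user_upload/downloads/.*\.(?:pdf|docx?|jpg|xlsx?)$ {
    deny all;
}

# 3) DDEV's default media block, unchanged, for everything else.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|webp|htc)$ {
    expires 1M;
    access_log off;
    add_header Cache-Control "public";
}
```

DDEV overwrites `nginx-site.conf` on start while the file still contains its `#ddev-generated` marker line, so remove that line before restarting.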
