1👍
I ended up using this: X-Accel-Redirect
So, files are available for users by paths like mysite.com/data/my_file.pdf
Django expects the user to send a GET request with an auth token attached, checks it, and adds X-Accel-Redirect and S3 auth headers to the response. Nginx (in my case) catches that header and serves the file from S3 by redirecting the request, with the headers attached, to my S3 storage host.
0👍
The "expiring links" are S3 signed URLs that are valid for a period you can define with your request, and should indeed be what you’re looking for.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
Using pre-signed URLs for the client’s access to files like that should be no security issue if you made sure the permissions of the files in your bucket are private.
Though, if you really wish and after measuring the impact on your bandwidth, you could proxy the file transfer through your Django app so that the S3 bucket URL is not sent client side.