Issue
Drupal allows for two methods of accessing files: private and public. While public files are served by a direct request to the file through Apache, private files should use PHP (instead of Apache) to serve the file contents. Because a private file should not be served by Apache, we recommend that the private files directory exist in a location Apache cannot read — outside the docroot.
Resolution
To provide separate private file directories for different environments or multisite websites, configure the file_private_path variable set per Drupal website or environment.
On Acquia Cloud, file_private_path can be set to the appropriate location, depending on your configuration:
/mnt/files/[site].[env]/files-private/mnt/files/[site].[env]/sites/[sitedir]/files-private(for multisites)
and in some cases, it may be set to:
/mnt/files/[site].[env]/sites/default/files-private
where [site] is the site name, [env] is the environment name, and [sitedir] is the directory for the multisite. If you want to use a different location for private files, add the following code to your website's settings.php file to detect both the Acquia environment and the current Drupal multisite:
Drupal 8:
if (isset($_ENV['AH_SITE_ENVIRONMENT'])) {
$settings['file_private_path'] = '/mnt/files/' . $_ENV['AH_SITE_GROUP'] . '.' . $_ENV['AH_SITE_ENVIRONMENT'] . '/' . $site_path . '/files-private';
}
else {
$settings['file_private_path'] = '{PATH}';
}
Drupal 7:
if (isset($_ENV['AH_SITE_ENVIRONMENT'])) {
$files_private_conf_path = conf_path();
$conf['file_private_path'] = '/mnt/files/' . $_ENV['AH_SITE_GROUP'] . '.' . $_ENV['AH_SITE_ENVIRONMENT'] . '/' . $files_private_conf_path . '/files-private';
}
else {
$conf['file_private_path'] = '{PATH}';
}
where {PATH} is the path for the local server's private files directory.
The code allows for a non-Acquia private files location to be set for working on a local server's copy of the website.
After you've saved your changes to settings.php, save the file system form located at http://[site_URL]/admin/config/media/file-system for all websites in all environments. This form, when processed, will create the correct directories. The path for your private files directory can be found on this form in the text area under Private file system path. Acquia Cloud users can also set their private file directory to ../acquia-files/files-private in the Drupal UI. This setting will propagate across all their environments.
The private files directory is now saved and will persist unless deleted. The act of saving a private files directory also creates an .htaccess file containing the command Deny from all. That command prevents the serving of files from the private directory.
Once the private file system path is saved, it can then be utilized by fields. For example, you could add a file field to the Articles content type. As you configure this field, you will see that you (and other website administrators) can choose the file's Upload destination by selecting either Public files or Private files. Files uploaded to this field are stored in your database's files_managed table with the private: protocol, instead of the public: protocol.
You can control access to files uploaded through a file field by clearing the Display check box next to the file before publishing the piece of content to which the file is attached. Because the file will not display, users won't be able to click it. They also won't be able to navigate directly to any files in the private directory.
For a more detailed level of access to private files, it may be necessary to write custom modules that interact with the private file system.
Accessing the private files directory via SFTP
To download or update files in the private files directory, you may need to do so through SFTP.
- Review our documentation on connecting to your server via that SFTP. Notably, you will require a public/private key pair to access your Acquia server this way.
- Once you connect to the server for the appropriate environment (let's say,
prod), you will see that environment as a directory. Click through to view the contents of that directory. - The directory you will look for is whatever comes after
/mnt/files/[site].[env](discussed above). So if the example you have is/mnt/files/[site].[env]/files-private, the directory you should look for now, after clicking through the environment directory, isfiles-private.