I'm running into an issue using xsendfile with my Rails 3 app.

I'm using capistrano to manage deployments and in each release, there is a symbolic link to the shared/assets dir (e.g. /var/www/site/releases/1234/assets => /var/www/site/shared/assets). The problem is that that XSendFile doesn't seem to follow the symbolic links. In my apache logs, I'm seeing the following error:

The given path was above the root path: xsendfile: unable to find file: /var/www/site/releases/20110406205607/assets/pdfs/2/original/test.pdf

I have the XSendFilePath config set as

XSendFilePath /var/www/site/shared/assets

If I switch the config to:

XSendFilePath /var/www/site/releases

Then everything works fine. So I have a couple of questions:

1) Is there a way to make the XSendFilePath follow the symbolic link?

2) Is there a security risk with setting the XSendFilePath to my releases dir? In other words, do I open up access to all of that dir?

Are you creating the link using an after "deploy:finalize_update" task similar to this:

task :storage_link, :except => { :no_release => true } do
    run "ln -nFs #{deploy_to}/shared/assets #{latest_release}/assets"
end

This makes XSendFilePath see the link as /var/www/site/current/assets which puts it inside of the root path.

Also make sure the user running your app owns and has write permissions on /var/www/site/shared/assets.