I want to restrict access to a file or files using .htaccess file. Basically, no one should be able to download file(s) using direct link to the file. However, the file should be accessible from my website.
For instance, say I have a file called Presentation.ppt. I want the visitor to have access to it through my website, but if they try to download it or access it using direct link then the server should reject the request.
Is it possible to do that using .htaccess?
Thank you in advance,
You can deny access to the directory for every IPA but the server's:
<Directory /dir/of/presentation>
Order Allow,Deny
Allow from 127.0.0.1
Deny from All
</Directory>
That wonk work, as you pointed out.
How about using Mod Rewrite with a rule that maps /dir/of/presentation/* to a forbidden page. That way a direct link won't work. A request for http://site/content/presentation.ppt
could get redirected to http://site/forbidden.html
Internally, you could make a link to http://authorizedRequest/presentation.ppt map to http://site/content/presentation.ppt
It's just security through obscurity. It wouldn't prevent anyone from typing your "secret" URI into their browser directly.
For instance, say I have a file called Presentation.ppt. I want the visitor to have access to it through my website, but if they try to download it or access it using direct link then the server should reject the request.
Is it possible to do that using .htaccess?
It's possible but there's ways to get around it. You need to check against the referer sent by the browser, but anyone can spoof that and sometimes a browser may choose to not even include a referer.
If you are trying to protect the file Presentation.ppt, put these rules in the htaccess file in your document root:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^(https?://)?your_website.com
RewriteRule ^/?path/to/Presentation.ppt - [L,F]
If you want to protect a folder /path/images/ then:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^(https?://)?your_website.com
RewriteRule ^/?path/images - [L,F]
Thank you all for your answers. I have tried all of your suggestions, but I still couldn't get it working. However, I did come up with a solution that does work.
Step 1: Disable or turn off Option Indexes on your web server by removing the word indexes leaving everything else the same. In some instances, you may be able to do this using .htaccess file. If you are unable to do this with .htaccess, then you will have to look for httpd.conf file in your server. It is usually located at etc/apache/httpd.conf or etc/httpd/conf/httpd.conf. Once you find it, turn this option off in there.
Step 2: Create a folder within your webpage folder and call it whatever you want but make sure it is not easily guessable or that it is obvious (i.e. Joe33CompanyOCT2MeBoss). Then, move the files you want to hide or protect from your visitor into this folder.
Step 3: Within robot.txt file, disallow all bots or crawlers from indexing your folder or the files within this folder by entering, "Disallow yourfoldername."
Step 4: Then you will have to create a PHP file using a similar code below. The code below will force download.
$File1 = 'http://yourwebsite.com/Joe33CompanyOCT2MeBoss/Presentation.ppt';
header("Content-Disposition: attachment; filename=\"".basename($File1)."\"");
header("Content-Type: application/force-download");
ob_end_clean();
flush();
readfile($File1);
exit;
This way direct path to the file is hidden from your visitor and even though they can download the file directly they simply don't know the actual URL to the file, because force download php code doesn't reveal the actual path to the file. So, now my visitors to my website has to go through my webpage for downloading this file instead of directly.
Following stackoverflow questions have been very instrumental in helping me solve my programming issues. Thanks,
How to Automatically Start a Download in PHP?
php file force download
The easiest (though not bulletproof) is to redirect the user agent when the HTTP_REFERER is not correct. This can be done using mod_rewrite in the server configuration or (second choice) inside a .htaccess like file. It helps against simply hotlinking (links referencing your file by url).
You should read the fine documentation of moapaches d_rewrite.
Related
I am running a Wordpress SSL-Website which requires to have one tab to be non-SSL because it runs a non-secure websocket and it would be rejected due to mixed content otherwise.
In that regard I am doing a redirect in the .htaccess file:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stage/)$
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*) http://%{HTTP_HOST}/$1 [R=301,L]
which indeed makes this specific tab unsecure, however, it also results to the following two issues:
1.) After the switch from https to http I am loosing any wordpress status information - it basically behaves as if the user is not logged in. Going back to the other secured tabs the information is back again.
2.) This specific tab includes three iFrames which I may only include via https and not via http. When including them via http I am on top of issue 1.) also loosing the wordpress data base access at all.
In fact the switch from https to http is only a workaround but currently a fine compromise for the meantime. It works without the issues mentioned in Joomla and now I would like to know if there is way to get rid of them in Wordpress as well.
Thanks in advance,
best
Alex
WordPress' SECURE_AUTH_COOKIE is equal to 'wordpress_sec_' . md5(get_site_option('siteurl')). So as you change environments (secure to non-secure) that siteurl will change and your session cookie hash will be different. You'll need the user to login on BOTH secure AND non-secure before proceeding.
The code in question is located at wp-includes/default-constants.php. Since this runs before any plugins/theme code. You'd have to hack this at the wp-config.php level. Then check out it's use in the wp-includes/pluggable.php file to see future modifications are needed. The pluggable file runs after plugins init, so you can hook into filters there, if needed.
really weird behaviour.
On a subdomain of mysite https://staging.example.com I have the following htaccess.
<IfModule mod_rewrite.c>
RewriteEngine On
Redirect 301 /support /support/subsection
</IfModule>
this works perfectly fine on https://example.com but does not on staging.mysite.com
Here this happens: https://staging.example.com/support/subsection/subsection/subsection/subsection/subsection/subsection/subsection/subsection
I get this repeated pattern as if there was some loop or something going on
Redirect directive requires a complete URI as the redirect target. However, you can use RedirectMatch that allows you to specify a relative URI as the target.
RedirectMatch 301 ^/support$ /support/subsection
I think you get all those subsections for two reasons. The first reason is that you don't use a complete URI for the redirect. I think the documentation claims that you don't have to use it, a documentation typo I guess.
The second reason is because you don't tell the engine explicitly what you want, thus it will not always work as expected. When using .htaccess the rules are processed each time the .htaccess file is called. Since you didn't tell where to start and to end (^ $) it will (I think) be processed once per character and that seems to hold. However, if you use the httpd.conf file instead it would only be processed once.
Another benefit if you use httpd.conf is that you can enable logging to investigate complex mod_rewrite directives. To enable logging add the following to httpd.conf:
RewriteLog /var/log/apache/rewrite.log
RewriteLogLevel 2
I have an application written with the CakePHP framework and it is currently located in httpdocs. I want a few pages to be redirected to https://
Basically this shouldn't be a problem to detect whether the user is already on https://... or not. My issue is a different one: In my opinion I would need to make a copy of the whole project and store it in httpsdocs, right? This sounds so silly but how should it work without duplicating the code? I think I miss something but I don't get it ...
I have never had to copy the code for ssl. You should specify in the vhost for the site what the path is.
On apache there is a vhost for each, ssl and non ssl. Both can have the same webroot path.
If your webhoster requires you to put the https part of your website in httpsdocs, then you will need to put something there. But not the whole project: maybe only the /web part (the part that is actually served up by the webhoster).
Something like
/cake/app/ --> your app code
/httpsdoc/.. --> index.php and possibly css stuff, images etc
/httpsdocs/.. --> copy of index.php and the rest as well
Of course, you could also use some internal redirect in .htaccess
One suggestion: now that google indexes https urls, you could also choose to make the whole site available through https.
I want to protect some files in my server from download but my site needs to have access in them. I want to protect some subtitles files, which are needed to be accessed by site, but I don't want anybody to download them. The site is hosted.
For example some sites use some strange strings that are connected with user, video and IP. Can be used something like this for my case.
http://www11.some-site.com:182/d/qygiatnqvsulzrqmk7n6nbhddbcscvyguy4auc3fn4nvf23jp64tjcpa/File-needed.mp4?start=0
If you are using Apache, You have to use rewrite rules in your .htaccess file. IF you are using other HTTP Server brand, you should use almost the same logic that I will show here, so check your HTTP server manual in that case.
Explain:
When you type www.me.com/index.php the PHP system puts the content generated by the echo commands you use inside your code.
When you type www.me.com/myfiles/iou345yo13i2u4ybo34ybu3/passwords.txt your server will put the file contents to the client browser, which will ask you to download it as a file or show as a page, depending of the file extension.
Now, if you do something like this in your .htaccess file:
RewriteEngine On
RewriteRule ^myfiles/([^/]*)^.pdf$ /index.php?file=$1& [L]
# avoit direct access to your server directories file listing
Options All -Indexes
You will type www.me.com/myfiles/file123.pdf but the server will execute index.php with the file name as content of the "file" parameter, and there in the code, you will be able to check the session to see if the user has the authorization to download this file.
If the user has the authorization, you then use the readfile() function to send the file to the user and he will not recognize where it came from (I mean the real path).
Look on how to do this here:
PHP - send file to user
Change to 644 permissions in your content.
I'm thinking about moving one of my clients mysql db to Rackspace could databases. Application is using Cakephp.. I would like to know if someone has experience doing so or will this work just by editing host/user/pass in the database.php file?
I havn't done so but Rackspace has a tutorial about doing so :
http://www.rackspace.com/knowledge_center/article/installing-cakephp-on-cloud-sites
It seems pretty simple, so you should not have any problems
Steps for cake
Locate the .htaccess file in the content directory. After "RewriteEngine on", add a new line with "RewriteBase /" to the .htaccess file and save the file back to the site. You will need to repeat this step for the rewrite rules in the .htaccess files in the app and app/webroot directories.
Load the site in your browser. You will notice several warnings concerning the installation. The first warning will be the following: Notice (1024): Please change the value of Security.salt in app/config/core.php to a salt value specific to your application [CORE/cake/libs/debugger.php, line 556].
Open app/config/core.php file and search for Security.salt. Change its value to whatever characters or string you would like, then save and close the file.
In the app/config/directory in FTP, rename the database.php.default file to be database.php.
Open app/config/database.php and scroll down to the bottom of the page to find the database connection information. Enter your database host name, user name, password and hostname, then save and close the file.
Reload your site in your browser.