Solved

Need help restricting direct url access to files and directories

Posted on 2005-05-11
Last Modified: 2010-05-18
Hello Apache experts, I need your help:

I am running Apache 2.0 on a Windows 2003 Server.

I used mod_alias to include a folder outside htdocs where uploads are stored. This is to allow the PHP code to find the document and display a link to the user.

The document is found based on a variable, when a user is in a specific area of the site, the documents that are relevant only to the record they are viewing are displayed in the form of a link. The user can open or save the document from the url posted inside our web system.

Currently, anyone who has the URL to the documents can view them by typing the specific URL in their browser, without ever going through the web system to view it. I want to disable this, and allow only users from the website to access these documents. I have tried to put these rewrite commands in the httpd.conf with no luck:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !=""
RewriteCond %{HTTP_REFERER} "!^https://mywebsite.com/.*$" [NC]
RewriteCond %{REQUEST_URI} "\.(doc|txt|pdf)$"
RewriteRule .* - [F]


Is there anything I can do on the server side to get this to work? I would prefer to keep the PHP code the same and enforce this on the server level.

I am trying to roll out this site by the end of the week, so time is critical. Any help is greatly appreciated-

3drc
Question by:3drc
7 Comments
 
LVL 27

Expert Comment

by:caterham_www
ID: 13980635
don't use ", it's invalid in conditions 2 and 3

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mywebsite\.com [NC]
RewriteRule !^.+\.(doc|txt|pdf)$ - [F]
 
LVL 27

Expert Comment

by:caterham_www
ID: 13980648
remove the '!' above:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mywebsite\.com [NC]
RewriteRule ^.+\.(doc|txt|pdf)$ - [F]
 

Author Comment

by:3drc
ID: 13980749
Does there have to be a backslash before a period in the URL? Also, are the parentheses supposed to be there? For example,

!^https://(www\.)?my\.website\.com  


I tried it exactly as you suggested and had no luck. I apologize, but I am new to Apache directives. Thx for the help.
 
LVL 27

Expert Comment

by:caterham_www
ID: 13980833
. = any character
\. = literal period -> intended here
(www\.)? = 0 or 1 of www.
The parentheses are grouping, https://www\.?  = www followed by 0 or 1 literal period

What referer can you find in the access log?
RewriteCond %{HTTP_REFERER} !^$ does allow a blank referer and your request must end with .doc or .txt or .pdf
 

Author Comment

by:3drc
ID: 13980964
from my access log:

10.3.3.128 - - [11/May/2005:13:52:07 -0500] "GET /uploads/4/ HTTP/1.1" 200 723

Not sure where to look in the access log for a referer. Does it come after the IP address?

I am still a little confused by what you mean on the syntax in your previous comment. Say I want to put https://xyz.domain.com, would it be: https://www\.?xyz\.domain\.com? I apologize for my stupidity on this.


 
LVL 27

Accepted Solution

by:
caterham_www earned 2000 total points
ID: 13981287
no, just
https://xyz\.domain\.com

but if you'd allow  https://xyz.domain.com and  https://www.xyz.domain.com, use
https://(www\.)?xyz\.domain\.com

It looks like the referer is not logged; it should be to the right of 200 723. If the referer is empty, you should see 200 723 "-"

insert in httpd.conf (just search for CustomLog to find the area where it should go) and place in a new line:
CustomLog logs/access2.log combined

for testing purposes. This will also log the referer to a log called access2.log in your logs directory
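Added example (not written by anyone in this thread): a Python approximation of the second rule set posted above, run over access-log lines to show where the Referer field sits in the combined format and which requests the rules would answer with 403. The first sample line is the one quoted in the thread; the other lines, the file path and other.example are constructed, and Python's re module stands in for Apache's regex engine.

```python
import re

# Common log format, optionally followed by the two quoted fields that the
# "combined" format adds: "Referer" and "User-Agent".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?$'
)

# Patterns from the thread's rule set; [NC] maps to re.IGNORECASE.
EMPTY_REFERER = re.compile(r'^$')
OWN_SITE = re.compile(r'^https://(www\.)?mywebsite\.com', re.IGNORECASE)
PROTECTED = re.compile(r'^.+\.(doc|txt|pdf)$')   # the RewriteRule has no [NC]

def parse(line):
    """Return (path, referer); referer is None if the format does not log it."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised log line")
    referer = m.group("referer")
    return m.group("path"), "" if referer == "-" else referer

def would_forbid(path, referer):
    """True when both negated RewriteConds hold and the RewriteRule matches."""
    referer = referer or ""
    if EMPTY_REFERER.match(referer):   # cond 1 (!^$) fails: blank referer passes
        return False
    if OWN_SITE.match(referer):        # cond 2 fails: request came from the site
        return False
    return PROTECTED.match(path) is not None

SAMPLES = [
    # Quoted in the thread: common format, so there is no Referer field.
    '10.3.3.128 - - [11/May/2005:13:52:07 -0500] "GET /uploads/4/ HTTP/1.1" 200 723',
    # Constructed combined-format lines.
    '10.3.3.128 - - [11/May/2005:13:53:10 -0500] "GET /uploads/4/a.pdf HTTP/1.1" 200 723 "-" "UA"',
    '10.3.3.128 - - [11/May/2005:13:54:02 -0500] "GET /uploads/4/a.pdf HTTP/1.1" 200 723 "https://www.mywebsite.com/record.php?id=4" "UA"',
    '10.3.3.128 - - [11/May/2005:13:55:41 -0500] "GET /uploads/4/a.pdf HTTP/1.1" 200 723 "http://other.example/page" "UA"',
]

def report(lines):
    """Return (path, referer, forbidden) for each log line."""
    return [(p, r, would_forbid(p, r)) for p, r in map(parse, lines)]

if __name__ == "__main__":
    for row in report(SAMPLES):
        print(row)
```

A URL typed straight into the browser is sent without a Referer, so it is logged as "-" and falls under the blank-referer case that these rules let through.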
 

Author Comment

by:3drc
ID: 14180282
I would like to delete this question. I found an alternative solution.