Need help restricting direct url access to files and directories

Hello Apache experts, I need your help:

I am running Apache 2.0 on a Windows 2003 Server.

I used mod_alias to include a folder outside htdocs where uploads are stored. This is to allow the PHP code to find the document and display a link to the user.

The document is found based on a variable: when a user is in a specific area of the site, the documents that are relevant only to the record they are viewing are displayed in the form of a link. The user can open or save the document from the URL posted inside our web system.

Currently, anyone who has the URL to the documents can view them by typing the specific URL in their browser, without ever going through the web system to view it. I want to disable this, and allow only users from the website to access these documents. I have tried to put these rewrite commands in the httpd.conf with no luck:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !=""
RewriteCond %{HTTP_REFERER} "!^https://mywebsite.com/.*$" [NC]
RewriteCond %{REQUEST_URI} "\.(doc|txt|pdf)$"
RewriteRule .* - [F]


Is there anything I can do on the server side to get this to work? I would prefer to keep the PHP code the same and enforce this on the server level.

I am trying to roll out this site by the end of the week, so time is critical. Any help is greatly appreciated.

3drc
 
caterham_www Commented:
no, just
https://xyz\.domain\.com

but if you'd allow https://xyz.domain.com and https://www.xyz.domain.com, use
https://(www\.)?xyz\.domain\.com

Looks like the referer is not logged; it should be to the right of 200 723. If the referer is empty, you should see 200 723 "-"

insert in httpd.conf (just search for CustomLog to find the area where it should go) and place in a new line:
CustomLog logs/access2.log combined

for testing purposes. This will also log the referer to a log called access2.log in your logs directory
0
 
caterham_www Commented:
don't use ", it's invalid in conditions 2 and 3

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mywebsite\.com [NC]
RewriteRule !^.+\.(doc|txt|pdf)$ - [F]
0
 
caterham_www Commented:
remove the '!' above:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mywebsite\.com [NC]
RewriteRule ^.+\.(doc|txt|pdf)$ - [F]
0
3drc (Author) Commented:
Does there have to be a backslash before a period in the URL? Also, are the parentheses supposed to be there? For example,

!^https://(www\.)?my\.website\.com  


I tried it exactly as you suggested and had no luck. I apologize, but I am new to Apache directives. Thx for the help.
0
 
caterham_www Commented:
. = any character
\. = literal period -> intended here
(www\.)? = 0 or 1 of www.
The parentheses are grouping; https://www\.? = www followed by 0 or 1 literal period

What referer can you find in the access log?
RewriteCond %{HTTP_REFERER} !^$ does allow a blank referer, and your request must end with .doc or .txt or .pdf
0
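Added example, not part of the original thread: a small Python model of the corrected rule set and of the two host patterns discussed above, run over constructed requests to show which ones would get a 403. The sample URIs, the record.php page and other.example are made up for illustration, and Python's re module is assumed to treat these simple patterns the way Apache's regex engine does.

```python
import re

# Conditions and rule from the corrected answer in this thread. Assumption:
# Python's re handles these simple patterns the way Apache's regex engine does.
REFERER_EMPTY = re.compile(r"^$")
REFERER_OWN_SITE = re.compile(r"^https://(www\.)?mywebsite\.com", re.I)  # [NC]
RULE_PATTERN = re.compile(r"^.+\.(doc|txt|pdf)$")


def is_forbidden(uri, referer):
    """True when the rule set would answer 403 Forbidden ([F])."""
    if not RULE_PATTERN.search(uri):
        return False  # rule pattern does not match, so the conditions never run
    # Both RewriteCond lines are negated with '!' and are ANDed together.
    return not REFERER_EMPTY.search(referer) and not REFERER_OWN_SITE.search(referer)


def referer_matches(pattern, referer):
    """Anchored match of a referer pattern, as in RewriteCond ... ^pattern."""
    return re.search("^" + pattern, referer) is not None


GROUPED = r"https://(www\.)?xyz\.domain\.com"   # optional "www."
UNGROUPED = r"https://www\.?xyz\.domain\.com"   # "www" required, "." optional

# Constructed sample requests: (URI, Referer); "" means no Referer header sent.
SAMPLES = [
    ("/uploads/4/report.pdf", "https://mywebsite.com/record.php?id=4"),
    ("/uploads/4/report.pdf", "https://www.mywebsite.com/"),
    ("/uploads/4/report.pdf", "https://other.example/page"),
    ("/uploads/4/report.pdf", ""),
    ("/uploads/4/", "https://other.example/page"),
]

if __name__ == "__main__":
    for uri, referer in SAMPLES:
        verdict = "403" if is_forbidden(uri, referer) else "served"
        print(f"{verdict:6} {uri:24} referer={referer or '-'}")
    for url in ("https://xyz.domain.com/", "https://www.xyz.domain.com/",
                "https://wwwxyz.domain.com/"):
        print(url, referer_matches(GROUPED, url), referer_matches(UNGROUPED, url))
```

Only the third sample is refused. The request with no Referer, which is what a browser sends when the URL is typed directly, and the directory request that does not end in .doc, .txt or .pdf are both served, so these rules alone do not restrict access to users of the web system.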
 
3drc (Author) Commented:
from my access log:

10.3.3.128 - - [11/May/2005:13:52:07 -0500] "GET /uploads/4/ HTTP/1.1" 200 723

Not sure where to look in the access log for a referer. Does it come after the IP address?

I am still a little confused by what you mean on the syntax in your previous comment. Say I want to put https://xyz.domain.com, would it be: https://www\.?xyz\.domain\.com? I apologize for my stupidity on this.


0
 
3drc (Author) Commented:
I would like to delete this question. I found an alternative solution.
0
Question has a verified solution.
