Solved

Mod ReWrite - Protect an image.

Posted on 2009-05-12
Last Modified: 2012-05-06
I have an image in a directory called:

/charts/chart.png

I want my index page to be able to access the file but I want to exclude everybody else from accessing the file.

Could somebody write me the .htaccess file with the mod rewrite rules?

Assume the following directory structure.

/index.php
/charts/.htaccess
/charts/chart.png

When somebody visits index.php I want them to see /charts/chart.png.

When somebody visits /charts/chart.png I want them to see nothing.
Question by:lwfuk
15 Comments
 
LVL 3

Assisted Solution

by:osintsev
osintsev earned 1000 total points
ID: 24368307
Your /charts/.htaccess looks like this
RewriteEngine  On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule ^(.*)$ - [F]


0
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 1000 total points
ID: 24368345
Try adding these lines

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|swf)$ - [F]

Basically, anyone who attempts to view an image but who was not referred by anyone on your website is denied (gets a [F]orbidden error)
0
 
LVL 3

Expert Comment

by:osintsev
ID: 24368352
But keep in mind this is not 100% protection (but quite sufficient), because the Referer: HTTP header can be forged by the web client.
0
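Added example, not part of any post in this thread: a small Python model of how the two RewriteCond lines above decide which requests for the image get a 403, run over constructed Referer values. The names make_rule and evaluate and the sample hosts are made up for the illustration; a Referer value set by hand is indistinguishable from the first sample.

```python
import re

AS_POSTED = r"^http://(www\.)?yourdomain.com/.*$"    # pattern from the thread
ESCAPED   = r"^http://(www\.)?yourdomain\.com/.*$"   # same, with the dot escaped

def make_rule(pattern, exempt_empty=True):
    """Return f(referer) -> True when 'RewriteRule ... - [F]' would fire."""
    allowed = re.compile(pattern, re.IGNORECASE)      # [NC]
    def forbidden(referer):
        referer = referer or ""                       # missing header expands to ""
        # RewriteCond %{HTTP_REFERER} !^$  (conditions are ANDed)
        if exempt_empty and referer == "":
            return False
        # RewriteCond %{HTTP_REFERER} !<pattern>
        return allowed.search(referer) is None
    return forbidden

# Constructed sample requests: (description, Referer header value)
SAMPLES = [
    ("image loaded by index.php", "http://www.yourdomain.com/index.php"),
    ("URL typed directly, no Referer", ""),
    ("embedded by another site", "http://other.example/page.html"),
    ("host that only matches via the bare dot", "http://yourdomain-com/page.html"),
]

def evaluate(rule):
    return {desc: ("403" if rule(ref) else "served") for desc, ref in SAMPLES}

if __name__ == "__main__":
    for name, rule in [("as posted", make_rule(AS_POSTED)),
                       ("dot escaped", make_rule(ESCAPED)),
                       ("no empty-Referer exemption", make_rule(ESCAPED, False))]:
        print(name, evaluate(rule))
```

Under the posted rule the direct visit is still served, because the !^$ condition exempts requests that carry no Referer. Dropping that condition blocks the direct visit but also blocks visitors whose browser or proxy strips the header.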
 

Author Comment

by:lwfuk
ID: 24368490
Dear osintsev / bportlock

I'm having trouble.

I put the code in an htaccess file at both the root level and at the directory level and the rules are being ignored.

Is it because I placed the htaccess file in the wrong place or do I need to modify the apache config file?

How can I tell if mod rewrite is on?
0
 

Author Comment

by:lwfuk
ID: 24368500
PS I have root access to the server.
0
 
LVL 3

Expert Comment

by:osintsev
ID: 24368521
In your httpd.conf for this directory

AllowOverride All


0
 
LVL 3

Expert Comment

by:osintsev
ID: 24368542
Something like this
<Directory /var/www/>
    Options -Indexes +FollowSymLinks +MultiViews
    DirectoryIndex main.php
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>


0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 24368599
If you have root access then placing these directives in the relevant <VirtualHost> section is the way to go. Faster than .htaccess and you do not have to worry about Overrides
0
 
LVL 3

Expert Comment

by:osintsev
ID: 24368667
If you are placing these directives in the relevant <VirtualHost> section, be careful, because these rules will work for all files on your site, not only for files in the /charts/ directory. In this case, you want to use the relevant <Directory> section inside <VirtualHost>.
0
 

Author Comment

by:lwfuk
ID: 24368910
Still having problems and it's late so I'll return to this tomorrow.

I'll share the points equally between you.

Many Thanks.

Adrian Smith
London
0
 
LVL 3

Expert Comment

by:osintsev
ID: 24369061
A bit surprised that equally, given that bportlock almost copied my example and gave one inaccurate suggestion which in general does not influence the essence of the matter. I have no claims, but I was a little upset, but it is your right.
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 24369086
"If you are placing these directives in the relevant <VirtualHost> section, be careful, because these rules will work for all files on your site,"

Indeed, but some people do it that way, otherwise you are correct and it could be installed along the following lines

<VirtualHost .... >
   ServerName .....

   <Directory /var/www/yourdomain.com>
      ..... other directives
      RewriteEngine On
      RewriteCond %{HTTP_REFERER} !^$
      RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
      RewriteRule \.(gif|jpg|png|swf)$ - [F]
   </Directory>

   ... more directives
</VirtualHost>

0
 

Author Comment

by:lwfuk
ID: 24375281
Dear osintsev

I would have given you the full marks but bportlock did not copy you. bportlock added the important line.

RewriteRule \.(gif|jpg|png|swf)$ - [F]

Sorry if your feelings are hurt but this is a forum for engineers who want to help each other and I am grateful to you both.

Many Thanks,

Adrian Smith
London
0
 

Accepted Solution

by:lwfuk
lwfuk earned 0 total points
ID: 24375305
In the end I found a better solution which I documented here.

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_24401292.html
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 24375886
@Osintsev - just to be clear, I did not copy your solution, the example I gave is based on the one in the Apache documentation on how to prevent hotlinking. It is often the case that a standard solution is widely known and offered by several experts on the forum more or less simultaneously. See this one where cxr and myself both posted virtually the same answer twice

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_24401593.html


In this question we both offered differing suggestions so I feel that the OP was correct to split the points. I have (on other questions) given correct solutions only to see the points going to whoever posted last.

@lwfuk - thanks for the points and I'm glad you solved your problem. I notice that the solution you settled on was a variant of the suggestions above in that it depends on determining the referrer. Still, as long as it works....
0
