mod_rewrite not acting as I expect

I want to prevent mp3 files on my site from being downloaded directly by someone who has figured out the path to the files.  The path to track1 of "album" is:

    http://www.mysite/music/album/track1.mp3

In the music directory I've added a .htaccess file that contains

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
    RewriteRule \.mp3$ - [F]

My understanding of this code is that if HTTP_REFERER is not empty and is not a page on my own site, any request that ends in .mp3 will be failed with a 403 error.

But this .htaccess file doesn't seem to protect anything.  I can still download an mp3 by placing

    http://www.mysite.com/music/album/track1.mp3

into a browser.

Does anyone see what the problem is?

Thanks for any ideas.

Steve
steva Asked:
 
ravenpl Commented:
The problem is that the mp3 is accessed from the player rather than the browser. The browser would surely set the correct referrer, while the player is another application (flash?) embedded into the webpage. The question is whether the player sets (or can be set to send) the correct referrer. I don't know that though.
0
 
Insoftservice Commented:
Hi,

This might be helpful for you.
I had kept an htaccess file on the mp3 folder and later authenticated for direct access, and while accessing it from our pages I had provided the authentication username and password. But the links below could be much more beneficial for you.

http://www.dialme.com/m/articles/view/How-to-Prevent-direct-access-to-files-and-folders
http://stackoverflow.com/questions/2234435/prevent-direct-access-to-files-with-htaccess
0
 
ravenpl Commented:
If you put "http://www.mysite.com/music/album/track1.mp3" into the URL bar, then the referer is empty, right? And your rules are working only if the referer is not empty.

Try

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
    RewriteRule \.mp3$ - [F]

or even better

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !(www\.)?mysite\.com [NC]
    RewriteRule \.mp3$ - [F]

Also mind that this is a standard example of http://en.wikipedia.org/wiki/Security_by_obscurity which actually provides no security at all.
0
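Added example (not part of the thread, and not Apache's own code): a Python model of how the three rule sets posted above evaluate the Referer header for an .mp3 request. It assumes Python's `re` treats these patterns the same way Apache's regex engine does; the sample Referer values are constructed, and the `name_in_query` case goes slightly beyond the thread to show what the unanchored pattern accepts.

```python
import re

# RewriteCond lines from the thread, all tested against %{HTTP_REFERER}.
# Each entry is (negated, pattern); conditions are ANDed and [NC] applies.
RULESETS = {
    "original": [(True, r"^$"), (True, r"^http://(www\.)?mysite.com/.*$")],
    "try": [(True, r"^http://(www\.)?mysite.com/.*$")],
    "even_better": [(True, r"(www\.)?mysite\.com")],
}
RULE = re.compile(r"\.mp3$")  # RewriteRule \.mp3$ - [F]

# Constructed sample requests: label -> Referer header ("" means none sent).
REFERERS = {
    "no_referer": "",  # URL typed into the address bar, or a client sending none
    "own_page": "http://www.mysite.com/music/album/index.html",
    "other_site": "http://other.example/page.html",
    "name_in_query": "http://other.example/?from=mysite.com",
}
MP3 = "album/track1.mp3"


def decide(ruleset, path, referer):
    """Return 403 if the [F] rule fires for this request, otherwise 200."""
    if not RULE.search(path):
        return 200  # rule pattern does not match, conditions never run
    for negated, pattern in RULESETS[ruleset]:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:  # a '!' condition fails when the pattern matches
            return 200  # one false condition stops the rule
    return 403


def table():
    """Status per rule set and sample request."""
    return {name: {label: decide(name, MP3, ref) for label, ref in REFERERS.items()}
            for name in RULESETS}


if __name__ == "__main__":
    for name, row in table().items():
        print(f"{name:12}", row)
```

The `no_referer` row shows the trade-off discussed here: the original rules serve the file to any request without a Referer, and dropping the first condition refuses every such request, whichever client sent it.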
 
steva Author Commented:
ravenpl,

Yes, leaving out the first condition lets it work.

Your last sentence suggests that this is really not going to provide any security. How would someone convince Apache to not apply the mod_rewrite rules and offer up the file?

Steve
0
 
steva Author Commented:
Actually, there's still a problem with the mod_rewrite. While the code blocks direct accesses now, it also blocks local access from the same page. I change the QuickTime player with the code

    document.Poets.SetURL('Alone_256kbps.mp3');

where Alone_256kbps.mp3 is on the same page as the player. And this fails with the .htaccess file in the upper directory.

Thanks again for your help.

Steve

0
 
ravenpl Commented:
Well, but that's how it works: if you allow an empty referrer then anybody from the internet is allowed (unless it's redirected from a different webpage).

Can you set a valid referrer for the player?
0
 
steva Author Commented:
But the condition:

    RewriteCond %{HTTP_REFERER} !(www\.)?mysite\.com [NC]

seems to say, "If not from my site, block it with the RewriteRule." This local page request is from my site so the RewriteRule should not be applied. I would expect the request from the page back to the server to contain an absolute URL with www.mysite.com... Am I not seeing this correctly?

I don't know how I would target just the player. It sits in the HTML as an <object> element without its own URL.

0
 
steva Author Commented:
The embedded player is QuickTime.

I gave you the points for all the answers you did give me. I'll post another question to the QuickTime area and maybe someone there will know how QuickTime requests the song from the server and how I can get that through a mod_rewrite rule.

Thanks for the help.
0
Question has a verified solution.
