Solved

mod_rewrite not acting as I expect

Posted on 2011-10-04
Last Modified: 2012-05-12
I want to prevent mp3 files on my site from being downloaded directly by someone who has figured out the path to the files.  The path to track1 of "album" is:

                               http://www.mysite/music/album/track1.mp3

In the music directory I've added a .htaccess file that contains

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
    RewriteRule \.mp3$ - [F]

My understanding of this code is that if HTTP_REFERER is not empty and is not a page on my own site, any request that ends in .mp3 will be failed with a 403 error.

But this .htaccess file doesn't seem to protect anything.  I can still download an mp3 by placing

    http://www.mysite.com/music/album/track1.mp3

into a browser.

Does anyone see what the problem is?

Thanks for any ideas.

Steve
0
Question by:steva
8 Comments
 
LVL 15

Expert Comment

by:Insoftservice
ID: 36914939
Hi,

This might be helpful for you.
I had kept htaccess on the mp3 folder and later authenticated for direct access, and while accessing it from our pages I had provided the authentication username and password. But the links below can be much more beneficial for you.

http://www.dialme.com/m/articles/view/How-to-Prevent-direct-access-to-files-and-folders
http://stackoverflow.com/questions/2234435/prevent-direct-access-to-files-with-htaccess
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 36918705
If you put "http://www.mysite.com/music/album/track1.mp3" into the URL bar, then the referer is empty - right. And your rules are working only if the referer is not empty.

Try

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
    RewriteRule \.mp3$ - [F]

or even better

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !(www\.)?mysite\.com [NC]
    RewriteRule \.mp3$ - [F]

Also mind that this is a standard example of http://en.wikipedia.org/wiki/Security_by_obscurity which actually provides no security at all.
0
 

Author Comment

by:steva
ID: 36921668
ravenpl,

Yes, leaving out the first condition lets it work.

Your last sentence suggests that this is really not going to provide any security. How would someone convince Apache to not apply the mod_rewrite rules and offer up the file?

Steve
0
 

Author Comment

by:steva
ID: 36921732
Actually, there's still a problem with the mod_rewrite. While the code blocks direct accesses now, it also blocks local access from the same page. I change the Quick Time player with the code

    document.Poets.SetURL('Alone_256kbps.mp3');

where Alone_256kbps.mp3 is on the same page as the player. And this fails with the .htaccess file in the upper directory.

Thanks again for your help.

Steve

0
 
LVL 43

Expert Comment

by:ravenpl
ID: 36922692
Well, but that's how it works - if you allow an empty referrer then anybody from the internet is allowed (unless it's redirected from a different webpage).

Can You set valid referrer to the player?
0
 

Author Comment

by:steva
ID: 36924130
But the condition:

    RewriteCond %{HTTP_REFERER} !(www\.)?mysite\.com [NC]

seems to say, "If not from my site, block it with the RewriteRule." This local page request is from my site so the RewriteRule should not be applied. I would expect the request from the page back to the server to contain an absolute URL with www.mysite.com ... Am I not seeing this correctly?

I don't know how I would target just the player.  It sits in the HTML as an <object> element without its own URL.

0
 
LVL 43

Accepted Solution

by:
ravenpl earned 2000 total points
ID: 36924673
The problem is that the mp3 is accessed from the player rather than the browser. The browser would surely set the correct referrer, while the player is another application (flash?) embedded into the webpage. The question is whether the player sets (or can be set) the correct referrer. I don't know that though.
0
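An added example (not code from any poster in this thread): a small Python model of how the three rule sets quoted above treat the kinds of request discussed. It assumes the embedded player sends no Referer header, which the accepted answer suspects but does not confirm; the sample requests and the host other.example are constructed.

```python
import re

# The three rule sets from the thread, reduced to their Referer patterns.
# Each RewriteCond has the form "!pattern": it holds when the pattern does
# NOT match. Conditions are ANDed; if all hold, the rule answers 403.
RULESETS = {
    "original": [r"^$", r"^http://(www\.)?mysite.com/.*$"],
    "anchored": [r"^http://(www\.)?mysite.com/.*$"],
    "unanchored": [r"(www\.)?mysite\.com"],
}
RULE_PATTERN = re.compile(r"\.mp3$")  # RewriteRule \.mp3$ - [F]


def status(ruleset, path, referer=""):
    """Return 403 if the rule set forbids the request, else 200.

    A missing Referer header is modelled as the empty string, which is
    what %{HTTP_REFERER} expands to in mod_rewrite.
    """
    if not RULE_PATTERN.search(path):
        return 200  # rule pattern does not match, conditions are not checked
    conds = RULESETS[ruleset]
    # IGNORECASE models [NC]; it makes no difference to the ^$ pattern.
    if all(re.search(p, referer, re.IGNORECASE) is None for p in conds):
        return 403
    return 200


# Constructed sample requests: label -> (path, Referer).
REQUESTS = {
    "typed into URL bar": ("album/track1.mp3", ""),
    "link on own page": ("album/track1.mp3", "http://www.mysite.com/music/"),
    "link on other site": ("album/track1.mp3", "http://other.example/page"),
    "embedded player, no Referer": ("Alone_256kbps.mp3", ""),
    "site name elsewhere in Referer": ("album/track1.mp3", "http://other.example/mysite.com/"),
    "non-mp3 file": ("album/cover.jpg", "http://other.example/page"),
}


def matrix():
    """Map each request label to its status under every rule set."""
    return {label: {name: status(name, path, ref) for name in RULESETS}
            for label, (path, ref) in REQUESTS.items()}


if __name__ == "__main__":
    for label, row in matrix().items():
        print(f"{label:32} {row}")
```

The table shows the trade-off in the thread: any rule that lets an empty Referer through also lets the typed URL through, and the unanchored pattern accepts any Referer that merely contains the site name.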
 

Author Comment

by:steva
ID: 36926193
The embedded  player is QuickTime.  

I gave you the points for all the answers you did give me.   I'll post another question to QuickTime area and maybe someone there will know how QuickTime requests the song from the server and how I can get that through a mod_rewrite rule.

Thanks for the help.
0

Question has a verified solution.