mod_rewrite not acting as I expect

I want to prevent mp3 files on my site from being downloaded directly by someone who has figured out the path to the files.  The path to track1 of "album" is:

                               http://www.mysite/music/album/track1.mp3

In the music directory I've added a .htaccess file that contains
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
RewriteRule \.mp3$ - [F]


My understanding of this code is that if HTTP_REFERER is not empty and is not a page on my own site, any request that ends in .mp3 will be failed with a 403 error.

But this .htaccess file doesn't seem to protect anything.  I can still download an mp3 by placing

    http://www.mysite.com/music/album/track1.mp3

into a browser.

Does anyone see what the problem is?

Thanks for any ideas.

Steve
steva Asked:
Insoftservice Commented:
Hi,

Might be helpful for you.
I had kept .htaccess on the mp3 folder and later authenticated for direct access, and while accessing it from our pages I had provided the authentication username and password. But below can be much more beneficial for you.

http://www.dialme.com/m/articles/view/How-to-Prevent-direct-access-to-files-and-folders
http://stackoverflow.com/questions/2234435/prevent-direct-access-to-files-with-htaccess
ravenpl Commented:
If You put "http://www.mysite.com/music/album/track1.mp3" into urlbar, then the referer is empty - right. And Your rules are working only if referer is not empty.

Try
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
RewriteRule \.mp3$ - [F]

or even better
RewriteEngine on
RewriteCond %{HTTP_REFERER} !(www\.)?mysite\.com [NC]
RewriteRule \.mp3$ - [F]

Also mind that this is a standard example of http://en.wikipedia.org/wiki/Security_by_obscurity which actually provides no security at all.
steva Author Commented:
ravenpl,

Yes, leaving out the first condition lets it work.

Your last sentence suggests that this is really not going to provide any security. How would someone convince Apache to not apply the mod_rewrite rules and offer up the file?

Steve
steva Author Commented:
Actually, there's still a problem with the mod_rewrite.  While the code blocks direct accesses now, it also blocks local access from the same page. I change the Quick Time player with the code

document.Poets.SetURL('Alone_256kbps.mp3');

where Alone_256kbps.mp3 is on the same page as the player. And this fails with the .htaccess file in the upper directory.

Thanks again for your help.

Steve

ravenpl Commented:
Well, but that's how it works - if You allow empty referrer then anybody from the internet is allowed (unless it's redirected from a different webpage).

Can You set valid referrer to the player?
steva Author Commented:
But the condition:

RewriteCond %{HTTP_REFERER} !(www\.)?mysite\.com [NC]

seems to say, "If not from my site, block it with the RewriteRule." This local page request is from my site, so the RewriteRule should not be applied. I would expect the request from the page back to the server to contain an absolute URL with www.mysite.com... Am I not seeing this correctly?

I don't know how I would target just the player.  It sits in the HTML as an <object> element without its own URL.

ravenpl Commented:
The problem is that the mp3 is accessed from the player rather than the browser. The browser would surely set the correct referrer, while the player is another application (flash?) embedded into the webpage. The Q is if the player sets (or can be set) the correct referrer. I don't know that though.

steva Author Commented:
The embedded player is QuickTime.

I gave you the points for all the answers you did give me.   I'll post another question to QuickTime area and maybe someone there will know how QuickTime requests the song from the server and how I can get that through a mod_rewrite rule.

Thanks for the help.
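
Added example, not part of the original thread: a small Python model of how mod_rewrite evaluates the three rule sets posted above (RewriteRule pattern first, then the RewriteCond lines, ANDed) against constructed Referer values. The request labels and the other.example host are assumptions, and a player request arriving with no Referer is the thread's suspicion, not a confirmed fact.

```python
import re

# RewriteCond lines guarding "RewriteRule \.mp3$ - [F]" in each post.
# Each entry is (pattern, negated); every pattern carries [NC].
RULESETS = {
    "question":          [(r"^$", True),
                          (r"^http://(www\.)?mysite.com/.*$", True)],
    "answer_anchored":   [(r"^http://(www\.)?mysite.com/.*$", True)],
    "answer_unanchored": [(r"(www\.)?mysite\.com", True)],
}

def status(ruleset, path, referer=""):
    """Return 403 if the rule set forbids the request, else 200.

    mod_rewrite matches the RewriteRule pattern first, then the
    RewriteCond lines, which are ANDed unless flagged [OR]. A missing
    Referer header expands to the empty string.
    """
    if not re.search(r"\.mp3$", path):
        return 200                       # rule pattern does not apply
    for pattern, negated in RULESETS[ruleset]:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:           # this condition is false,
            return 200                   # so [F] is never reached
    return 403

# Constructed requests: (label, Referer header value)
CASES = [
    ("typed into the URL bar", ""),
    ("link on own page", "http://www.mysite.com/music/album/index.html"),
    ("link on another site", "http://other.example/page.html"),
    ("player request without Referer (assumed)", ""),
    ("other site, site name inside its URL",
     "http://other.example/?ref=mysite.com"),
]

def table(path="album/track1.mp3"):
    """Evaluate every rule set against every constructed request."""
    return {(name, label): status(name, path, ref)
            for name in RULESETS for label, ref in CASES}

if __name__ == "__main__":
    for (name, label), code in table().items():
        print(f"{name:18} {label:42} {code}")
```

The output shows the trade-off discussed in the thread: exempting the empty Referer lets direct requests through, dropping the exemption also rejects any client that sends no Referer, and the unanchored pattern accepts any header value that merely contains the site name.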