• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 509
  • Last Modified:

htaccess rewrite to prevent direct file access

Hi,

I have a website, let's call it "www.somewhere.com"

This website has a directory called "orderuploads" into which people can upload files using my website.

These uploaded files must only be accessible by one URL   "www.somewhere.com/uploadorders.php"

Accessing the uploaded files directly like "www.somewhere.com/orderuploads/image.jpg" via a browser must be prevented.

From what I can gather, htaccess must be used with a rewrite but can someone please provide the necessary code?

Thanks in advance
0
kbit
Asked:
kbit
  • 5
  • 4
2 Solutions
 
Zephyr ICTCloud ArchitectCommented:
You can put the .htaccess file in the folder with following lines:

order deny,allow
deny from all

Open in new window


Or if you want to allow access to certain files:

<FilesMatch "\.(gif|jpe?g|png)$">
    Order Allow,Deny
    Allow from all 
    Satisfy Any
</FilesMatch>

Open in new window


You might need to play around with the order of "Allow,Deny" depending on the use.
"Order Deny,Allow" means that the deny rules are processed before the allow rules and vice versa.
0
 
kbitAuthor Commented:
Thanks for those suggestions.

I tried

order deny,allow
deny from all

Open in new window


and it nicely prevents the direct access but it also prevents the file being opened/downloaded via "www.somewhere.com/uploadorders.php". I need the latter
0
 
Zephyr ICTCloud ArchitectCommented:
Hmmm...

Since I can't test... Something like this maybe?

RewriteCond %{HTTP_HOST} ^xxx\.com$
RewriteRule ^$ http://www.xxx.com/index.php [R=301,L] 

RewriteCond %{HTTP_REFERER} !^http://(www\.)?xxx\.com/ [NC] 
RewriteRule ^_files/uploadorders/[^.]+\.(jpe?g|gif|bmp|png)$ - [F,NC]

Open in new window

0
Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

 
kbitAuthor Commented:
That allows the file to be accessed directly and also using the website
0
 
Zephyr ICTCloud ArchitectCommented:
It's difficult without testing, I'm not doing htaccess editing all time :-)

What if we take the first one again but amend it like this:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Open in new window


I'll keep scratching my brain.
0
 
kbitAuthor Commented:
Thanks for your help.

The more I think about it the more I think it might not be possible.

For example, there may not be any difference between accessing a file directly using a URL and accessing it through the website, they're still under a domain (127.0.0.1).

A better way might be for me to add an index file to the folder preventing file listings. Then when the files are being uploaded, disguise their names. So instead of "logo.jpg", use "logo_20130626125312.jpg" which would be yyyymmddhhmmss
0
 
Zephyr ICTCloud ArchitectCommented:
Another option might be to server the page through php and control it through there... Just thinking along.
0
 
kbitAuthor Commented:
Tough one, might be better to close this question and I'll run with the idea I mentioned?

Thanks for your suggestions though.
0
 
kbitAuthor Commented:
I only got two of the suggested ideas to work...one idea proposed by spravtek, one by me
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now