htaccess rewrite to prevent direct file access

Posted on 2013-06-26
488 Views
Last Modified: 2013-09-11
Hi,

I have a website, let's call it "www.somewhere.com"

This website has a directory called "orderuploads" into which people can upload files using my website.

These uploaded files must only be accessible by one URL: "www.somewhere.com/uploadorders.php"

Accessing the uploaded files directly like "www.somewhere.com/orderuploads/image.jpg" via a browser must be prevented.

From what I can gather, htaccess must be used with a rewrite but can someone please provide the necessary code?

Thanks in advance
Question by:kbit

9 Comments

Expert Comment

by:Zephyr ICT
ID: 39277542
You can put the .htaccess file in the folder with following lines:

# Apache 2.2 syntax: refuse every direct request into this directory
order deny,allow
deny from all

Or if you want to allow access to certain files:

# Re-open only the listed image types; everything else stays denied
<FilesMatch "\.(gif|jpe?g|png)$">
    Order Allow,Deny
    Allow from all
    Satisfy Any
</FilesMatch>


You might need to play around with the order of "Allow,Deny" depending on the use.
"Order Deny,Allow" means that the deny rules are processed before the allow rules and vice versa.

Author Comment

by:kbit
ID: 39277565
Thanks for those suggestions.

I tried

order deny,allow
deny from all

and it nicely prevents the direct access, but it also prevents the file from being opened/downloaded via "www.somewhere.com/uploadorders.php". I need the latter.

Expert Comment

by:Zephyr ICT
ID: 39277590
Hmmm...

Since I can't test... Something like this maybe?

RewriteEngine On

# Send requests for the bare domain root to the www host
RewriteCond %{HTTP_HOST} ^xxx\.com$
RewriteRule ^$ http://www.xxx.com/index.php [R=301,L]

# Answer 403 Forbidden to image requests whose Referer is not this site
RewriteCond %{HTTP_REFERER} !^http://(www\.)?xxx\.com/ [NC]
RewriteRule ^_files/uploadorders/[^.]+\.(jpe?g|gif|bmp|png)$ - [F,NC]


Author Comment

by:kbit
ID: 39277607
That allows the file to be accessed directly and also using the website

Expert Comment

by:Zephyr ICT
ID: 39277646
It's difficult without testing, I'm not doing htaccess editing all the time :-)

What if we take the first one again but amend it like this:

# Deny everyone, then allow only requests originating from the server itself
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

I'll keep scratching my brain.

Author Comment

by:kbit
ID: 39277708
Thanks for your help.

The more I think about it the more I think it might not be possible.

For example, there may not be any difference between accessing a file directly using a URL and accessing it through the website, they're still under a domain (127.0.0.1).

A better way might be for me to add an index file to the folder preventing file listings. Then when the files are being uploaded, disguise their names. So instead of "logo.jpg", use "logo_20130626125312.jpg", which would be yyyymmddhhmmss.

Accepted Solution

by:Zephyr ICT (earned 2000 total points)
ID: 39277806
Another option might be to serve the page through php and control it through there... Just thinking along.
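The accepted answer's approach as an added example, not code from the thread: a PHP script (the body of something like the asker's uploadorders.php) that hands out files from a directory Apache itself refuses to serve, but only after an authorisation check, so the decision is made server-side rather than by a client-controlled Referer header. The upload path, the session flag and the allowed file types are assumptions.

```php
<?php
// Added example (not from the thread): serve uploads only through PHP, as
// the accepted answer suggests. Assumes the upload directory sits outside
// the web root (or keeps "Deny from all" in its .htaccess), so Apache
// never serves these files directly.
declare(strict_types=1);
session_start();
// Hypothetical location: uploads live outside DocumentRoot.
const UPLOAD_DIR = '/var/www/private/orderuploads';

// Only these types are ever sent back, with a server-chosen MIME type.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// 1. Authorisation: plug in the site's own login check (hypothetical flag).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept only a plain file name: basename() drops any directory part
//    (including "../") and the pattern rejects quotes and other oddities.
$name = basename((string)($_GET['file'] ?? ''));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!preg_match('/^[A-Za-z0-9._-]+$/', $name) || !isset(ALLOWED[$ext])) {
    http_response_code(404);
    exit('Not found');
}

// 3. Resolve the real path and confirm it is still inside UPLOAD_DIR,
//    which also catches symlinks that point somewhere else.
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 4. Stream it as a download with fixed headers, never the client's type,
//    so a disguised HTML/JS upload is not rendered in the site's origin.
header('Content-Type: ' . ALLOWED[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The asker's timestamped file names can still be used on top of this; they hide names from guessing, while the session check above is what actually enforces who may fetch a file.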

Assisted Solution

by:kbit
kbit earned 0 total points
ID: 39287983
Tough one, might be better to close this question and I'll run with the idea I mentioned?

Thanks for your suggestions though.

Author Closing Comment

by:kbit
ID: 39482512
I only got two of the suggested ideas to work... one idea proposed by spravtek, one by me.