Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

deny public download of files using htaccess

Posted on 2014-03-16
2
Medium Priority
?
326 Views
Last Modified: 2014-03-18
Hi all,

We have a wiki app that uses apache authentication. On some pages there are files that can be downloaded. Some of them are pdf files, some excel or word. We only want to allow users that are logged on to have access to download these files. If someone who isnt logged on tries to directly access a link to download one of these files we want that blocked.

I believe I can use a referrer check and deny access to download these files unless the users is coming from within the site

So if our site is https://thewiki.com I could believe I can deny this way:

RewriteCond %{REQUEST_FILENAME} \.(xls|xlsx|psd|7z|zip|doc|docx)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteRule .* - [F]

If the above works do I need to put it in the folder where the uploaded files reside or the main root htaccess file?

Lastly I was thinking it might even be better to simply deny all access unless the user is authenticated. Our wiki uses apache authentication. So could I deny this way?

Order deny,allow
Deny from all
authenticated-only ?
0
Comment
Question by:binovpd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 26

Accepted Solution

by:
arober11 earned 2000 total points
ID: 39937870
Personally i'd go for the latter method, but you'll need access to the httpd.conf. Also note the vital directive is Require valid-user not authenticated-only

<Directory "/srv/www/xxxxxxxx/wiki">
  Options FollowSymLinks Indexes MultiViews
  AuthType Basic
  AuthName "Registered wiki users Only"
....
  Require valid-user
....
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

Open in new window

0
 

Author Comment

by:binovpd
ID: 39937938
Thanks arober11. I finally figured it out. Your answer is exactly what I did so I'll reward you the points.
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question