Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

deny public download of files using htaccess

Posted on 2014-03-16
2
Medium Priority
?
327 Views
Last Modified: 2014-03-18
Hi all,

We have a wiki app that uses apache authentication. On some pages there are files that can be downloaded. Some of them are pdf files, some excel or word. We only want to allow users that are logged on to have access to download these files. If someone who isnt logged on tries to directly access a link to download one of these files we want that blocked.

I believe I can use a referrer check and deny access to download these files unless the users is coming from within the site

So if our site is https://thewiki.com I could believe I can deny this way:

RewriteCond %{REQUEST_FILENAME} \.(xls|xlsx|psd|7z|zip|doc|docx)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteRule .* - [F]

If the above works do I need to put it in the folder where the uploaded files reside or the main root htaccess file?

Lastly I was thinking it might even be better to simply deny all access unless the user is authenticated. Our wiki uses apache authentication. So could I deny this way?

Order deny,allow
Deny from all
authenticated-only ?
0
Comment
Question by:binovpd
2 Comments
 
LVL 26

Accepted Solution

by:
arober11 earned 2000 total points
ID: 39937870
Personally i'd go for the latter method, but you'll need access to the httpd.conf. Also note the vital directive is Require valid-user not authenticated-only

<Directory "/srv/www/xxxxxxxx/wiki">
  Options FollowSymLinks Indexes MultiViews
  AuthType Basic
  AuthName "Registered wiki users Only"
....
  Require valid-user
....
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

Open in new window

0
 

Author Comment

by:binovpd
ID: 39937938
Thanks arober11. I finally figured it out. Your answer is exactly what I did so I'll reward you the points.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction As you’re probably aware the HTTP protocol offers basic / weak authentication, which in combination with the relevant configuration on your web server, provides the ability to password protect all or part of your host.  If you were not…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Suggested Courses
Course of the Month12 days, 5 hours left to enroll

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question