Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 333
  • Last Modified:

deny public download of files using htaccess

Hi all,

We have a wiki app that uses apache authentication. On some pages there are files that can be downloaded. Some of them are pdf files, some excel or word. We only want to allow users that are logged on to have access to download these files. If someone who isnt logged on tries to directly access a link to download one of these files we want that blocked.

I believe I can use a referrer check and deny access to download these files unless the users is coming from within the site

So if our site is https://thewiki.com I could believe I can deny this way:

RewriteCond %{REQUEST_FILENAME} \.(xls|xlsx|psd|7z|zip|doc|docx)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteRule .* - [F]

If the above works do I need to put it in the folder where the uploaded files reside or the main root htaccess file?

Lastly I was thinking it might even be better to simply deny all access unless the user is authenticated. Our wiki uses apache authentication. So could I deny this way?

Order deny,allow
Deny from all
authenticated-only ?
0
binovpd
Asked:
binovpd
1 Solution
 
arober11Commented:
Personally i'd go for the latter method, but you'll need access to the httpd.conf. Also note the vital directive is Require valid-user not authenticated-only

<Directory "/srv/www/xxxxxxxx/wiki">
  Options FollowSymLinks Indexes MultiViews
  AuthType Basic
  AuthName "Registered wiki users Only"
....
  Require valid-user
....
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

Open in new window

0
 
binovpdAuthor Commented:
Thanks arober11. I finally figured it out. Your answer is exactly what I did so I'll reward you the points.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now