Solved

deny public download of files using htaccess

Posted on 2014-03-16
2
323 Views
Last Modified: 2014-03-18
Hi all,

We have a wiki app that uses apache authentication. On some pages there are files that can be downloaded. Some of them are pdf files, some excel or word. We only want to allow users that are logged on to have access to download these files. If someone who isnt logged on tries to directly access a link to download one of these files we want that blocked.

I believe I can use a referrer check and deny access to download these files unless the users is coming from within the site

So if our site is https://thewiki.com I could believe I can deny this way:

RewriteCond %{REQUEST_FILENAME} \.(xls|xlsx|psd|7z|zip|doc|docx)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https://(?:www\.)?thewiki\.com(?:/|$) [NC]
RewriteRule .* - [F]

If the above works do I need to put it in the folder where the uploaded files reside or the main root htaccess file?

Lastly I was thinking it might even be better to simply deny all access unless the user is authenticated. Our wiki uses apache authentication. So could I deny this way?

Order deny,allow
Deny from all
authenticated-only ?
0
Comment
Question by:binovpd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 26

Accepted Solution

by:
arober11 earned 500 total points
ID: 39937870
Personally i'd go for the latter method, but you'll need access to the httpd.conf. Also note the vital directive is Require valid-user not authenticated-only

<Directory "/srv/www/xxxxxxxx/wiki">
  Options FollowSymLinks Indexes MultiViews
  AuthType Basic
  AuthName "Registered wiki users Only"
....
  Require valid-user
....
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

Open in new window

0
 

Author Comment

by:binovpd
ID: 39937938
Thanks arober11. I finally figured it out. Your answer is exactly what I did so I'll reward you the points.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question