apache blocking content from viewing users by hitting url directly - apache

I have disabled the browsing of content by using
Options -Indexes
Now I want to disable directly access of assets(images and videos) by hitting url directly for any project that is present in htdocs folder.
My webserver is Apache Tomcat.
I am accessing the content from a project in apache using a url.
The URL should serve the content in JSP/HTML files deployed in Apache Tomcat. But should be blocked if hacker finds the URL from page source and put the URL in browser.
Thanks in advance.

you have two solutions
1) create a .htacess file and set rules
2) store your protected file somewhere outside the web root folder and acess them using php or any other language.
2nd one is recommended. you can only access your files through server side codes(php,...). Crete a file handling script and check permissions when accessing.
To go with .htaccess file you need to have something like..
Try following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Returns 403 if you access image directly, but allows them to be displayed on site.
Change localhost to the server/domain name of yours.
NOTE: it is possible that when you open some page with image and than copy that image's path into the address bar you can see that image, it is only because of the browser's cache, in fact that image has not been loaded from the server

Related

Specify to load index.html file for every request in apache config file

I have a React application hosted on my server and I need to always load index.html file for every request users make.
Let's say that I have a website that has the address xyz.com, and the root directory contains the React build files, including this index.html file. There are many routes that users can specify to access to certain parts of the website, for example to register on the website they can access xyz.com/register. So, what I want to accomplish is instruct server to always serve this index.html every time users access my site, even though they are visiting different routes of the website.
So I'm assuming that this is something that I can set up in the .conf file for the website, and if it is, can you please let me know how I can achieve it?
You can use the below rewrite rule.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/index.html$
RewriteRule .* /index.html [L,R=302]

What are ways to block direct access to files on apache but allow them through scripts?

If I type in the direct path to any of the content in my server directory I can see and download the file without being logged in. (example I have a directory foo with a file bar.jpg in it. If I type into the search bar "ip:port/foo/bar.jpg I can see the picture without needing to go through the pages I created). I know it would be difficult to access but if it can happen it eventually will. Is there a way that allows my php script to access files and display them in a webpage but not allow any direct access to the content on my server when typed in? I have tried .htaccess files and directly altering the server config in apache, my access looks like this:
<Directory "C:\xampp\htdocs\RootFolder\Login System">
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?Family [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
</Directory>
The problem here is that it randomly blocks some images in my page while allowing others through:
GET http://localhost/Family/IMG_2436.jpg 403 (Forbidden)
I have been bashing my head in trying to get this to work so that if someone types in a direct link they get an access denied while accessing through my php page would just show the picture or file. Is there any way to do this? ps I'm using a windows base

Simple url masking via htaccess doesn't work

i'm trying to achieve the following:
I have domain.it and domain.fr
domain.it contains a website localized in multiple languages, so for example if you go to www.domain.it/fr/somecontent.php it shows that content in french language. This works. This website is hosted on a dedicated server.
In domain.fr i have an empty space with only an .htaccess. What i want is that when the user go to www.domain.fr/somecontent.php the browser shows the content from www.domain.it/fr/somecontent.php but keeping www.domain.fr/somecontent.php in the URL. So basically www.domain.fr/* should show the content from www.domain.it/fr/* but keeping www.domain.fr/* in the browser address bar.
Using an iframe is not an option because is not good for the SEO.
I'm using the following code inside the .htaccess on domain.fr (which is hosted on an OVH shared hosting):
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.domain.fr$
RewriteRule ^(.*) https://www.domain.it/fr/$1 [P]
But when i open www.domain.fr or www.domain.fr/somecontent.php in the browser it says "Forbidden: You don't have permission to access /somecontent.php on this server."
Instead, if i place [L] or [L,R=302] in place of the [P] in the last line of .htaccess, it correctly redirect to the www.domain.it/fr/somecontent.php showing it contents, but it shows the destination url (the it domain) in the browser bar.
So i think the rules are correct, but for some reason when i use the [P] flag which as far as i know is needed to mask the url, it doesn't work.
Have you any clues ?
Thank you!

https before address shows only files in private_html folder on host

when i try my webpage address with https, page shows only files in the private_html folder not public_html.
but my website runs in the public_html. for example i use an index.html file (including forwarder script) and when you type https://alirezah.net it redirects to http://alirezah.net.
how can i fix it? I wanna use cloudflare ssl service but this happens.
I tried to edit htaccess but it doesn't help
If your website is hosted on Directadmin, then follow these steps:
Log in to your DirectAdmin control panel
Click on Domain Setup
Click on the domain name you wish to change this for
Choose the Use a symbolic link from private_html to public_html - allows for same data in http and https checkbox.
Note the warning message - anything in private_html will be removed, so be sure you do not have content left here that you want to keep.
Accept the warning notice and your now pointing you are private_html directory to the public_html directory.
If your website is installed in private_html it will be deleted using this function. If you want to keep your website installed in private html and also redirect http to https, then you need to create a .htaccess file in public_html with the following contents:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule .* https://example.com/%{REQUEST_URI} [R,L]

read images from root directory in subdomain with htaccess

I have a domain like example.com where root directory is web.
I have created a subdomain happy.example.com where directory is outside web folder called happy and connected it to happy.example.com.
My webpage tree looks like
happy
web/images
So all my images for root directory are stored in (web/images)
example.com/images
So a full path to an image can be
example.com/images/me.png
Now i have created a sudbdomain which i call:
happy.example.com
What i would like to do is if i type
happy.example.com/images/me.png
then i should be able to see the picture.
So somehow i need to link all images folder to a subdomain from root directory in web.
I hope you guys got my question.
I guess i shoud have an htaccess file with all funny stuff in happy folder?
Cheerz
Since the two document roots of your two domains aren't connect to each other (one inside the other, or the same), you'll need to either redirect or proxy, or, use a script.
To redirect is easiest, but it'll change the URL in the browser's location bar:
Redirect 301 /images http://example.com/images
or using mod_rewrite:
RewriteEngine On
RewriteRule ^images/(.*)$ http://example.com/images/$1 [L,R=301]
To proxy, you need to have mod_proxy loaded, which isn't always the case if you're using a webhost or hosting service. But you can use the P flag in mod_rewrite to do this:
RewriteEngine On
RewriteRule ^images/(.*)$ http://example.com/images/$1 [L,P]
The last option is to route all image request to a script, like a php script or something. And the script itself returns the image:
RewriteEngine On
RewriteRule ^images/(.*)$ /load_image.php?image=$1 [L]
then you'd have something like:
<?php
header("Content-type: image/jpeg");
readfile('../web/images/' . $_GET['image']);
?>
Obviously, you'd need to check the extension and return the correct content type depending on the image type.