In a web application to transform images I want to deny direct access to other user's images and I've achieve it adding this code at my main .htaccess file:
RewriteCond %{HTTP_COOKIE} !PHPSESSID=(.+) [OR,NC]
RewriteCond %{HTTP_COOKIE}:%{REQUEST_URI} ^PHPSESSID=(.*?);:(?!.*?/usuarios/\1).* [NC]
RewriteRule ^.*?/usuarios/.+?\.(gif|jpe?g|png|wbmp)$ - [R=403,L]
So, as users have their own folder to upload and transform images, this rule will check if you are looking for an image which directory matches with your id_session, and will throw a 403 response if it doesn't match.
It seems to work fine, but if any user attach an image and change the scr with other user's image (assuming he knows the path), it is showing that image.
How could I prevent it?
You can check at http://itransformer.es
As says #David Houde, such logic should be implemented in the application, for instance in the following way:
The images uploaded by your users will be stored outside of the web
site root directory, so they cannot be accessed directly using a URL,
You need to setup your website to handle virtual URLs (the most simple
here being a rewrite rule internally passing the request URL as
parameter to some PHP (or whatever) script),
Then, in your script you will have full latitude to check whether
the request match your policy,
And if the request is legitimate, your script will be able to open
the requested image file and send its content as web server answer.
Related
I know there are a lot of similar questions out there, and I've trawled them all, but I can't seem to get any of the solutions to work.
I have a folder on the root of my website containing uploaded files that can be viewed and downloaded from the site when a user is logged in. They are here: https://example.com/uploads (for example). I need the site to continue to be able to access them to display them (some are images) and provide links for download (pdfs etc) so the user can download them, but I want to avoid anyone who get's hold of the url of a particular file being able to download them directly, like this: https://example.com/uploads/2020/02/myfile.pdf. OR these urls getting into search engines (or if they do, the server prevents them from being accessed directly.
I've tried adding an .htaccess file in the uploads directory with the following content:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
And I've tried
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
...as I read that might allow HTTPS calls from the site itself as well as local urls.
But it forbids the site and a direct url request, which is no good.
Is there a way to do this?
The user interface that provides the ‘official’ access to the files has user authentication, yes, but the files still exist in a directory than won’t stop anyone getting to them if they know the url.
You need to protect the files using the same authentication system that you are using to protect access to the user interface. The only way you could protect these resources by IP address (the client IP address) - as you are currently attempting in .htaccess - is if the client's IP is fixed and known in advance (but if this was the case then you wouldn't need another form of authentication to begin with).
So, this will primarily be an exercise in whatever scripting language/CMS is being used to authenticate the "user interface".
What you can use .htaccess for is to rewrite requests for these files to your server-side script that handles the authentication and then serves the file to the client once authenticated.
For example:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^uploads/. /serve-protected-file.php [L]
Any request for /uploads/<something> (eg. /uploads/2020/02/myfile.pdf), that maps to a valid file is routed to your script: /serve-protected-file.php.
/serve-protected-file.php would then need to do something like the following:
// 1. Parse the file being requested from REQUEST_URI
// 2. Is the requested file "protected"?
// (Serving both protected and public files from the same directory?)
// 3. If not protected then serve/stream the resource to the client. END
// 4. If protected then authenticate the user...
// 5. If user authenticated then serve/stream the resource to the client. END
// 6. Resource is protected and user not authenticated...
// Serve a 403 Forbidden. END
(Ideally, the location of these "protected" resources would be entirely outside of the document root - so they are "private" by default - and the URL the user uses to access these resources is entirely virtual - then you probably wouldn't need any additional coding in .htaccess and everything would be implemented by your front-controller - but that all depends on how your site is implemented and the way in which URLs are routed.)
How can i redirect video streams to another domain using htaccess? I am building a application where i can customize m3u playlists containing movies, series and live tv. I am writing a xtream-codes api emulator, so basically i am returning a different playlist (minimized / edited) - but i want the htaccess to redirect the streams request to the origin.
The playlist / api urls look like:
/player_api.php?username=user&pass=pass&action=get_live_categories
The stream url's look like:
/user/pass/streamid.ts
I tried redirecting with php, but this is not the way to go. I also tried to do a redirect on dns level - but thats not good because i can only redirect a complete domain / subdomain
RewriteEngine On
RewriteCond %{HTTP_HOST} ^([-a-zA-Z0-9]+)\.iptv-manager\.xxx$ [NC]
RewriteRule ^((?!index\.php$).*)$ http://player-api.iptv-manager.xxx/index.php?subdomain=%1&route=$1 [QSA,P]
The above code routes any subdomain (wildcard) and route, which is then processed by the php code. But i cant seem to route the video streams through php.
[edit]
As a little bit more explanation of what i am trying to build: Im trying to create a alternative for the Xtream-Editor online playlist editor. Because of the way Xtream-Codes api works - it will get the base url (player_api) and use that with the stream-id's it gets to build a stream url;
As i want to be able to let users not only edit their m3u list, but also provide a customized list in xtream codes api players - if i set the providers host in the initial call to my player_api, it will load the streams and categories from the provider - and not the modified list the user wants to load.
So im not trying to resell streams under a different name - i already made a m3u editor that is widely used, but it is windows based, and requires users to manually update the list when the provider changes their streams.
You need to get it done via php, .htaccess redirect only works for complete domain So use your .htaccess to redirect to php.
.htacess
RewriteRule ^live/(.*)/(.*)/(.*)$ yourphp.php?u=$1&p=$2&c=$3 [L,NE]
RewriteRule ^(.*)/(.*)/(.*)$ yourphp.php?u=$1&p=$2&c=$3 [L,NE]
php files
<?php
$c = str_replace (".ts","",$_GET['c']);
header("location: http://244.117.154.34:25461/".$c.".ch?u=".$_GET['u'].":p=".$_GET['p']."",false, 307);
That what you do to redirect xc to m3u or json to m3u
I wanna set up an download page.
I need to access those pages only through a login page and stop all the direct access to the download page path and also its files and again if anyone tries to access those pages directly then it should automatically redirect to login page itself or else at least with a 404 error.
How can I do all these in .htaccess file. It will be very much helpful in developing my website.
Thanks in advance
Assuming that your all of your downloads are inside of a downloads directory, something like this should do the trick.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?your.site.*
RewriteRule ^downloads\/?.* http://your.site/login [R=302,L]
Alternatively (and ideally) you should instead keep the pages outside of the site's root directory and download them through a proxy page.
I have several audio files that I don't want to allow anyone else to gain access to them. Each file is in a separate folder inside a main folder, that I'll call "download" for now. So "download" has several other directories, and inside each directory are audio files. Those audio files are played with in a web app on the system.
The problem is that right now anyone can type in the full address of the file localhost/download/dir/sound.wav and play the audio file. This is what I want to prevent from happening, I want those files to only stream when they are access or streamed from our application.
I tried the following on the .htaccess file
deny from all
This just returned an 403 forbidden page, but i was unable to stream the file from within the application
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]
This just disabled the stream all together did not return a 403 or anything it just did not stream from neither the application or direct access
Finally I'm using AJAX to call the script that holds the files to be streamed; are there any options I can use?
It is impossible to prevent the user from accessing those files
In order to hear them they have to be downloaded to the user's computer and that means that they have to be accessible!
The best you can do is encrypt the files and decrypt them in the player. But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm. In the end you gonna find out that you just wasted a whole lot of processing time and in fact slowed down your application!
There is just one problem: how is server supposed to detect who has requested your media - application or some other system, just using similar protocol?
But if you just want to prevent simplest http request to you media, you could involve some token exchange system, e.g. your application sends request for media in certain format, server sends token for accessing certain file, and then your application may access special (say php) script supplying it with token, script returns your sound stream. This way, media can be forbidden to be accessed from outside world and only will be accessed by you own server-side php script.
Then in order to gain access to media file user would need to know your existing token or your exchange protocol which eliminates random users accessing your media at will. However, as you have been told before there is probably no way to protect against 'educated users'.
One possibility would be to:
Add an apache rewrite directive on that download folder to route all requests to a php script instead that takes the file requested as a parameter.
Create this script (say sound.php) in your application which takes that file path as a get parameter. This script can output the correct http headers to indicate that the type of data is wav or whatever you want. Then check some cookies or a token or similar, and output the content of the restricted file directly (see readfile) only if the user is valid.
Is is possible to secure a directory on Apache with a custom form? I have a directory full of static HTML files, it is basically a full static site. I want to secure this site with a password.
I know I can use .htaccess but I would much rather have a custom form/database to secure the site. I know how to code in PHP well enough to create the form, database and do the authentication. What I don't know is how to tell Apache to redirect to that form if the user is not authenticated.
UPDATE: I would be fine using other authentication modules. I'm looking for a system similar to IIS Forms authentication. If the user is not logged in, visiting any file in the directory will redirect to a login form. Once logged in they can view any of the files in the directory.
Pseudocode follows:
if user authenticated:
read a file and output into browser (or return 404)
else:
show the form
end
The following .htaccess will rewrite every request to .html files into index.php:
RewriteEngine on
RewriteCond %{REQUEST_URI} \.html$
RewriteRule \.html$ /index.php [QSA,L]
You'll find the requested .html filename in $_SERVER['REDIRECT_URL'].
(Most of known PHP frameworks uses this or similar approach. There isn't anything fancy in this.)