I'm using a membership script to allow access to private files by a group of people. The problem is anyone who knows the link to the files can easily bypass the membership script and have direct access to the files. My goal is to prevent direct URL access through http://domain.com/folder1/folder2/index.php and to only accept access from http://domain.com/folder1/file_with_link_to_index.php. The membership script is useless unless I can prevent people typing in the url to the file locations.
I'm having a hard time even beginning to understand Apache but what I was attempting to do was to use "Deny All" and then "Allow from http://folder1/file_with_link_to_index.php." so that access to the files could only be access through the "file_with_link~" only. It didn't work. I was still able to paste the url to the files into the browser and access the directory.
I found similar questions on StackO but not enough experience to understand and actually take the little pieces that were similar to my problem and actually use them. It's probably something simple but I'm so frustrated with trying to figure this out that I can't see it.
Here's a quick example of what I was trying to use:
deny all except those indicated here
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.345.67.890
allow from http://domain.com/fold1/LINKING_FILE/program_index.php
</Limit>
I'm pretty sure I'm failing on the way the domain is supposed to be written and maybe that's why it's not working?
I would use another approach to this than by htaccess. Put the files in a directory unreachable for the public web, then use your membership php script to retrieve them.
jTheMan was right. There was a better way of tackling this using PHP. My fix for my problem is below just in case it's useful to anyone else. The only awesome addition would be to make the code below allow direct URL access from just one IP, like my own :0)
I added the following file to the "head" or "index" or to the very top of the page that was called first in each application:
//Begin refuse direct URL Connections
$refering=parse_url($_SERVER['HTTP_REFERER']);
if($refering['host']==$_SERVER['HTTP_HOST']){
echo "";
} else {
header("Location: http://www.yourdomain.com");
exit();
}
//End refuse direct URL Connections
Thank you!
Related
I'm creating a very simple login system where my php code stores and reads file names(account name) and content(password) but anyone could simply just navigate to that folder and read whatever. so what i want is that a folder gets "locked" from any connections, and still read / write to it with php. i use xampp to host, if it has any relevance
is this possible? if not, are there other simple ways of storing / reading account password and name?
found my solution, by putting
order deny,allow
deny from all
inside .htaccess in the folder i want private
I want to know if my Apache server uses .htaccess files or not. If it uses them, then why and how?
How can I know if my Apache server is using .htaccess or not?
Thank you.
As for why, it's a convenient way for shared-hosting providers to give some access to users who would like to set some configuration options. You obviously wouldn't want everyone to have access to the main configuration file for security purposes. It's also useful for development purposes since you can set different options for different directories.
As for how Apache uses the file, I recommend reading the documentation.
As for how to know if Apache is using .htaccess files, it most likely is. I've yet to meet a shared hosting provider that doesn't. And if you are running your own server, I assume you would know how you set it up. Worst case scenario, you could follow this advice from the docs:
A good test for this is to put garbage in your .htaccess file and reload the page. If a server error is not generated, then you almost certainly have AllowOverride None in effect.
I know it's a bit of a beginner question but tried several combinations and none work... here's what i need to achieve using .htaccess and .htpasswd
I have a www.mysite.com/protected folder.
By default, all ip's shouldn't see this folder and any other files inside it exists (basically they should be redirected to www.mysite.com)
A certain IP (my external IP M.M.M.M) should be able to access that protected folder and be requested a username and password
All ip's should be able to see some files inside the folder without being asked for password (www.mysite.com/protected/file1 and www.mysite.com/protected/file2)
I know the latter rule opens an exception on the first but that's how i need it (a general rule denying all and then whitelisting some files)
Thanks in advance for any help, been struggling with this for a bit now :(
I have a directory on my website specifically for javascript files, I want these javascript files to be hidden, so if I type the url to it it says Forbidden or disallows access, but my front-end website files can still access them to execute them when needed. Is there a way to do this through a FTP client?
Cheers,
Dan
You can't do this trough a ftp client. It is the task of your webserver to forbid access to certain files.
If you change permission, the webserver won't have access to them anymore, so this is not the way to go.
You must configure your webserver to restrict the access. If you're using Apache, you can use an .htaccess file. There's different ways of doing this, many depends on the way the webserver is configured.
The easiest is to put an .htaccess file in your Scripts folder which contain only this none line :
deny from all
However, like peeter said, there's a good chance this will break your site, since the browser must access theses files, so you can't restrict access.
Put a htaccess file in your scripts folder containing deny from all, but this will stop your pages from accessing the scripts also (though not if you pass them through the PHP engine first)
You're trying to hide JavaScript files that are executed on the clients side. If a client(browser) cannot access the files means non of your javascript code is executed.
If I understood your question correctly then you cannot achieve what you're trying to achieve.
If I allow user to upload file, after user uploaded the file, the file will go to
wwww.someplace.com/public_file/... ....
So, everybody can get access the file. But I would like to make some restrictions on that. For example, I want to reduce the downloading speed for non-login users. How can I do that? Also, if I want to limit the user to get the files if he/she don't have a user right... ... For example, if some user upload to
wwww.someplace.com/secret_place/... ...
Only the user have some rights, can get access to this place... ...How can I do that? Should I do this in the web application and the Apache Server config too? Thank you.
For users you can split this between Apache and your application as I know most servers support using a database for authentication; Apache certainly supports many methods of authentication, you should find some useful info here:
http://httpd.apache.org/docs/current/howto/auth.html
One thing to note is that if you were to do this exclusively in the application then it would be easily by-passable. You can restrict the download speeds for non-logged in users using traffic shaping.
let’s consider that we want to deny access to all files with the extension .inc. In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
Order allow,deny
Deny from all
Similar to this we can deny access to whatever files we might need…