In the wordpress site I'm developing are my digital products stored in the uploads folder. I found out that this folder is publicly accessible when you know the url.
So when I enter http://my-site.com/wp-content/uploads I get a directory listing with all files exposed en simple to download. That is not what I want of course. I found a solution on the internet using this .htaccess code:
IndexIgnore *
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-site\.com/ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) [NC]
RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx)$ http://my-site.com
This works fine, everyone who is entering the url is redirected to the homepage.
Downloads of purchased goods are going fine to because the request is from within the site. However there is a logo file (used in the WooCommerce emails) which must be accessible. Right now the logo is not displayed in the emails because the system decide that it is not a request from within the site and the access is denied. Can I grant access to this file using an updated version of the code above and if yes what changes do I have to make? Please advice.
HTH from you soon.
First, you can disable directory listing in .htaccess by using Options -Indexes. For more information about it please refer to https://wiki.apache.org/httpd/DirectoryListings
Then, using the header Referer as a security measure can be dangerous as it can be easily changed.
You should consider replacing this part by a script which manage a kind of access-list to allow or deny the access to the original file (e.g. temporary key like on Amazon S3).
Related
I doubt even it is possible or not. I have a strange requirement by client so have to do.
I have a website that allow certain ips(ips are hard coded in .htaccess ). Client has provided me a url that have some ips listed in json format. I want that these ips should be allowed to access the website. (Ips listed on url are dynamic so i can't use them in .htaccess). Do anyone have idea how to achieve this.
I know i can use a php file(index) in htaccess and write code in it to read ips but the priority is to get it done by .htaccess file only.
Thanks in advance.
Need little bit help.
I have created rewriteMap in httpd file.
RewriteMap accessmap "txt:E:\htdocs\myfolder\map.txt"
My map.txt have follwing entries.
127.0.0.11 allow
127.0.0.1 allow
127.0.0.12 deny
These entries i am adding in htacces file
RewriteCond ${accessmap:%{REMOTE_ADDR}} allow [NC]
RewriteRule ^(.*)$ https://www.exampleweb.com/$1 [L,R=302]
Now, for example i have 127.0.0.1 in my map file as allow so it should be allowed to access the site. If i want to access site form any other ip like
130.0.0.11 (not in map file) it should be redirect to this link https://www.exampleweb.com .
I do not have much knowledge about htaccess to can't understand how to write
rewriteRule and rewrite condition for this. Please help.
Note: Ips are just for example, actual ips will be different for these.
Create a RewriteMap. Add below code in Apache configuration file (httpd.conf) or in your virtual host file.
RewriteMap accessmap "txt:file/path/to/map.txt"
NOTE: RewriteMap directive cannot be added in .htaccess file or inside Directory section. [Source: Using rewrite map]
Then in your .htaccess file add below code
RewriteCond ${accessmap:%{REMOTE_ADDR}} !^allow
RewriteRule ^(.)$ - [F,L]*
This will allow IP addresses listed in map.txt file having value allow to access your site. Otherwise, users will see 403 forbidden error.
.htaccess files are constantly read by Apache HTTPD server. You can be changing the specific Authorization directives in it according to your needs by a script or something else and the new auth directives will be applied instantly.
I have a blog with images. I do not want that the images are directly accessible through the URL (and also not for Googlebot and other bots)... for example... mysite.com/assets/images/img1... etc. So I thought to password protect the images directory with .htaccess. That worked, only front-end all my images became links, and I had to provide my credentials to make them show. How can I make my images show yet NOT make them directly accessible when typing the corresponding URL and the images URLs (or better yet the images directory) NOT accesible for bots to crawl/index?
Don't go with password protection. The right way to do it would be to filter the requests based on the referer URL. If the request originates from your own site then it's ok. Otherwise the request is trying to get an image directly.
I've found this site with detailed instructions on how to do that: http://altlab.com/htaccess_tutorial.html
Taken from the mentioned site:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://url_to_default_image.gif [L]
Note that you would have to enable mod_rewrite in your Apache server.
Btw, just asking. Why don't just let people get the image directly if they want to?
When a user creates a booking via this website, an invoice (pdf) will be generated and saved in assets/invoices. Only staff members will access these to download and email to the clients. However, at the moment if the exact URL is known by somebody they are able to access it whether they are logged in or not. I am trying to restrict access to these files for those logged into the CMS only. Is there a way to do that via some permissions module?
Is Secure Assets the module your after: https://github.com/silverstripe-labs/silverstripe-secureassets
With it you can set permission for Files/Folders "that mirrors the access restrictions of sitetree pages".
When I tried to achieve this through modules I was not getting any results. What I did to achieve this was adding a private folder in the assets directory, having all my secure files within this folder. I added a htaccess file within the private folder containing:
<IfModule mod_rewrite.c>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
RewriteBase /
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !cookie_name=cookie_value; [NC]
RewriteRule ^ /page-not-found [NC,L]
This code checks for a specific cookie name and a specific cookie value, if this condition is not met it will redirect the user to the page-not-found url.
Within an extension to a booking system in the CMS I had present, I set the cookie. This cookie was then set upon logging into the CMS, if a user did not have this cookie they could not view any of the files/folders within the /assets/private directory.
I've made a module a while back to do this. https://github.com/colymba/ss-privateassets
You could try it or use it to write your own.
I am trying to write a .htaccess file for my website, which will prevent access to pages and images via direct URL input, but localhost requests will be granted. So far I've found this code after some googling:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com.*$ [NC]
RewriteRule \.(php|css|js|jpg)$ - [F]
The problem is my website images are protected all right, but when I want to access the index.php from a parent directory (the htaccess is in my subdirectory, not the parent), I am shown a 403 Forbidden error.
Now I am not really clear as to what these lines mean, or how to tweak them, so I can't tell right from wrong. Can someone help me out and tell what this actually does? Thanks!
Either your assets are accessible or they're not. You cannot serve assets to the public without serving them publicly. You probably think "from localhost" means if someone is "on your website" already; that's a wrong understanding of how the web works. Every asset is requested from the server via a URL, all requests come from clients. Requests do not come from "your local website".
If endusers must be able to see your assets, they must be able to access them via a URL, which means they'll also be able to see them when "inputting the URL directly". There's no technical difference there.
In my website, i want to restrict viewing certain files which are stored in a directory called "/content" such that only logged in users can view the files
as it stands right now anyone who types in xxxxxxx.com/content/4dc32b1c0a630.png into the browser can see this image file
I've added Options -Indexes to my .htaccess file but that didn't do anything
if it is helpful my site is built using codeigniter, so a PHP solution would be great, though I'd take any advice you might have!
thank you,
Tim
You can write a controller for that purpose.
In one of my projects I've done a resized pictures controller only for logged in users. It's based on timthumb script http://code.google.com/p/timthumb/
In controller __contruct(); write user authentification code and that's all!
So you will call these files via controller, like http://www.site.com/images/1314.png
Use mod_rewrite to rewrite any accesses to anything in /content to a PHP script that will auth the user and then provide the file, either directly or via mod_xsendfile.
Put these lines in your root .htacess file to block access to content/4dc32b1c0a630.png for unauthenticated users:
Options +FollowSymlinks -MultiViews
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule ^content/4dc32b1c0a630\.png/?$ - [R=403,L]
However I would suggest you use wild cards (if possible) to match blocked files above rather than listing each and every individual file.