I have mp3's in a directory called /mp3/ and I want to be able to access them only from another page.php in another directory /main/ on the site.
No direct linking from outside.
All of the pages are written in php
I put this code in the .htaccess file inside the /mp3/ directory...
Order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost
allow from mydomain.com
allow from 123.45.678.90 # that's myserver's IP address (real one used in code)
Satisfy Any
But none of those work.
It does work however if I use the IP address of were I am.
allow from 1.2.3.4 # my internet connection (real one used in code)
But that means it would work for anyone and their IP address.
What am I missing here? Does this work only on certain servers?
How do I make it use the server's IP address and not my IP address?
Look into "hotlink protection" added to your .htaccess file. You can set it up for just .mp3 file extension, and forbid access by any foreign site or directly from browsers. You might even be able to restrict access from within your own site, but I can't see that being terribly useful.
Something like
RewriteEngine on
Options +FollowSymlinks
# hotlink protection and allowed list
# don't forget to add https: to allow accesss for any with SSL
## uncomment following line to PERMIT direct browser access of mp3 files
#RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/)?.*$ [NC]
RewriteRule .*\.mp3$ - [F,NC]
Place the files you want to protect out of the public folder. This way they are only accessible via your scripts.
-root
--mp3s
--public_html
---main
----index.php
----page.php
You are trying to limit a "referral" and not direct access?
Denying from an IP limits all access, whether referred to by your page.php or by typing it into the browser's URL location bar. If you're trying to limit referrals, you can try using something like:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain.com/ [NC]
RewriteRule ^mp3/ - [L,F]
but be warned that referers can be spoofed.
What about something like this, in your .htaccess
<Files ~ ".mp3$">
Order allow,deny
Deny from all
</Files>
This will not allow direct access to any files with .mp3 from your web server.
Place this code in your mp3/.htaccess file:
RewriteEngine on
RewriteBase /mp3/
RewriteCond %{HTTP_REFERER} !^https?://(localhost|(www\.)?mydomain\.com)/ [NC]
RewriteRule ^ - [F]
Related
How do I get the IP, with PHP, that I have to use for my htaccess to allow specific domains access to my content?
I used gethostbyname($_SERVER['HTTP_HOST']) to get the ip, but that seems not to be the right one?
Or maybe something is wrong with my .htaccess file?
Order deny,allow
Deny from All
Allow from 77.111.240.115
I now see that there are a lot websites hosted on this IP, is there a way to get this working?
You did mentioned that you are looking to just allow specific domains to access your website.
Try this in your .htaccess and it won't require you to deal with IPs etc.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER}
!^http(s)?://(www\.)?yoursite.com [NC]
RewriteCond %{HTTP_REFERER}
!^http(s)?://(www\.)?othersite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|html|php)$ - [F]
The above thing will allow access to your own website and that other website to files like jpg gif html etc.
If you want you can add other file extensions in it and if you want you can add other websites in it.
I want my application to allow pages to be accessed / referenced only from the application pages rather than from external addresses. with the exception of the main(index.php) page that will serve as access to the application. So for example if i build an html file in my desktop with a link or form to the destination of the application pages i want it to redirect to index.php.
How can i do this?
I tried to add this rows .htaccess
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch ".*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
But this didn't work because the desktop file was still in my server .
Edit 2:
I edited the .htaccess file to this and now it works
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ http://localhost/website/index.php [R,L]
If you mean that you don't want your pages like config.php, x.php, etc. to be accessed directly through browser then you can simply define a constant on index.php page and check its existence on any other PHP file.
In case you want your forms to submitted only through index.php, then the only solution is to use a changeable CSRF token, generated by index.php and valid only for one time usage. That way you'll make sure that no-one can just clone the form inputs and spam you with requests from another server.
Still it's very difficult to totally prevent anyone from sending you requests from outside your server. A go-around techniques can be used to bypass token validation. Attackers can simply send a CURL request to fetch a new token then placing it automatically into the form and sending the request from outside
the server.
I've been searching and testing as many different ways to do this as I can but nothing seems to be working. In a nut shell, I'm streaming audio, but the path is obfuscated via a rewritecond rule. I don't want direct access via the browser to the streaming file, but PHP still needs access to the file to stream it. Here is the streaming URL:
www.test.com/audio/32478576
The "audio" directory doesn't exist. I'm using .htaccess to redirect it to the streaming script. Here are the .htaccess bits:
RewriteRule ^/?audio/([\d]+)/?$ serve.php?id=$1 [L,QSA]
All that works great. So, I figured that all that would be needed to deny access to the file would be to add the following to my .htaccss file:
<Files ~ "audio/">
order allow,deny
deny from all
</Files>
That didn't work. I was still able to get the audio to stream directly from the browser.
Perhaps this is not possible - trying to do what I want it to do. What am I missing? .htaccess is not my strength by any means, but I still think it's possible. I just don't have the right code or things in the right order, perhaps. Any help is greatly appreciated. Thanks.
UPDATE:
There may be something wrong with my server setup. I did a basic test with the following Rewrite:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)test.com/.*$ [NC]
RewriteRule test\.php$ - [F]
But I still had direct access to the test.php file. But - I shouldn't, right? Perhaps something is incorrectly set on my server?
<directory> and <files> directives apply to the filesystem. Since /audio directory does not exist, the <Files ~ "audio/"> has no effect.
<Location> directive applies to Urls, and may work.
In a different approach, if Apache version is 2.4, it can be done as it is described in this documentation page http://httpd.apache.org/docs/current/howto/access.html.
As I understand you want to prevent serve.php from being accessed outside your domain test.com. If so then, the HTTP_REFERRER should be a url containing test.com.
The HTTP_REFERRER can be checked from htaccess using code that prevents hot linking of media files. This link: https://mediatemple.net/community/products/dv/204644230/prevent-hotlinking-with-a-htaccess-file describes how to prevent hot linking of media files. The code given in the link can be modified to prevent hot linking of your serve.php file. The following code should work:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)test.com/.*$ [NC]
RewriteRule audio/.+$ - [F]
I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.
DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php
-> Access Denied
BUT
[index.php]
<form action="/subfolder/somefile.php">
...
</form>
-> Success!
I would love to solve this by just using .htaccess. I tried deny from alland also some RewriteRules but those Rules also kill any request from index.php.
I tried
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from somewebsite.com
Satisfy Any
but the request from index.php is being denied. Can anyone help, please?
This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just it's being told where to go by your index.php file. Has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.
The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(example.com|127\.0\.0\.1) [NC]
RewriteRule ^subfolder/ - [L,F]
where "example.com" is your site.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.hello.com/index.php
RewriteRule .*subfolder/somefile\.php - [NC,F]
The second line checks whether the visitor is not coming from a certain url. The 3rd line blocks them from accessing somefile.php
In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows:
<directory "DOCROOT/subfolder">
RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
RewriteRule ^/(.+)$ redirect.php [L]
</directory>
In my .htaccess file, I am using the below to prevent direct access to folders:
Options -Indexes
I am using the below to prevent access to a critical file of ours:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from (my ipaddress)
</Files>
So, now users cant go to www.domain.com/scripts as it throw 404 error, nor can they access admin.php
But how do I prevent direct access to all?
For example, if someone knew the filename, they can still get to it, such as: www.domain.com/scripts/process.php
What to do?
Using mod_rewrite:
Put this rule on top of all other rules:
RewriteRule ^scripts(/.*|)$ - [F,NC]
Without using mod_rewrite:
Put this code in scripts/.htaccess:
Order Deny,Allow
Deny from all
UPDATE: To block direct access to all files:
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{THE_REQUEST} \..+[\s?]
# return forbidden error if not static files
RewriteRule (?!^.+\.(?:jpe?g|gif|bmp|png|tiff|css|js)$)^.*$ - [F]