DENY direct download of file using php - php

I have .doc and .zip files in the download directory on my server.
Only users who visit my site page (download-file.php) should be able to download these files; others should not.
I am trying to achieve the above but no luck...
I am still able to put the direct file address (http://example.com/sample.doc) in the browser and download it, which I don't want. Even if someone else posts a link to the above file on any website, the download should not happen.
Could anyone please share some ideas on how I should achieve this?
Thank you in advance.

In the .htaccess file in your document root, you can include these rules:
RewriteEngine On
# you can add whatever extensions you want routed to your php script
RewriteCond %{REQUEST_URI} \.(doc|zip|pdf)$ [NC]
RewriteRule ^(.*)$ /download-file.php?filename=$1 [L]
Then in your download-file.php, you can display whatever you need to display along with the download link, and your PHP script can then serve the file immediately using PHP's readfile() (see link for examples).

You should disallow access to your files directory, and offer downloads only through PHP (example with PDFs):
data/.htaccess (googled):
deny from all
download.php:
<?php
/* User access check here, prior to the following code */
$name = 'MyPDF.pdf';               // name shown to the user
$filename = 'data/pdf_12345.pdf';  // actual file on disk
header('Content-Disposition: attachment; filename="'.$name.'"');
header("Content-Type: application/pdf");
header("Content-Length: " . filesize($filename));
// readfile() takes a path; fpassthru() would need an open file handle
readfile($filename);
Of course you can set different filenames for each user and each request, like download.php?file=MyPDF

You should be able to restrict people from directly accessing your content using a method similar to the following code:
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://your_domain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|pdf|doc)$ http://your_domain.com/no_access.php [R,NC]
This would prevent people from directly linking images, PDFs or docs from your site. Files with these extensions could then only be accessed from your site. If someone attempts to directly link or access your files, they will see whatever you choose for them to see (whatever you place in no_access.php).

If you have a dedicated server, the easiest and in my opinion the most secure way is to store the files outside of /var/www/.
You can, for example, create a folder /var/webdocs/ and store them there.
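
Putting the answers above together, a download-file.php that checks access first and only serves allow-listed file types from a directory outside the web root. This is an added example, not code from any of the answers; the /var/webdocs path is the one suggested above, and the `may_download` session flag is a hypothetical name for whatever access check your site performs.

```php
<?php
// download-file.php: added example, not code from any answer on this page.
// Assumptions: files live in /var/webdocs (outside the web root) and the page
// offering the download sets $_SESSION['may_download'] (hypothetical flag).
declare(strict_types=1);

const STORE = '/var/webdocs';
const TYPES = ['doc' => 'application/msword', 'zip' => 'application/zip',
               'pdf' => 'application/pdf'];

// Map a user-supplied name to [path, mime] inside $store, or null if rejected.
function resolve_download(string $store, string $requested, array $types): ?array
{
    $name = basename(str_replace('\\', '/', $requested)); // drop directory parts
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($types[$ext]) || strpos($name, "\0") !== false) {
        return null;                    // not an allowed type (.php, .htaccess, ...)
    }
    $root = realpath($store);
    $path = realpath($store . '/' . $name);
    // realpath() resolves symlinks, so confirm the result is still in the store.
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return [$path, $types[$ext]];
}

session_start();
if (empty($_SESSION['may_download'])) { // access check before touching the file
    http_response_code(403);
    exit('Forbidden');
}
$requested = $_GET['filename'] ?? '';
$found = is_string($requested) ? resolve_download(STORE, $requested, TYPES) : null;
if ($found === null) {
    http_response_code(404);
    exit('Not found');
}
[$path, $mime] = $found;
$shown = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . $shown . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the `filename` parameter comes from the request (or from the rewrite rule in the first answer), it is treated as untrusted: only its base name is used, and the resolved path must still sit inside the store.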

Related

Disable direct access to file, but still allow it to be embedded

I'm currently making a website with videos on it, however, I want to avoid as much as possible people being able to download them (I know that this is not 100% achievable, but there are ways to make it harder).
Here's my filesystem:
- main folder/
  - watch.php
  - videos/
    - .htaccess
    - example video.mp4
    - streamer.php
And here's my code.
watch.php:
<video src="videos/streamer.php"></video>
streamer.php:
<?php
$stream = new VideoStream("example video.mp4");
$stream->start();
?>
.htaccess:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?([^/]+)/.*$ [NC]
RewriteCond %2#%{HTTP_HOST} !^(.+)#(www\.)?\1$ [NC]
RewriteRule \.(php|mp4)$ - [F,L,NC]
Additional: The server is running locally, and as such does not have a domain name.
The video streams fine from watch.php but if you open the video source (streamer.php) you will be allowed onto the page, where you can then download the content.
What I want to happen is for the video to stream fine to watch.php but if you open streamer.php you are blocked from seeing the content.
Can anyone help me with this? I've tried just about every solution I've looked up and I can't manage to get any to work. Thanks
[EDIT]: Most preferably, this would be done in the .htaccess file so that I can also block people from entering example video.mp4

How to prevent direct access to files but allow files in webpages

I'm trying to use mod_rewrite to deny direct access to files on my web server, e.g. http://domain.tld/reports/imareport.pdf or http://domain.tld/img/img1.png, and I've used the answer on this question:
(htaccess) How to prevent a file from DIRECT URL ACCESS?
That page suggests using mod_rewrite like this:
RewriteEngine on
RewriteRule \.(png|pdf|htm)$ - [F]
Using mod_rewrite in this manner works fine for denying access to PDFs, but other files that are ordinarily included in a page, such as images and CSS, are not only blocked from direct access, but also blocked when used on a webpage in a normal <img> tag or whatever. This is contrary to the question and answer mentioned above.
So... my question is... is there a way to block direct access to files but still allow them in webpages?
Thanks Mark Phillips, I didn't fully appreciate what these two rewrite conditions were doing for me:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
So I had managed to mess them up. Things worked as needed when I used the code just as it was.

Prohibit direct access to images URL

I have a blog with images. I do not want the images to be directly accessible through the URL (and also not for Googlebot and other bots)... for example... mysite.com/assets/images/img1... etc. So I thought to password protect the images directory with .htaccess. That worked, only on the front end all my images became links, and I had to provide my credentials to make them show. How can I make my images show yet NOT make them directly accessible when typing the corresponding URL, and the image URLs (or better yet the images directory) NOT accessible for bots to crawl/index?
Don't go with password protection. The right way to do it would be to filter the requests based on the referer URL. If the request originates from your own site then it's ok. Otherwise the request is trying to get an image directly.
I've found this site with detailed instructions on how to do that: http://altlab.com/htaccess_tutorial.html
Taken from the mentioned site:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://url_to_default_image.gif [L]
Note that you would have to enable mod_rewrite in your Apache server.
Btw, just asking. Why not just let people get the image directly if they want to?

Prevent direct PDF file access from URL

Redirected from here, I need to prevent access to PDF (or any other) file types when someone accesses them using a direct URL.
The Problem
Say you had a PDF file that you’d like visitors on your own site to download.
However, if someone were to copy this link and call it from a browser window directly, or if they were to post the link to your PDF on another website, then the document shall not be accessible. By default it is.
I am successful in hiding the pdf file path in address bar and the url formed is http://localhost/myproject/web/viewer.php?id=11&name=sample.pdf, but in console one can see the complete path like http://localhost/myproject/document/11/sample.pdf.
This code redirects successfully on second time page reload, but not when I select Open in new tab from console.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(pdf) [NC]
RewriteRule .*\.(pdf)$ http://google.com/ [NC]
Used below code in .htaccess to prevent access
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(pdf)$ - [F]
Somehow it does not work accurately. It shows file forbidden message only if I hit CTRL+SHIFT+R key otherwise using the file URL I can still access it.
I want to prevent the pdf file showing as http://localhost/myproject/document/11/sample.pdf directly in the url bar
If you have access to a database, maybe you could store the file/s in a blob field. This way you can easily write code to protect the file how you like.
You can store PDF files outside the webroot folder and return their content using PHP. For example, for the user the URL will be like:
http://localhost/myproject/document.php?hash=some_hash
and in document.php you get the document hash from the $_GET parameter and use the file_get_contents function. Also, in this case you can allow access only once.
I hope it will help
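
One way to implement the `document.php?hash=...` idea with single-use links, as an added example that is not code from the answers. It assumes documents are stored as /var/webdocs/<id>/<name> outside the web root (mirroring the document/11/sample.pdf layout in the question); `issue_token()` and `redeem_token()` are hypothetical helper names.

```php
<?php
// Added example (not from the answers): one-time download tokens in the session.
// Assumptions: documents are stored as /var/webdocs/<id>/<name>, outside the
// web root; issue_token()/redeem_token() are hypothetical helper names.
declare(strict_types=1);

const DOC_ROOT = '/var/webdocs';

// viewer.php calls this and links to document.php?hash=<token>.
function issue_token(array &$session, int $docId, string $name, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(16));            // unguessable, 128 bits
    $session['dl'][$token] = [
        'file' => DOC_ROOT . '/' . $docId . '/' . basename($name),
        'exp'  => time() + $ttl,
    ];
    return $token;
}

// document.php calls this. The token is deleted on first use, valid or not.
function redeem_token(array &$session, string $token, ?int $now = null): ?string
{
    $entry = $session['dl'][$token] ?? null;
    unset($session['dl'][$token]);
    if (!is_array($entry) || $entry['exp'] < ($now ?? time())) {
        return null;                               // unknown, reused or expired
    }
    return is_file($entry['file']) ? $entry['file'] : null;
}

// Body of document.php (the two functions would normally sit in a shared include).
session_start();
$hash = $_GET['hash'] ?? '';
$file = is_string($hash) ? redeem_token($_SESSION, $hash) : null;
if ($file === null) {
    http_response_code(403);
    exit('Link expired or already used');
}
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="document.pdf"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

The real path never appears in the page or the browser console; the token is bound to the visitor's session, so a copied link fails in another browser and fails on a second use in the same one.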

Block certain site from accessing a certain file

I have a player.php file which calls the video player to play a certain video. How can I block certain sites from accessing this file and using it to embed videos on their site? In other words, what code can I use inside player.php to block certain sites from accessing this file only?
You can do this on three levels.
1) Web server
For instance, using .htaccess file if you're on an Apache server.
This could be done with a rewrite that pushes them to some dummy file or 404 or whatever you like. For example:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC]
RewriteRule .* - [F]
This is really the ideal way because it precludes the need to interpret PHP.
2) PHP
In your page, use the $_SERVER['HTTP_REFERER'] (which may not be set if there is no referrer) and search for the domain in question in the string.
This is second best, and may be your only option if you can't alter the Apache configuration.
3) Javascript
Doesn't really prevent access to anything, because the check happens client-side (they've downloaded player.php and the Javascript itself prior to running it). If they went directly to the video or whatever, it wouldn't stop them from getting the file. You would use the document.referrer and search for the domain as with the PHP example.
If you are using Apache and have access to your .htaccess file, I suggest you use that instead. This page is an excellent resource.
You could try something like this, assuming player.php is in your web root:
RewriteEngine On
# Apply only to requests for player.php in the web root
RewriteCond %{REQUEST_URI} ^/player\.php
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-domain\.com/ [NC]
RewriteRule .* http://your-domain.com/please-dont-steal.php [NC]
You're better off dealing with this issue server side, so PHP is a good bet. You'll need to examine the HTTP referrer header to see whether you're being hotlinked.
There are lots of tricks you can do with Apache mod_rewrite and/or .htaccess.
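
The PHP-level check described in option 2 above, written as an added example (not code from the answers) that compares the Referer's host rather than searching the raw header for a substring. `badsite.com` is the placeholder domain from the answer, `referer_is_blocked()` is a hypothetical helper name, and the header is supplied by the client, so it may be missing or altered.

```php
<?php
// Added example (not from the answers): Referer check for player.php that
// compares hosts instead of searching the raw header for a substring.
// Assumption: 'badsite.com' is the placeholder domain used in the answer.
declare(strict_types=1);

// True when the Referer's host is a blocked domain or one of its subdomains.
function referer_is_blocked(?string $referer, array $blocked): bool
{
    $host = is_string($referer) ? parse_url($referer, PHP_URL_HOST) : null;
    if (!is_string($host) || $host === '') {
        return false;       // header missing or unparsable: nothing to match
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($blocked as $domain) {
        $suffix = '.' . strtolower($domain);
        if ($host === strtolower($domain)
            || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values: a substring search would also flag the last two.
    $samples = [
        'http://badsite.com/embed.html'       => true,
        'https://cdn.badsite.com/x'           => true,
        'http://notbadsite.com/'              => false,
        'http://example.org/?ref=badsite.com' => false,
    ];
    foreach ($samples as $url => $expected) {
        $got = referer_is_blocked($url, ['badsite.com']);
        printf("%-38s %s\n", $url, $got === $expected ? 'ok' : 'MISMATCH');
    }
    exit;
}

if (referer_is_blocked($_SERVER['HTTP_REFERER'] ?? null, ['badsite.com'])) {
    http_response_code(403);
    exit('Embedding from this site is not allowed');
}
// ... rest of player.php: output the player markup ...
```

Running the file from the command line prints the self-check over the sample values; under the web server the same function gates the request.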
