i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all
Related
I'm absolutely unknowledgeable of Apache .htaccess language and to be frank, I presently don't have time to look into it.
I have divided my website to following directories:
/My-Website
/admin
/public
To me, it seems like a good practice to separate the administration portal from the public website with distinctive folders. Admin is where the administration updates the contents and public is, well, public.
However, this way, I face two key problems:
I have somehow configured .htaccess to redirect all URLs to /public directory. But I want an exception to the /admin directory. Meaning that when the user enters mywebsite.com, it should redirect to /public automatically but not when the user enters mywebsite.com/admin. I'm not sure if .htaccess would have the solution or PHP, but am welcomed to both.
In my admin directory, I have JS files and other xml lying around in the admin directory. Did a test, found out that the users can access all the files in the admin directory by explicitly going to for example: mywebsite.com/admin/may_be_sensitive.xml without authorization. How can I tackle this?
I'm quite open to suggestions even if it means that I need to re-organize my entire website in a different structure.
You don't need any redirection.
/public should be the root, so the public portion of your website would be visible at https://example.com
/admin should be a subdirectory off public (your webroot) like https://example.com/admin, and should be secured with an appropriate authentication process like basic auth, a one-time token or some other form of secure auth.
It's possible to secure the admin folder with a .htaccess file but it's more secure to do in the server configuration file if you have access to it.
From: http://httpd.apache.org/docs/current/howto/auth.html
<Directory "/usr/local/apache/htdocs/secret">
AuthType Basic
AuthName "Restricted Files"
AuthUserFile "/usr/local/apache/passwd/passwords"
</Directory>
The password file is created with the htpasswd utility.
I'm coding a small website with login for members. Every member have a dedicated folder and I'd like to know how to deny all access to this folder from everyone except form the user when he's logged in.
For now, I've set up things like that:
1) Every folder have an .htaccess with deny from all
2) When a user logged in, I use PHP to identify the user and get his folder. I get the user's IP address and I edit the .htaccess with
order deny,allow
deny from all
allow from 178.197.XXX.XXX
3) Once the user logged out, I reset the .htaccess to deny from all again
Is there a better way? And is there security risks?
Don't use IP. One user is not equal to one IP.
Store the folders outside the document root of your web server. This way, the files can never be served directly by the web server itself.
I.e., do not serve the files directly like http://my.site.com/path/to/actual/file. Instead require that the file be requested through a proxy PHP script like http://my.site.com/getfile.php?file=name. The script would check that a user is logged in, check that a file named name exists in that user's directory, and then spew it with readfile() or similar.
Also, in general, your files should never be writable by the user that the web server process runs as -- especially your .htaccess files.
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.
I have a site and I want to create a log.txt file which includes all user logs.For example a user logged in anytime and logged out. That is to say,time which users logged in and out. I can make this with database but there would many rows and I don't want it. If I put log.txt file to /logs/log.txt,any user who writes domain.com/log/log.txt to address bar will see that file. How can I prevent this. (I use PHP)
It's true that you can hide files from website visitors using .htaccess, or by putting similar rules in other Apache configuration locations. But this kind of thing is not trivial, and it's easy to make mistakes. The best way to hide files from site visitors is through the directory structure of your project. For instance:
A directory www/ to contain all files website visitors DO need to visit directly with a browser. This will the the directory used as we website root in your Apache configuration. If browsers don't need to fetch a file, it should not be here.
Other directories, like logs/ for logs, lib/ for source code that gets included in your scripts, config/ for settings and configuration files, etc. Since they're not inside of the website root (www/), users cannot point their browsers at any of these files.
If you're on shared hosting, and they only give you one folder that is your website root, then you can't do this. I wouldn't purchase a hosting account from such a company, though, because there are plenty that DO let you put files outside your web root.
Use a .htaccess with
<Files "log.txt">
order deny,allow
deny from all
allow from 1.2.3.4
</Files>
Where 1.2.3.4 is your IP, if you want to be able to acces it from your browser via the site. Else remove that line, so you will only be able to access via FTP or script
You can prevent http access to your log folder by using an .htaccess file that contains
deny from all
what is the most secure way to password protect admin files/folders?
im on apache/php
The most secure way is to keep it off the internet alltogether ;-)
But irony aside, I'd suggest using .htaccess. Simple and requires no programming effort from you.
http://www.htpasswdgenerator.com/apache/htaccess.html#8
An alternative to the htaccess method is to put the files that should be protected outside the web-root - somewhere where a typical HTTP request can't reach them - and have PHP relay them back to the client as needed.
This is useful in situations where you need more control over the process than Apache gives you. Like, say: if you wanted to integrate this with your PHP application's member functionality; allowing members that have already logged in access to the files while denying access to others.
Create a .htaccess and .htpasswd with one of the 10000 .htaccess generators out there and use the htpasswd included in most distros to add users to the .htpasswd.
Securing admin folder with HTTP Authentication (.htpasswd & .htaccess)
Navigate to http://aspirine.org/htpasswd_en.html to generate
username and password in an encrypted form
Eg:
username: User_name
password: Mypassword
Result will be depending upon your selected hashing algorithm
Eg.:
User_name:TX9D66ksKUR0o
Save this in “.htpasswd” file
Creating a “.htpasswd” file on your web server other than the /public_html
directory. Preferably one directory above it in the /home folder which would
store the username and password in an encrypted form for the HTTP
authentication.
Add the following code to the .htaccess file inside the /admin
folder on your server. Do not forget to put the correct path of the
.htpasswd file in the following code snippet:
AuthType Basic
AuthName "Your_Name"
AuthUserFile path-to/.htpasswd/file
Require valid-user
AuthName "Authorisation Required"
require valid-user
# IP
# order deny,allow
# deny from all
# allow from xxx.xx.xx.xxx