
Restrict access to certain files but not when linked from my own website

@Debbie626

Posted in: #Htaccess #Referrer

I got a problem regarding setting my server settings so that my files can't be accessed from people linking directly to the files, but can when they click a link on my website to open the file.

I tried this:

RewriteCond %{HTTP_REFERER} !^http://19.24.3.13/~child/ [NC]
RewriteCond %{HTTP_REFERER} !^http://19.24.3.13/~child/.*$ [NC]
RewriteRule \.(pdf|doc|docx)$ /~child/ [L]


Problem is, when I want to open these files via my website, I get an error, because the link to the file is a direct link, something I wanted to prevent.

So to counter this, I need to let through the referrals from my own website. I tried this:

SetEnvIf Referer "^http://19.24.3.13/~child/.*$" legit_referal
SetEnvIf Referer "^$" legit_referal

<LocationMatch "\.(pdf|doc|docx)$">
Order Deny,Allow
Deny from all
Allow from env=legit_referal
</LocationMatch>


But with no success. I get a server 500 error if I try to access it.

As you can see I use IP addresses, because I have no domain name, only the IP.

Can someone point me in the right direction?


@Alves908

"Problem is, when I want to open these files via my website, I get an error, because the link to the file is a direct link"


An ordinary link on your website is not a direct link. If the browser is sending any referer at all then when a user clicks a link on your website then the referer is "your website". If you are not getting a referer header in this instance then "something else" is going on.

However, you probably do need to allow an empty referer for when users' browsers don't send the HTTP referer header (for whatever reason). For example, when users type the URL directly in their browser (this is a direct link), or simply hit the reload button - presumably you do want to allow this? If you don't allow this then it is possible that some legitimate users might have problems accessing your files.

Your first example looks pretty much OK, except that 19.24.3.13/~child/ looks a bit weird (this looks like the temporary URL that some shared hosts supply before the domain resolves?). However, the following should work:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://19.24.3.13
RewriteRule \.(pdf|docx?)$ - [F]


The above will return a 403 Forbidden for PDF, DOC and DOCX URLs when the HTTP referer is not empty AND not the current host. Note that this allows direct requests (when the HTTP Referer is empty). If you wish to prevent direct requests then omit the first RewriteCond directive.

Your second code block results in a 500 Internal Server Error because LocationMatch is not permitted in .htaccess files. You need the Files directive.

UPDATE: I'd previously included %{HTTP_HOST} in the condPattern (2nd argument to the RewriteCond directive) - that was a stupid mistake! Server variables are not evaluated in the CondPattern (a regex) so would have matched the literal string "%{HTTP_HOST}"! Which would never happen, so the condition (a negative match) would always have succeeded and the request would always be blocked!
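
The decision logic of the mod_rewrite rule in the answer above, modelled in Python as an added example that is not part of the original post. The sample requests are constructed, and STRICT_CONDS is a tightened pattern assumed here, not something the answer proposes.

```python
import re

# Added model of the answer's rule; not Apache itself. Assumes mod_rewrite
# semantics: unanchored regex search, leading "!" negates, conditions are ANDed.
PROTECTED = re.compile(r"\.(pdf|docx?)$")          # RewriteRule pattern
ANSWER_CONDS = [r"!^$", r"!^http://19.24.3.13"]    # as posted in the answer
NO_DIRECT_CONDS = ANSWER_CONDS[1:]                 # first RewriteCond omitted
# Tightened variant (an assumption, not from the post): dots escaped and the
# host must end at "/", ":" or end of string.
STRICT_CONDS = [r"!^$", r"!^http://19\.24\.3\.13(?:[/:]|$)"]


def cond_holds(cond_pattern, value):
    """Evaluate one RewriteCond against the Referer value."""
    negate = cond_pattern.startswith("!")
    regex = cond_pattern[1:] if negate else cond_pattern
    matched = re.search(regex, value) is not None
    return not matched if negate else matched


def decide(path, referer, conds=ANSWER_CONDS):
    """Return 403 if the rule fires with [F], else 200 (request passes)."""
    if not PROTECTED.search(path):
        return 200                      # rule pattern does not match the URL
    return 403 if all(cond_holds(c, referer) for c in conds) else 200


# Constructed sample requests: (URL path, Referer header or "" when absent).
SAMPLES = [
    ("docs/guide.pdf", ""),
    ("docs/guide.pdf", "http://19.24.3.13/~child/index.html"),
    ("docs/guide.pdf", "http://other.example/page.html"),
    ("docs/guide.pdf", "http://19.24.3.130/page.html"),
    ("index.html", "http://other.example/page.html"),
]

if __name__ == "__main__":
    # Columns: rule as posted, first condition omitted, tightened pattern.
    for path, ref in SAMPLES:
        print(f"{path:15} {ref or '(none)':38}",
              decide(path, ref), decide(path, ref, NO_DIRECT_CONDS),
              decide(path, ref, STRICT_CONDS))
```

The Referer header is supplied by the client, so a rule like this discourages hotlinking from other sites rather than authenticating who may download the files.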
