Pierre

Reputation: 5156

PHP/Apache Deny folder access to user but not to script

So I have this PHP web app, and one of my folders contains some files that can be downloaded.

I have a download script that modifies the headers, in order to always offer a download link. (instead of showing a picture for example, when you click on a link, a download box pops out)

Right now, if you enter a URL like http://www.mywebsite.com/content/, you get the listing of all the downloadable files, and of course, you can just download them all, without going through the website interface.

Personally, I don't think it's a problem, since I often use downthemall or other downloading tools, and this type of access is a great time saver....

But of course my company does not think so :-p They want people to use the interface in order to view the Ads...

Would there be a way, maybe with a protected .htaccess, to leave the folder access to my download script, but deny access to the users...?

I hope I am making sense and you know what I mean :)

All help/remarks appreciated!

Upvotes: 3

Views: 4568

Answers (4)

Klaas S.

Reputation: 1612

You can make a .htaccess file and enter Options -Indexes; this will disable listing of the files in the directory.

If you also need the traffic to originate from your site, you will need to make a file, say index.php, with code that checks $_SERVER['HTTP_REFERER'] to see if the traffic originates from your site.

EDIT

Oh I forgot you can actually fix it all in the .htaccess:

Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://your-host.com/.*$ [NC]
RewriteRule ^.* /403-page [L,R]

This will do all the work of the script I suggested, so you won't need it anymore.

Upvotes: 5

Your Common Sense

Reputation: 157919

Deny from all

in the .htaccess, or move the files above the document root

Upvotes: 0

Scott Saunders

Reputation: 30414

Move the folder out of the webserver's root directory so that Apache will not serve files from that directory at all. You can still include files from the folder if it is readable by the apache/http user, but your site users won't be able to access it from any URL.

Upvotes: 6
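
A download script that fits this answer, shown as an added example that is not code from the thread: it serves files from a folder outside the document root and rejects any name that resolves outside that folder. The storage path, the `file` query parameter and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: the files were moved
// to /var/www/private/content (outside the document root) and the script is
// called as download.php?file=<name>; both names are hypothetical.
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private/content';

/** Map a user-supplied name to a real file inside $baseDir, or return null. */
function resolveDownload(string $baseDir, string $requested): ?string
{
    // Keep only the final path component, so "../" and absolute paths are dropped.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name[0] === '.') {
        return null; // empty name or dotfile such as .htaccess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks; the result must still sit under the base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function sendDownload(string $path): void
{
    // Restrict the header filename to a conservative character set.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    $requested = $_GET['file'] ?? null;
    $path = is_string($requested) ? resolveDownload(STORAGE_DIR, $requested) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    sendDownload($path);
}
```

Because the folder has no URL of its own, this script is the only route to the files, so any access rule the site needs can be enforced in one place before `sendDownload()` is called.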

Ikke

Reputation: 101251

Yes, this is correct. .htaccess files block access to the users, but have no influence on local server scripts.

Upvotes: 1
