Reputation: 108
I've got 2 servers: a web server and a data server, where all my uploaded files are. Is there any option in htaccess to block all access to the data server, but allow requests from that web server?
Example: web server: portal with videos, audio,... and data server, where all files are uploaded. I need to block direct download of (access to) all these files from "dataserver/file" (and all subfolders), but I need to access these files, for example via <video src="dataserver/file"></video>, which is called from the web server (someone comes to my site and wants to see the movie/audio/...)
Upvotes: 1
Views: 232
Reputation: 51711
A visitor's browser, on parsing the <video> tag, will make the request to your data server directly. Your web server isn't involved there. But what you want to prevent, which in web terminology is called hot-linking, is possible.
Basically, every browser request has a referer field attached to it (whenever available), which lets the server know the website a user is coming from. For example, say you open your browser and go to google.com; Google will receive your request with no referer because that's the first site you opened in that browser tab.
But, when you search and click on a link to go to a website, that server will receive the complete URL of the Google page that you clicked the link on to reach that website passed to it as the HTTP referer request header.
So, on your data server, you can have an .htaccess that makes sure that clients are making video requests from your website only by checking their referer headers. Something like:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://(www\.)?webserver\.com/.*$ [NC]
RewriteRule \.(swf|flv|mp4)$ - [F,L]
This would also prevent the users from just typing in the video URL in the browser in the hopes of downloading it directly. The hot-linkers would now receive a 403 Forbidden error.
This however does have the potential to break your site for people browsing it with some sort of privacy software installed that strips every browser request of the referer field. So, that's your trade-off here.
Upvotes: 2
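The rule set from the answer above, modelled in Python as an added example (not code from the original post) and run over constructed requests to show which ones receive the 403. The function names, sample URLs and the convention that 200 means "not blocked by the rule" are assumptions of the example.

```python
import re

# Patterns copied from the answer's .htaccess rules.
REFERER_ALLOWED = re.compile(r"^http://(www\.)?webserver\.com/.*$", re.IGNORECASE)  # [NC]
PROTECTED_PATH = re.compile(r"\.(swf|flv|mp4)$")  # RewriteRule has no [NC]: case-sensitive


def status_for(path, referer=None):
    """Return 403 if the rule fires, else 200 (not blocked; assumes the file exists).

    A missing Referer header expands to an empty string in %{HTTP_REFERER}.
    """
    if not PROTECTED_PATH.search(path):
        return 200  # rule pattern does not match, so the condition is never checked
    if REFERER_ALLOWED.search(referer or ""):
        return 200  # the negated (!) condition fails, so the rule is skipped
    return 403      # [F] answers with 403 Forbidden


# Constructed sample requests: (description, path, Referer header or None).
SAMPLES = [
    ("embedded on own site (http)", "videos/clip.mp4", "http://www.webserver.com/watch?id=1"),
    ("no Referer: typed URL or privacy tool", "videos/clip.mp4", None),
    ("embedded on another site", "videos/clip.mp4", "http://other.example/page"),
    ("own site served over https", "videos/clip.mp4", "https://www.webserver.com/watch?id=1"),
    ("look-alike host name", "videos/clip.mp4", "http://webserver.com.other.example/"),
    ("audio file, extension not listed", "audio/song.mp3", None),
    ("upper-case extension", "videos/CLIP.MP4", None),
]


def evaluate(samples=SAMPLES):
    """Map each sample description to the status the rule set yields."""
    return {desc: status_for(path, ref) for desc, path, ref in samples}


if __name__ == "__main__":
    for desc, status in evaluate().items():
        print(f"{status}  {desc}")
```

The last two samples come back 200 because the rule only covers the listed lower-case extensions, and the https sample comes back 403 because the condition only accepts `http://` referers.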