Reputation: 117
I have an internal webserver with Ubuntu and Apache configured on it. I have given access to /opt/data_upload so that I can use this directory to save images uploaded from PHP and fetch them back on an Ajax GET request.
My Apache config in /etc/apache2/apache2.conf looks like this:
Alias /data_uploads "/opt/data_uploads/"
<Directory "/opt/data_uploads/">
Options Indexes FollowSymLinks MultiViews
Require all granted
AllowOverride all
Order allow,deny
Allow from all
</Directory>
But the problem is that when I open http://123.45.67.89/data_uploads from a browser, it is fully accessible to everyone, which is dangerous, and anyone can see the images uploaded there.
To avoid this I tried Require all denied. Now I get 403, but all my Ajax GET requests also fail.
Now I want my website to be able to access it, but if someone tries to access http://123.45.67.89/data_uploads it should say 403. How can I overcome this issue?
Upvotes: 0
Views: 1031
Reputation: 3569
In your configuration you give access to everyone to your upload directory.
You must remove this, or only allow your IP.
But in your case, what you want is to permit your users to upload and download the files that they are allowed to. It means you want their HTTP requests to be able to upload/download files. These HTTP requests won't access the upload directory directly; they will call your PHP application.
Then it's your PHP application that will be able to upload to this directory (that is, write to this directory) and read from this directory. For this you have to give read/write permissions to the user running the Apache process, with something like chmod and/or chown.
And finally, you'll have to write a PHP controller able to handle upload and download calls. That PHP code will write to and read from your upload directory.
Upvotes: 1
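One way to write the download side of the PHP controller the answer describes (an added example, not code from either poster). It assumes the Alias and <Directory> block are removed from apache2.conf so Apache no longer maps /opt/data_uploads, that the application sets $_SESSION['user_id'] at login, and that the Ajax request calls a hypothetical download.php?file=<name>.

```php
<?php
// download.php: added example; the script name, the "file" parameter and
// $_SESSION['user_id'] are assumptions, not names from the original post.
declare(strict_types=1);

const UPLOAD_DIR = '/opt/data_uploads';   // directory from the question
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/** Map a requested name to a real file inside $baseDir, or null if rejected. */
function resolveUpload(string $name, string $baseDir = UPLOAD_DIR): ?string
{
    // Accept a plain file name only: no NUL bytes, directory parts or dot-files.
    if ($name === '' || strpos($name, "\0") !== false
        || $name !== basename($name) || $name[0] === '.') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the target is still under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {        // only logged-in users may fetch files
    http_response_code(403);
    exit('Forbidden');
}
$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolveUpload($name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// Serve only content that really is an image, whatever the extension claims.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(415);
    exit('Unsupported type');
}
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place, a direct request to /data_uploads no longer resolves to the directory at all, and the page's Ajax calls succeed only inside an authenticated session.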