Restrict access by htaccess

I have a dedicated server separate from the hosting of my site; some content like images, videos, texts etc. will be pulled from this dedicated server. The problem is that I would like to restrict direct access to these files via the URL and leave them accessible only if the request comes directly from the site. I have tried to use Allow from IP, but the IP will be the user's IP and not that of my site, which could be a problem in the future... I have tried to use HTTP REFERER but it did not work. Can anyone tell me what I can do to limit this content and display it only within the site?

1 answer

Answering the question: first of all, blocking requests from outside via .htaccess is something like this:

RewriteEngine on
RewriteBase /
# Refuse the request unless the Referer header starts with one of the site's own URLs.
# [NC] makes the comparison case-insensitive. Note that both negated conditions also
# match an empty Referer, so a request with no Referer at all is refused as well.
RewriteCond %{HTTP_REFERER} !^http://www\.seusite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://seusite\.com/ [NC]
# [F] answers 403 Forbidden; "-" means the URL itself is left unchanged.
RewriteRule ^.*$ - [F]

But this only makes it a little difficult for the curious, because anything that the browser accesses without restriction can be accessed directly by an external request. HTTP headers are easily simulated.

To protect against automated access, a captcha would help, but this is not feasible for normal resources such as images, JS, CSS, audio etc. that would normally be used by the site. In addition, nothing would prevent the user from answering the captcha in an application external to the site.

Reasonable blocking is practically impossible without side effects in the context presented in the question.

The advantage of blocking by REFERER is in the case of hotlinking: it at least prevents your resources from being linked from third-party websites (because in this case the third party has no control over the user's browser, which will be making the request). You cannot prevent this third party from accessing your data and taking a copy, but he himself has no simple way of getting ordinary users (of his site) to bypass your protection and access your files directly. At least it discourages improper consumption of your server's bandwidth, since in this case he is required to at least intermediate the content.

I can't deny or confirm that I've done it :P, but by checking the REFERER directly in your application, you could very well serve an extremely inappropriate image if it is linked from a third-party website, but the correct one if the person accesses it through your website or if the REFERER is empty (it is important to consider that it is only a hotlink if the REFERER comes filled in, and with the wrong website). I do not recommend it, because the image can stay in the person's cache and the wrong thing would appear if in the future the same person accesses your site directly, giving a disastrous result. But it's always nice to know it's possible ;)
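The Referer check from the answer, as an added example that is not part of the original answer: the same decision the RewriteCond lines make, written as a plain function so its edge cases can be exercised without an Apache server. Unlike the .htaccess rules above, it treats an empty Referer as a normal visit rather than a hotlink, as the answer recommends for an application-level check. The host names are assumed placeholders, and the request headers at the bottom are constructed sample input.

```python
# Added example, not code from the original question or answer.
# Models the REFERER-based hotlink check as an application-level function.
from urllib.parse import urlsplit

# Hostnames allowed to embed the files (assumed placeholder names).
ALLOWED_HOSTS = {"seusite.com", "www.seusite.com"}


def is_hotlink(referer: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True when the request should be refused as a hotlink.

    Mirrors the intent of the RewriteCond lines: the Referer is compared
    case-insensitively against the site's own hostnames. Parsing the host
    instead of prefix-matching a string also rejects look-alike hosts such
    as www.seusite.com.other.example. An empty or missing Referer is NOT
    treated as a hotlink: browsers omit it for typed URLs, bookmarks and
    privacy settings, so refusing it would break ordinary visitors.
    """
    if not referer:
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host not in {h.lower() for h in allowed_hosts}


def decide(headers: dict) -> str:
    """Apply the check to one request's headers, as the [F] rule would."""
    return "403 Forbidden" if is_hotlink(headers.get("Referer", "")) else "200 OK"


# Constructed sample requests. The last one illustrates the answer's caveat:
# a client that simply sends the site's own URL as Referer passes the check,
# because the header is chosen by the client, not verified by the server.
SAMPLE_REQUESTS = [
    ("page on the site", {"Referer": "http://www.seusite.com/galeria.html"}),
    ("direct visit, no Referer", {}),
    ("embedded on a third-party site", {"Referer": "http://outro.example/blog"}),
    ("look-alike host", {"Referer": "http://www.seusite.com.outro.example/"}),
    ("script that sets Referer itself", {"Referer": "http://seusite.com/"}),
]


def run_samples():
    """Return (label, decision) pairs for the constructed requests."""
    return [(label, decide(headers)) for label, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, decision in run_samples():
        print(f"{label:35} -> {decision}")
```

The same behaviour can be verified against the real .htaccess by issuing requests to your own server with a Referer header you set yourself; any header-based rule will give the last sample's result, which is the limitation the answer describes.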

  • I understood, I was already thinking about that. I have a function that checks the existence of files on this server, but it says the files do not exist, while if I access the same file directly through the URL it exists. Could you help me?

  • It seems to me to be a different problem (it would be the case to open a separate question). Remember to post the code in the new question, and to search first in case there is already a similar one.

  • Ok, thanks. Returning to my current question: so there is no method to block file requests on my dedicated server, through a firewall or Apache itself? I would really like to leave these files visible only on the site.

  • Impossible. Everything the browser does can be done directly by the client (which is basically what I answered above).

  • I understand, so I'm going to use RewriteCond to make it a little more difficult; it's a start.

  • Would it not also be possible to put a password on the folder with these files and, when requesting them on the site, send the access information along with the embed?

  • And what stops the person from linking with the same information? If they can copy the URL, they can copy the credentials. My suggestion is to do something that does not depend on this type of blocking. You will waste hours coming up with something that an attacker will break in minutes (whatever solution you can find).

  • Couldn't they be passed in some hidden way? A POST, something like that? Or could I create a script to receive the request, determine where it is coming from and prepare the file for upload?

  • Nowadays sites like the Post Office, Registro.br, the Secretaria da Fazenda etc. cannot block it. As I already said, there is no way. Only with tricks like captcha and the like, but that makes it impossible to use on the site itself. It would do no good to list every form of workaround in the answer, but be clear that there is no solution that does not compromise normal use. Whatever you do, there will always be a workaround. At most it creates difficulties, but you will always waste much more time than those who get around it. The "cheapest" is the REFERER; whoever gets past that gets past the rest.

  • I get it, I will work on hiding the file URL better in a future version, then utilizing a Blob. Anyway, thanks for your help <3 I will open another question about checking the files.
