htaccess Elite

Hello,

I have a question which I can't find the answer to anywhere on the web, but I'm sure it exists!

I have a website, which holds valueable media files in subfolders.

I want to block any access to these (in fact, all subfolders) on the server using .htaccess. The only way i want the media served is via my proxy PHP script so I can validate and record each download.

I am happy to grant access to all files on my parent folder, but want to block any access to subfolders.

Thanks for reading - and please let me know if you have any ideas about how to solve this problem!

Tony

Yes this is easy, just explain how exactly the php proxy script accesses the files.

Hi mod,

Thanks for your reply.

The PHP scripts receives an ID.

The script looks up the filename and path from a MySQL DB table.

The php script opens the file and reads the content before outputting it to the browser.

- is that detailed enough? Or do you want code snippets?

TonyKR wrote:is that detailed enough? Or do you want code snippets?

Good, but please help me with the following:

• What is the name of the subfolder you want blocked
• what is the code you are using (minus any identifiable info) to open and serve the file

header("Content-Type: audio/mp3");
header("Content-Length: " . filesize($filename));
header("Content-Transfer-Encoding: Binary");
header("Content-Disposition: attachment; filename=$nameofrecord.mp3");
header('Pragma: private');
header('Cache-control: private, must-revalidate');

$fh = fopen(trim($filename),'r') or die("error proxying $filename $fh");

while(!feof($fh))
{
echo fgets($fh, 1024);
}
fclose($fh);

I want to block access to EVERY subfolder.
I don't want to name each subfolder because one is created each time a new user is created.

Do you understand?

Ok gotcha..

I tested this myself since this is such a cool little htaccess trick.

Code: Select all

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
RewriteRule .* - [F,L]

This will 403 forbid all direct requests for anything in a subfolder but will allow fopen to access the file.

htaccess wrote:Ok gotcha..

I tested this myself since this is such a cool little htaccess trick.

Code: Select all

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
RewriteRule .* - [F,L]

This will 403 forbid all direct requests for anything in a subfolder but will allow fopen to access the file.

That is sweet! Works a treat. Thanks a lot.

Slight feature request :) - can we allow PHP files to be served from the sub folders?

or if easier only apply the above rule to certain file type (MP3 in particular).

thanks again!!

Further Feature Requests:

How about blocking the access to any get requests from a foreign IP address?

i.e. allow all GET requests from the local macine (i.e. the server - so via proxy scripts / flash objects ...) but block anyone trying to download the media from another IP address...

i hate requirements creep, so sorry if this is annoying!

TonyKR wrote:How about blocking the access to any get requests from a foreign IP address?

Code: Select all

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^.+$ [NC]
RewriteRule .* - [F,L]

There you go. This check isn't based on the IP address though, when php uses fopen it doesn't make a real HTTP request, so this will block everthing except fopen.

Thanks for that.

I'm going to try to be absolutely specific in my requirements now!

Requests from Server (Local) machine can access all files in any subfolder.

[I forgot to mention previously that some files can be streamed via a Flash player]

Requests from a Client machine can access just the index.php file in each subfolder.

I think I need what you've already done, inconjunction with:

Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX

But how do I get the above to work with particular file types and requests from all non-local IP addresses!

It sounds complicated - more research needed!

TonyKR wrote:Requests from Server (Local) machine can access all files in any subfolder.... I forgot to mention previously that some files can be streamed via a Flash player

Ok the important thing to know is how is whatever accessing the files? using fopen? fsockopen? curl? For the flash player: Is it real streaming using fopen type functions or is the flash player making a HTTP request for the files?

TonyKR wrote:Requests from a Client machine can access just the index.php file in each subfolder....
But how do I get the above to work with particular file types and requests from all non-local IP addresses!

Ok this code can go in your /.htaccess file. It will deny all requests for any file in a subfolder. However, it will allow all requests for index.php in any folder and it will allow all requests made by a local IP addr (ip address starting with 208.113.183). So this should work for everything except I don't know about the flash player access yet.

Code: Select all

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
RewriteCond %{REQUEST_FILENAME} !^.+index\.php$ [NC]
RewriteCond %{REMOTE_HOST} !^208\.113\.183.+$
RewriteRule .* - [F,L]

Check out this setenvif guide.

Also you may want to add

Code: Select all

RewriteCond %{ENV:REDIRECT_STATUS} !200

before the rewriterule, depending on your server, see REDIRECT_STATUS variable article (lets local/internal requests through)