0

I am tinkering around with webpages on a LAMP server running Apache2 and was wondering if it was possible to make a directory accessible only to your web pages and not from outside?

Example scenario:

Directory to protect: dir1 containing images (jpg, png)

My own webpage: mypage.html that calls images from dir1

My website: www.myweb.com that contains both dir1 and mypage.html

Currently, files inside the website can be accessed via www.myweb.com/dir1/somefile.jpg or by calling mypage.html

I would like it to only be accessible by calling mypage.html

I have tried the following:

  • modifying .htaccess to disallow access of image types 

    <files "*.jpg">
  deny from all
</files>

(doesn't work because mypage.html cannot access it either)

  • Modify apache2 conf file with: 

    <Directory /var/www/dir1>
   AllowOverride None
   <Limit GET POST OPTIONS>
   Order deny,allow
   Deny from all
   </Limit>
</Directory>

    (this actually semi-worked as it allowed me to write to directory but not read, maybe this can be modified to allow requests coming from internal web pages to go through?)

I guess to conclude, is there a way to get Apache2 to ONLY accept requests to access a directory if it is of a certain url of your choosing?

Thanks in advance.

publicknowledge
  • 634
  • 1
  • 9
  • 17

1 Answers1

0

So, I've decided that the approaches I've taken so far really don't cut it and found you could actually call a php function where 

<img src='somefile.php?query=xxx' alt='pic'>

and where in the somefile.php I have that takes in img file name created from the query above.

echo file_get_contents($imgresource);

By serving the image from a php script and blocking this php script from being called without proper credentials, sessions, cookies and IP blocking, there is some security set.

So I guess it doesn't really answer the question in its entirety of blocking access only to some URLs but it works for the purpose of not being able to be accessed externally since I have buried the directory below (or above?) the web root directory where it can't be called from a url and only from internal script.

publicknowledge
  • 634
  • 1
  • 9
  • 17
  • 1
    If I knew you were using PHP I would have suggested this approach. However you didn't tag the question as php or had any php examples. Glad you found something to use. – Panama Jack Nov 18 '15 at 00:52
  • Sorry. I didn't specify php because the initial problem I boxed it in as, wasn't scripting specific. Thanks for confirming the approach though. – publicknowledge Nov 18 '15 at 03:51