0

I'm currently working on a project using PHP, Apache server and Symfony. What I'm trying to achieve is to prevent my images from being accessed via http://localhost:8000/img/logoSmall.png directly in the URL bar. I already tried using the Option All -Indexes but it does not work. I don't know if I'm doing something wrong. I also tried some things from this post, like:

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC] 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC] 
RewriteRule \.(gif|jpg|png)$ - [F]

and changing

Options Includes Indexes FollowSymLinks MultiViews

to

Options Includes FollowSymLinks MultiViews

I'm also sure that my httpd.conf file has AllowOverride All

I really don't know what else to do. I've been stuck on this for too long. If you see any errors in my solutions, or you have any suggestions, I would very much appreciate them. Thanks in advance.

EDIT

I do want to continue displaying the images on my site; what I don't want is to allow other users to access them with the direct URL.

OmarAguinaga
  • Do you want to prevent access to the files no matter what, or just when they are directly accessed from the URL bar? Sorry, I assumed the former in my answer. – NighttimeDriver50000 Mar 09 '16 at 08:42
  • 2
    There is no reliable way to do this. It's not worth bothering with –  Mar 09 '16 at 08:43
  • Well, you can fully prevent access with my answer. I was assuming OP was going to load the files with PHP or something into data URIs, so that the would-be URLs for the images are never used. – NighttimeDriver50000 Mar 09 '16 at 08:48

2 Answers

0

I had a similar problem, but in my case I used a folder (Uploads) for files uploaded by users (profile pictures etc.), and then I needed to show those files only to certain users (the account owner and his contacts).

My solution: 1) In security.yml, close the uploads folder to all users except super admin:

security:
   access_control:
       - { path: ^/uploads/, role: ROLE_SUPER_ADMIN }

2) If you need users to be able to download files from the server, create a controller to handle this:

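use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\Request;

class DownloadController extends Controller
{
    // Streams the requested file back through Symfony instead of
    // letting Apache serve it directly.
    public function downloadAction(Request $request, $filepath = null)
    {
        // Without a path there is nothing to serve: answer 404 instead of returning null.
        if (!$filepath) {
            throw $this->createNotFoundException();
        }

        // $filepath is request-controlled and is passed through unchanged here.
        return new BinaryFileResponse($filepath);
    }
}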
Ozz Mium
  • 61
  • 6
  • I am doing the same, but my URL is still public and an unauthorized user can see the image – Owais Aslam Jan 01 '19 at 17:12
  • 1
    Check your security.yaml and make sure your controller is behind the firewall with enabled security. What's the path leading to your downloadAction? – Ozz Mium Jan 05 '19 at 21:07
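
The controller in the answer above hands `$filepath` to `BinaryFileResponse` unchanged, so the path has to be confined to the uploads directory before anything is served. The following is an added example, not the answerer's code: the function name `resolveUpload`, the extension allowlist and the temporary sample tree are assumptions constructed for illustration.

```php
<?php
// Added example (not the answerer's code). resolveUpload(), the allowlist
// and the sample directory below are illustrative assumptions.

/**
 * Map a user-supplied relative path to a real file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolveUpload(string $baseDir, string $requested, array $allowedExt = ['gif', 'jpg', 'png']): ?string
{
    $base = realpath($baseDir);
    // Reject a missing base directory and embedded NUL bytes up front.
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks and fails on missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit under the uploads directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only serve the file types the site actually publishes.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $real : null;
}

// Constructed sample tree: <tmp>/uploads/avatar.png and <tmp>/secret.yml
$root = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/avatar.png', 'constructed image bytes');
file_put_contents($root . '/secret.yml', 'constructed secret');

foreach (['avatar.png', '../secret.yml', 'missing.png', '/etc/passwd'] as $case) {
    $path = resolveUpload($root . '/uploads', $case);
    printf("%-16s => %s\n", $case, $path === null ? 'refused (404)' : 'serve ' . basename($path));
}

// Remove the constructed sample files again.
unlink($root . '/uploads/avatar.png');
unlink($root . '/secret.yml');
rmdir($root . '/uploads');
rmdir($root);
```

In `downloadAction()`, a `null` result maps to `createNotFoundException()`, and only a non-null path goes to `BinaryFileResponse`, after the check that the current user may see that file.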
-1

In apache2.conf (at least that's what I tested it in):

<FilesMatch "\.(gif|jpg|png)$">
    Require all denied
</FilesMatch>

Note: This will prevent access to the files even from within HTML files. The only way they can be displayed on a page is to include them in the HTML with data URIs generated in your PHP.