1

I'm trying to use mod_rewrite to deny direct access to files on my web server, e.g. http://domain.tld/reports/imareport.pdf or http://domain.tld/img/img1.png, and I've used the answer on this question:

(htaccess) How to prevent a file from DIRECT URL ACCESS?

That page suggests using mod_rewrite like this:

RewriteEngine on 
RewriteRule \.(png|pdf|htm)$ - [F]

Using mod_rewrite in this manner works fine for denying access to PDFs, but other files that are ordinarily included in a page, such as images and CSS, are not only blocked from direct access, but also blocked when used on a webpage in a normal <img> tag or whatever. This is contrary to the question and answer mentioned above.

So... my question is... is there a way to block direct access to files but still allow them in webpages?

  • 1
    I believe that the answer is here for you already: http://stackoverflow.com/questions/10236717/htaccess-how-to-prevent-a-file-from-direct-url-access – Mark Phillips Oct 20 '16 at 15:31
  • That is the post I initially used, but the problem is the solution blocks images on a webpage as well as direct access. – Randy Fumigator Whitaker Oct 20 '16 at 15:36
  • Do these files need to be accessed only after the user has logged in, or anybody visiting the site, but just not directly accessing the images by putting the URL in the address bar? – Mike Oct 20 '16 at 15:36
  • 1
    @RandyFumigatorWhitaker, you did change the "localhost" part in the rewrite rule to reflect your domain's FQDN? – Mark Phillips Oct 20 '16 at 15:38
  • I want to set the rule for public access, but it would also apply to users who have authenticated. – Randy Fumigator Whitaker Oct 20 '16 at 15:38
  • 1
    @RandyFumigatorWhitaker Why not just not worry about it then? Whatever thing you try to do using the HTTP_REFERER is only security through obscurity and anybody who wants to get around it and knows what they're doing can easily do it. Maybe let us know what you're actually trying to prevent. – Mike Oct 20 '16 at 15:40
  • Thanks all for the guidance. Mark Phillips, you are right, I failed to use RewriteCond to whitelist the website URL. That got everything working. – Randy Fumigator Whitaker Oct 20 '16 at 15:52

1 Answer

0

Thanks Mark Phillips, I didn't fully appreciate what these two rewrite conditions were doing for me:

RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC] 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]

So I had managed to mess them up. Things worked as needed when I used the code just as it was.
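
An added example (not code from the original posts) that models how the negated RewriteCond lines combine with the RewriteRule from the question, using Python's re module in place of Apache. It assumes domain.tld from the question as the site host; the TIGHTENED pattern and all sample requests are constructed for comparison.

```python
import re

# Assumed host, taken from the question's example URLs; use the site's real FQDN.
SITE = r"domain\.tld"

# Modelled on the answer's RewriteCond lines ([NC] = case-insensitive).
# The answer's second condition matches the same prefix as the first,
# so a single pattern represents both.
AS_POSTED = [re.compile(r"^http://(www\.)?" + SITE, re.I)]

# Tightened variant (an assumption, not from the page): also accept https
# and require the host name to end at "/" or at end-of-string.
TIGHTENED = [re.compile(r"^https?://(www\.)?" + SITE + r"(/|$)", re.I)]

# RewriteRule pattern from the question.
PROTECTED = re.compile(r"\.(png|pdf|htm)$")


def decide(path, referer, allowed):
    """Return 403 where the rule's [F] flag would apply, else 200.

    A RewriteCond written as '!pattern' is true when the Referer does NOT
    match. Consecutive conditions are ANDed, so the rule fires only when
    the Referer matches none of the allowed patterns.
    """
    if not PROTECTED.search(path):
        return 200
    referer = referer or ""  # a missing header expands to an empty string
    if all(not p.search(referer) for p in allowed):
        return 403
    return 200


# Constructed sample requests: (path, Referer header or None).
SAMPLES = [
    ("/img/img1.png", None),                             # typed into the address bar
    ("/img/img1.png", "http://domain.tld/page.html"),    # embedded in the site's page
    ("/img/img1.png", "https://domain.tld/page.html"),   # same page served over https
    ("/img/img1.png", "http://domain.tld.example.net/"), # different host, same prefix
    ("/reports/imareport.pdf", "http://other.example/"), # linked from another site
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        print(path, ref, decide(path, ref, AS_POSTED), decide(path, ref, TIGHTENED))
```

As Mike's comment points out, the Referer header is supplied by the client, so either rule set limits casual hotlinking rather than enforcing access control.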