Posted to users@httpd.apache.org by Dragon <dr...@crimson-dragon.com> on 2007/09/26 22:33:27 UTC
Re: [users@httpd] image folder outside the root....how to
access it ?
Daniel Yañez wrote:
>Ok so I will use a dirty example since maybe
>this will be more clear. Let's assume that I
>cannot put images outside the root of my domain
>for the purposes that you explain. That only
>leaves me the option of using normal folders
>(ex. www.domain.com/images) to put my images in.
>Let's say I'm running an ADULT website, where
>users have to pay to register, and then login to
>get access to the private pages. I am using php
>and sessions to verify that indeed the user
>exists in my database and that he is a valid
>user. Everything is perfect here. I then forward
>the user to a secure page. This secure page verifies
>the existence of a valid session, and if so,
>then displays the content. If the session is not
>valid then it will redirect the user to another
>page asking him to login or whatever. This
>secure page contains a gallery of a beautiful
>girl. A gallery with pictures only registered
>members are allowed to see. One of the pictures has a url for example
> www.domain.com/images/kellyNaked.jpg. The
> registered user that is allowed to see that
> picture, can save the picture, print the
> screen, download it etc. I have no control over
> that I know. But my problem is that he shouldn't
> be able to send the link to a friend. Nobody
> should be able to just type:
> www.domain.com/images/kellyNaked.jpg and have
> the image opened. Otherwise, why pay??? If a
> user figures out the folder structure then he
> could easily find the other pictures.
>
>Now, all this about using a folder outside the
>root for private pictures was initially
>suggested because other people said they
>actually place files outside the root that they
>wanted to be private and only be served by a
>page inside the server. Maybe this technique
>works only for code files (.php etc). Or at
>least that's what everyone in this newsletter is
>telling me. So then, my question was, how to
>deliver images (or other media files) that are
>supposed to be only accessible to registered
>users from a folder inside my root, without
>having the risk of people just linking to them
>directly. There is no way to prevent this
>obviously with any kind of php script, or java
>or anything. This has to be done by something
>(and I assumed it was apache) in the server. I
>was almost ready to start using .htaccess but
>then on the official apache website:
>http://httpd.apache.org/docs/1.3/howto/htaccess.html
>they suggest not using an .htaccess file because it slows down the
> server plus it is insecure.
>
>My question to you guys now is different, what
>are the recommended ways to have a secure folder
>in my website that will only deliver its content
>to users when it is requested by a script inside
>my server? If it really has nothing to do with
>apache, then I'm sorry, but I think it is a
>combination of a server language like php and
>apache...maybe I'm wrong, but I would like any
>suggestions opinions you guys might have.
>
>Thanks again, and sorry for so many questions, I
>hope I can get the answers to my questions or at
>least better ideas of where to look at.
>Cheers !!
---------------- End original message. ---------------------
Please stop top-posting, it is rude and makes
reading the replies in order a pain in the ass.
Now I think you are making some assumptions here
that are wrong. You've got some of the ideas
correct but you aren't putting them all together properly.
First, .htaccess is not the only access control
scheme that has an impact on server performance.
Any sort of authentication, whether done by
Apache, a third-party module, or your script is
going to impact server performance. The thing is
that this is the price you have to pay to
restrict access. The big hit with .htaccess is
when it is used at multiple levels within a file
tree. Each time an .htaccess file appears in the
tree, it has to be accessed and verified by the server.
Second, .htaccess in and of itself is not
necessarily insecure. How you use it and exactly
where your .htaccess files live have a large
bearing on just how secure your system will be.
This is not a simple topic by any means. Nor does
this touch on user passwords being weak and all
sorts of other problems which are not unique to this scheme.
Third, putting the image files outside the server
root prevents them from being served by Apache
directly, this really is what you want to
achieve. However, this means that something else
has to serve them for Apache and this is
generally done via some sort of script file that
checks the authentication and then sends the
requested image file. Apache can't serve anything
it does not know how to get to and putting the
files outside of the server root structure will
prevent Apache from finding those files.
There are open source applications that do
exactly what you want, the files get served by
the scripts and are not directly accessible via
the web URL space. Do a little searching and you
can find examples of this sort of script.
So in summary, Apache by itself cannot do what
you want. You have to do some scripting or
install an application somebody else wrote that will do it.
Dragon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
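
The gatekeeper script described in the reply above, sketched in PHP as an added example that is not part of the original thread or any project's code. The directory path, the `user_id` session key, and the `f` query parameter are assumptions; a gallery page would reference images as `image.php?f=name.jpg` instead of linking to the files.

```php
<?php
// Added example: gatekeeper script inside the document root (e.g. image.php).
// Assumed, not from the thread: PRIVATE_DIR, the 'user_id' session key set by
// the login page, and the ?f= query parameter.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private_images'; // outside DocumentRoot
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'gif' => 'image/gif'];

/** Map a requested name to [real path, MIME type] inside $baseDir, or null. */
function resolve_image(string $requested, string $baseDir): ?array
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() discards any directory part, so "../../x.jpg" becomes "x.jpg".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() follows symlinks; reject anything resolving outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? [$path, ALLOWED_TYPES[$ext]] : null;
}

session_start();
if (empty($_SESSION['user_id'])) {   // same session check the member pages use
    http_response_code(403);
    exit('Login required');
}

$requested = $_GET['f'] ?? '';
$image = is_string($requested) ? resolve_image($requested, PRIVATE_DIR) : null;
if ($image === null) {
    http_response_code(404);
    exit('Not found');
}

[$path, $mime] = $image;
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');   // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the files sit outside the document root, a pasted link only reaches this script, which returns 403 to anyone without a valid session.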
Re: [users@httpd] image folder outside the root....how to access
it ?
Posted by "Mark A. Craig" <ma...@gmail.com>.
A good example of what Dragon talked about is the server scripting used by
image-hosting sites like ImageAvenue.com, whose specific goal is to prevent
direct access to the files themselves.
Mark
-------- Original Message --------
Subject: Re: [users@httpd] image folder outside the root....how to access it ?
From: Dragon <dr...@crimson-dragon.com>
To: users@httpd.apache.org
Date: Wednesday, September 26, 2007 01:33:27 PM
>
> Third, putting the image files outside the server root prevents them
> from being served by Apache directly, this really is what you want to
> achieve. However, this means that something else has to serve them for
> Apache and this is generally done via some sort of script file that
> checks the authentication and then sends the requested image file.
> Apache can't serve anything it does not know how to get to and putting
> the files outside of the server root structure will prevent Apache from
> finding those files.
>
> There are open source applications that do exactly what you want, the
> files get served by the scripts and are not directly accessible via the
> web URL space. Do a little searching and you can find examples of this
> sort of script.
>
> So in summary, Apache by itself cannot do what you want. You have to do
> some scripting or install an application somebody else wrote that will
> do it.
>
> Dragon