You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Nina P. Gregorev" <gr...@amnh.org> on 2009/08/09 17:01:37 UTC
[users@httpd] restrict access to files
Hello,
How can I restrict access to files when accessed via the url link?
I have image files that should be viewable within the site but shouldn't
be viewable when a user type in the full url in the browser.
Thank you.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] restrict access to files
Posted by Evan Platt <ev...@espphotography.com>.
At 11:54 AM 8/9/2009, you wrote:
>Well that is called hotlinking :)
>
>if the uri is accessed and does not come from "" or the own domain
>it's blocked, you can tweak it to include other file types than images
>and disallow empty referrals as well.
Then I totally misunderstood. I thought it only blocked say me on
www.someotherdomain.com putting an image from www.example.com . :)
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] restrict access to files
Posted by Jorge Schrauwen <jo...@gmail.com>.
Well that is called hotlinking :)
if the uri is accessed and does not come from "" or the own domain
it's blocked, you can tweak it to include other file types than images
and disallow empty referrals as well.
~Jorge
On Sun, Aug 9, 2009 at 7:38 PM, Evan Platt<ev...@espphotography.com> wrote:
> At 10:13 AM 8/9/2009, you wrote:
>>
>> This wiki article can be adapted to include other things than images as
>> wel.
>> http://wiki.apache.org/httpd/DisableImageHotLinking
>
> I believe what the OP was asking was that say there's
> www.example.com/image.jpg . If you type that URL in, you shouldn't be able
> to see the image.
> But, if www.example.com/image.jpg is a picture on www.example.com/index.html
> you should be able to see the picture if you go to
> www.example.com/index.html
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] restrict access to files
Posted by Evan Platt <ev...@espphotography.com>.
At 10:13 AM 8/9/2009, you wrote:
>This wiki article can be adapted to include other things than images as wel.
>http://wiki.apache.org/httpd/DisableImageHotLinking
I believe what the OP was asking was that say there's
www.example.com/image.jpg . If you type that URL in, you shouldn't be
able to see the image.
But, if www.example.com/image.jpg is a picture on
www.example.com/index.html you should be able to see the picture if
you go to www.example.com/index.html
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] restrict access to files
Posted by Jorge Schrauwen <jo...@gmail.com>.
This wiki article can be adapted to include other things than images as wel.
http://wiki.apache.org/httpd/DisableImageHotLinking
~Jorge
On Sun, Aug 9, 2009 at 5:01 PM, Nina P. Gregorev<gr...@amnh.org> wrote:
> Hello,
>
> How can I restrict access to files when accessed via the url link?
>
> I have image files that should be viewable within the site but shouldn't
> be viewable when a user type in the full url in the browser.
>
> Thank you.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: restrict access to files
Posted by Nicholas Sherlock <n....@gmail.com>.
Nina P. Gregorev wrote:
> How can I restrict access to files when accessed via the url link?
>
> I have image files that should be viewable within the site but shouldn't
> be viewable when a user type in the full url in the browser.
This is essentially impossible, unless you can control your client base.
The typical solution is "hotlinking protection", where requests are
rejected if their referrer is set to somebody else's website. It allows
requests which have _no_ referral information to pass because it's very
unlikely these requests came from another website.
To solve the problem with your situation, you'd have to reject all
requests whose referrer was for another website, _or was absent_ (since
entering the URL manually sends no referral information). This is a
problem because _many_ clients use privacy software that will remove
referral information from their requests for images embedded in your
webpages. For instance, I think one of the popular Norton security
programs does this, many visitors probably don't even know it's on their
computer.
So if you solve your problem, those clients will never be able to see
the images on your website.
Cheers,
Nicholas Sherlock
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org