Posted to users@httpd.apache.org by "Nina P. Gregorev" <gr...@amnh.org> on 2009/08/09 17:01:37 UTC

[users@httpd] restrict access to files

Hello,

How can I restrict access to files when accessed via the url link?

I have image files that should be viewable within the site but shouldn't
be viewable when a user types in the full url in the browser.

Thank you.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] restrict access to files

Posted by Evan Platt <ev...@espphotography.com>.
At 11:54 AM 8/9/2009, you wrote:
>Well that is called hotlinking :)
>
>if the uri is accessed and does not come from "" or the own domain
>it's blocked, you can tweak it to include other file types than images
>and disallow empty referrals as well.

Then I totally misunderstood. I thought it only blocked say me on 
www.someotherdomain.com putting an image from www.example.com . :) 




Re: [users@httpd] restrict access to files

Posted by Jorge Schrauwen <jo...@gmail.com>.
Well that is called hotlinking :)

if the uri is accessed and does not come from "" or the own domain
it's blocked, you can tweak it to include other file types than images
and disallow empty referrals as well.

~Jorge



On Sun, Aug 9, 2009 at 7:38 PM, Evan Platt<ev...@espphotography.com> wrote:
> At 10:13 AM 8/9/2009, you wrote:
>>
>> This wiki article can be adapted to include other things than images as
> well.
>> http://wiki.apache.org/httpd/DisableImageHotLinking
>
> I believe what the OP was asking was that say there's
> www.example.com/image.jpg . If you type that URL in, you shouldn't be able
> to see the image.
> But, if www.example.com/image.jpg is a picture on www.example.com/index.html
> you should be able to see the picture if you go to
> www.example.com/index.html
>
>


Re: [users@httpd] restrict access to files

Posted by Evan Platt <ev...@espphotography.com>.
At 10:13 AM 8/9/2009, you wrote:
>This wiki article can be adapted to include other things than images as well.
>http://wiki.apache.org/httpd/DisableImageHotLinking

I believe what the OP was asking was that say there's 
www.example.com/image.jpg . If you type that URL in, you shouldn't be 
able to see the image.
But, if www.example.com/image.jpg is a picture on 
www.example.com/index.html you should be able to see the picture if 
you go to www.example.com/index.html




Re: [users@httpd] restrict access to files

Posted by Jorge Schrauwen <jo...@gmail.com>.
This wiki article can be adapted to include other things than images as well.
http://wiki.apache.org/httpd/DisableImageHotLinking

~Jorge



On Sun, Aug 9, 2009 at 5:01 PM, Nina P. Gregorev<gr...@amnh.org> wrote:
> Hello,
>
> How can I restrict access to files when accessed via the url link?
>
> I have image files that should be viewable within the site but shouldn't
> be viewable when a user types in the full url in the browser.
>
> Thank you.
>
>


[users@httpd] Re: restrict access to files

Posted by Nicholas Sherlock <n....@gmail.com>.
Nina P. Gregorev wrote:
> How can I restrict access to files when accessed via the url link?
> 
> I have image files that should be viewable within the site but shouldn't
> be viewable when a user types in the full url in the browser.

This is essentially impossible, unless you can control your client base. 
The typical solution is "hotlinking protection", where requests are 
rejected if their referrer is set to somebody else's website. It allows 
requests which have _no_ referral information to pass because it's very 
unlikely these requests came from another website.

To solve the problem with your situation, you'd have to reject all 
requests whose referrer was for another website, _or was absent_ (since 
entering the URL manually sends no referral information). This is a 
problem because _many_ clients use privacy software that will remove 
referral information from their requests for images embedded in your 
webpages. For instance, I think one of the popular Norton security 
programs does this; many visitors probably don't even know it's on their 
computer.

So if you solve your problem, those clients will never be able to see 
the images on your website.

Cheers,
Nicholas Sherlock
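
The two Referer policies discussed in this thread, written out as mod_rewrite rules for a .htaccess file or <Directory> block. This is an added example, not part of the original posts or of the linked wiki page; it assumes mod_rewrite is enabled and the site is served as www.example.com (the host name used in the thread), and the list of file extensions is an assumption.

```apache
# Added example, not from the thread. Assumes mod_rewrite is loaded and the
# site answers as example.com / www.example.com (host taken from the thread).
# Use ONE of the two variants, not both.

RewriteEngine On

# Variant A: classic hotlink protection.
# A request with an empty Referer passes, so typing the image URL into the
# address bar still shows the image. Only requests whose Referer names
# another site are refused with 403.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]

# Variant B: the behaviour asked for in the original question.
# The empty-Referer exemption is dropped: an empty value does not match the
# own-site pattern, so the negated condition is true and the request gets 403.
# Visitors whose software strips the Referer header then see no images on
# the site's own pages either.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

The Referer header is supplied by the client, so both variants filter on a value the server cannot verify. Files that need real access restriction belong behind authentication rather than a Referer check.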

