Posted to users@httpd.apache.org by Rachel Anderson-Barrios <rb...@fimacsolutions.com> on 2007/09/27 17:32:08 UTC

Re: [users@httpd] image folder outside the root....how to access it ?

From the sounds of it, you are required to use a web application to do
what you want to do.  It doesn't have to be PHP.  You can use cgi
scripts, ASP, tomcat with java, or ...

Make a script or a page which will do two things.  First, validate the
user, check that they are logged in, paid, etc.  Second, parse a
parameter to allow the image to be displayed on the page.  Say, for
example, the url is "www.domain.com/show_picture.cgi?id=sunset.jpg".
show_picture.cgi will first check that the user exists and, if so, will
display sunset.jpg (from whatever folder sunset.jpg is in).

Now, you do raise a point, a user could view the source and see the
exact location of sunset.jpg.  Well, there are a few other
possibilities.

You don't need your pictures to be in a "images" directory, it can be
called anything you want.  You could put it under
"www.domain.com/sept_2007/another_sud_directory/123654123654/here"  Once
a user has viewed a picture, the server in the background can move it to
a new location.  For this, you may want to keep a database of where the
pictures are located.

Another thing you could do is only display your photos through an
embedded object. For example, make little flash files out of your
pictures.  Have the flash program check that you are logged in, etc. 
Then you wouldn't need to move them around, or do anything else.

Sincerely,
-Rachel

PS.  This is my initial impression, there are probably many other ways
to do what you want, but you will need the help of a programmed
application to do so.

On Wed, 2007-09-26 at 14:05, Daniel Yañez wrote:
> Ok so I will use a dirty example since maybe this will be more clear. Let's assume that I cannot put images outside the root of my domain for the purposes that you explain. That only leaves me the option of using normal folders (ex. www.domain.com/images) to put my images in. Let's say I'm running an ADULT website, where users have to pay to register, and then login to get access to the private pages. I am using php and sessions to verify that indeed the user exists in my database and that he is a valid user. Everything is perfect here. I then forward the user to a secure page. This secure page verifies the existence of a valid session, and if so, then displays the content. If the session is not valid then it will redirect the user to another page asking him to login or whatever. This secure page contains a gallery of a beautiful girl. A gallery with pictures only registered members are allowed to see. One of the pictures has a url, for example www.domain.com/images/kellyNaked.jpg. The registered user that is allowed to see that picture can save the picture, print the screen, download it etc. I have no control over that, I know. But my problem is that he shouldn't be able to send the link to a friend. Nobody should be able to just type: www.domain.com/images/kellyNaked.jpg and have the image opened. Otherwise, why pay??? If a user figures out the folder structure then he could easily find the other pictures.
> 
> Now, all this about using a folder outside the root for private pictures was initially suggested because other people said they actually place files outside the root that they wanted to be private and only be served by a page inside the server. Maybe this technique works only for code files (.php etc). Or at least that's what everyone in this newsletter is telling me. So then, my question was, how to deliver images (or other media files) that are supposed to be only accessible to registered users from a folder inside my root, without having the risk of people just linking to them directly. There is no way to prevent this obviously with any kind of php script, or java or anything. This has to be done by something (and I assumed it was apache) in the server. I was almost ready to start using .htaccess but then on the official apache website: http://httpd.apache.org/docs/1.3/howto/htaccess.html they suggest not using an .htaccess file because it slows down the server plus it is insecure.
> 
> My question to you guys now is different: what are the recommended ways to have a secure folder in my website that will only deliver its content to users when it is requested by a script inside my server? If it really has nothing to do with apache, then I'm sorry, but I think it is a combination of a server language like php and apache...maybe I'm wrong, but I would like any suggestions or opinions you guys might have.
> 
> Thanks again, and sorry for so many questions, I hope I can get the answers to my questions or at least better ideas of where to look at. 
> Cheers !!
> 
> 
> ----- Original Message ----
> From: Boyle Owen <Ow...@swx.com>
> To: users@httpd.apache.org
> Sent: Wednesday, September 26, 2007 2:25:48 AM
> Subject: RE: [users@httpd] image folder outside the root....how to access it ?
> 
> > -----Original Message-----
> > From: Daniel Yañez [mailto:daniel_wachy84@yahoo.com] 
> > Sent: Wednesday, September 26, 2007 4:03 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] image folder outside the 
> > root....how to access it ?
> > 
> > Thanks for the info Joshua, I will read it and see what I can 
> > learn, although I have a couple of things to point out. The 
> > solution I'm looking for was not originally intended to stop 
> > hot linking, but simply, just as a way to have pictures in 
> > private folders that could only be accessed by a specific 
> > user. Let's say someone uploads a picture to their private 
> > page, nobody should be able to access that picture but the 
> > owner of that picture. Without any kind of security anyone 
> > can type the picture folder + name and access it like this: 
> > www.website.com/images/image1.jpg. 
> 
> It sounds like you are looking for "security" - ie, password-controlled access. Or, a web application like coppermine (google for details...) 
> 
> > And so I started doing 
> > some research and I have found lots of places and articles 
> > that suggest that for my problem I should just use a folder 
> > outside of the root of my domain. 
> 
> This would only make sense in the context of a web application that is fetching the images dynamically (ie, mapping the dynamic URLs to arbitrary file locations). If you have a link, post it and I'll have a look...
> 
> > The way everyone talks 
> > about it seems like it should be a simple thing, like 
> > something that shouldn't be hard. Yet I can't do it. Just as a 
> > final note, I have been able to access files outside the 
> > root, files like .php, by using include() to call those files. 
> > We were even able to open jpgs as binary and convert them back 
> > to jpgs with some php functions.
> 
> Yes - that's a PHP application that is handling the request and reading the files off the disk. This bypasses apache so can't be emulated by apache config directives. 
> 
> > Yet we should need to do this for all the 
> > secure images in my website. I know there has to be other 
> > ways to achieve this. 
> 
> I think you are confusing server-sided web applications, like PHP, with apache. Apache is just a web server; it gets files off disks and sends them down the wire. It can also pass requests to other applications on the server (handlers, like PHP) and they can get data for it, but they are not bound by or controlled  by the apache config.
> 
> You can't do what you want to do with apache alone.
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> 
> 
> > 
> > 
> > 
> > ----- Original Message ----
> > From: Joshua Slive <jo...@slive.ca>
> > To: users@httpd.apache.org
> > Sent: Tuesday, September 25, 2007 1:22:16 PM
> > Subject: Re: [users@httpd] image folder outside the 
> > root....how to access it ?
> > 
> > 
> > On 9/25/07, Daniel Yañez <da...@yahoo.com> wrote:
> > > Hello everyone, I have been trying to make this work but so far I
> > > haven't been able to successfully load an image (or other media
> > > file) that is in a folder outside the root of my domain. I
> > > initially wanted to do this in order to be able to deliver these
> > > images from code running inside my server, but to prevent people
> > > from linking directly to the image (or file) using the address bar
> > > (example: http://www.fakedomain.com/images/image1.jpg).
> > >
> > > I know it might be possible to achieve this using an .htaccess but
> > > I heard they are a little bit unsecure plus they slow down the
> > > server. (In the apache website they recommend not using it.)
> > >
> > > My problem is that whenever I try to link to an image outside the
> > > root it simply will not work. For example let's say my fictional
> > > root folder is this one: www/var/public_html/ and let's just say
> > > the index of my website then is this: www/var/public_html/index.html
> > > Now let's just say I want to put my images in a folder located
> > > outside the root, like this: www/images/image1.jpg etc. I should be
> > > able to link to the image like this from my index.html file:
> > > ../images/image1.jpg but it doesn't work. I've tried several
> > > combinations but nothing seems to work.
> > >
> > > My question to you guys is if you know what apache setting needs to
> > > be turned on (or off) to enable this? Or how should I link to
> > > images outside the root?
> > >
> > > Thanks in advance and I hope anyone here can help me because I have
> > > looked in a lot of places with no success. Thanks again !!!
> > >
> > 
> > You've got a fundamental problem here: If the image file is not
> > accessible from the web, then it can't be embedded in an html page. In
> > order for the image to be displayed as part of the html page, the
> > browser makes a separate request for the image that, to the server,
> > looks identical to a request for the image alone (with the important
> > exception of the content of the Referer HTTP request header). Putting
> > the images outside the root is not, in itself, a problem. You can
> > simply use an Alias to map them into the webspace so they are
> > accessible from the web. But this will not help your direct linking
> > problem.
> > 
> > Here's my suggestion: 1. Check to see if you really have a direct
> > linking problem. Is this really causing you serious problems? Can you
> > fix it just by occasionally changing the name of your image file? 2.
> > If you decide you really need to prevent hotlinking/embedding of your
> > images in external pages, use one of the suggestions here:
> > http://wiki.apache.org/httpd/DisableImageHotLinking
> > Note that neither of these require the use of .htaccess.
> > 
> > Joshua.
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>  
> 


Re: [users@httpd] image folder outside the root....how to access it ?

Posted by Dragon <dr...@crimson-dragon.com>.
Rachel Anderson-Barrios wrote:
>From the sounds of it, you are required to use a web application to do
>what you want to do.  It doesn't have to be PHP.  You can use cgi
>scripts, ASP, tomcat with java, or ...
>
>Make a script or a page which will do two things.  First, validate the
>user, check that they are logged in, paid, etc.  Second, parse a
>parameter to allow the image to be displayed on the page.  Say, for
>example, the url is "www.domain.com/show_picture.cgi?id=sunset.jpg".
>show_picture.cgi will first check that the user exists and, if so, will
>display sunset.jpg (from whatever folder sunset.jpg is in).
>
>Now, you do raise a point, a user could view the source and see the
>exact location of sunset.jpg.  Well, there are a few other
>possibilities.
>
>You don't need your pictures to be in a "images" directory, it can be
>called anything you want.  You could put it under
>"www.domain.com/sept_2007/another_sud_directory/123654123654/here"  Once
>a user has viewed a picture, the server in the background can move it to
>a new location.  For this, you may want to keep a database of where the
>pictures are located.
>
>Another thing you could do is only display your photos through an
>embedded object. For example, make little flash files out of your
>pictures.  Have the flash program check that you are logged in, etc.
>Then you wouldn't need to move them around, or do anything else.
>
>Sincerely,
>-Rachel
>
>PS.  This is my initial impression, there are probably many other ways
>to do what you want, but you will need the help of a programmed
>application to do so.
---------------- End original message. ---------------------

Actually, this is almost right but not quite.

If you want the files served securely, they should NOT be located 
anywhere within the document root tree.

The script itself would retrieve the file from where it lives outside 
the server root and forward it to the browser. The URL for the image 
would be a call to the CGI script and not a direct link to the image 
itself. CGI is not limited to serving HTML, you can serve any file 
type you want by providing the appropriate content type and 
disposition headers.

For instance, in one of the applications I am working on, there is an 
option for a logged-in user with appropriate privileges to access a 
PDF file. This file is generated on the fly from the database and it 
never resides as an actual file on the file system. You can do the 
same thing with images. They can be stored in a database or anywhere 
on the file system and served solely by the application script.

In short, the application script acts as a proxy to Apache to serve 
the content. Apache simply invokes the script under the CGI mechanism 
and then "gets out of the way" while the script does what it is supposed to do.

Unfortunately, this is no longer really a discussion about Apache and 
is thus drifting off topic. There are many good books and tutorials 
out there on how to write web applications. Those resources are a 
better place to turn at this time than this list.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
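
The approach described in this thread (a script that checks the login, reads the image from a directory outside the document root, and sends it with its own content type and disposition headers) can be sketched in Python as follows. This is an added example, not code from any poster; `serve_image`, `cgi_response`, `session_valid` and the image directory are hypothetical names, and `session_valid` stands in for the application's own session check. Because the `id` parameter comes from the client, the script confines it to the image directory before opening anything.

```python
import mimetypes
from pathlib import Path

# Only these types are ever sent, whatever ends up in the directory.
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}
PLAIN = [("Content-Type", "text/plain")]


def serve_image(image_id, session_valid, image_dir):
    """Return (status, headers, body) for show_picture.cgi?id=<image_id>.

    session_valid stands in for the application's own login/payment check;
    image_dir is a directory outside the DocumentRoot (both are assumptions).
    """
    if not session_valid:
        # Checked first, so an anonymous client cannot probe which files exist.
        return "403 Forbidden", PLAIN, b"login required\n"
    try:
        base = Path(image_dir).resolve()
        # resolve() collapses ".." and follows symlinks, so the containment
        # test sees the real target of ids such as "../secret.txt".
        target = (base / image_id).resolve()
        ctype, _ = mimetypes.guess_type(target.name)
        ok = (base in target.parents and target.is_file()
              and ctype in ALLOWED_TYPES)
        body = target.read_bytes() if ok else b""
    except (OSError, ValueError):  # unreadable file, NUL byte in the id, ...
        ok = False
    if not ok:
        return "404 Not Found", PLAIN, b"not found\n"
    headers = [
        ("Content-Type", ctype),
        ("Content-Disposition", "inline"),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "private, no-store"),  # keep shared caches out of it
    ]
    return "200 OK", headers, body


def cgi_response(status, headers, body):
    """Format the result the way a CGI script writes it to stdout."""
    head = "Status: %s\r\n" % status
    head += "".join("%s: %s\r\n" % h for h in headers)
    return head.encode("ascii") + b"\r\n" + body
```
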

