How to disable files to load from an external URL? - .htaccess

I have a website that have some files that are accessed publicly. Anyone can download them.
I have discovered lately that a website has added links to these files. With this way they claim ownership of them and they consume my bandwidth since they fetch them from my server.
How can i block other websites to refer to my website files?
I don't care if this files are not crawled by Google since now i refer to them using the rel="nofollow"
Can anyone suggest a solution.

What you are looking for is preventing deeplinking of contents on your website. Try the following in appache httpd.conf file it will creates a failed request when hot linking of the specified file types occurs.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css|<whatever extensions you want to block>)$ - [F]
If the content you want to block is generated dynamically using some programming language, you can check if the referrer header matches your domain and then continue the processing of the request.
JAVA
"http://www.example.com".equals(request.getHeader("referer"));
PHP
$_SERVER['HTTP_REFERER']=="http://www.example.com"

Related

How prevent unhautorized access to file with htaccess

how i can:
ALLOW access to file from website
AND
DENY access to file from all which external to website
Using HTACCESS ?
For example website is stored in a webspace associated to domain: xxx.xx.
Inside a webpage i have a link as:
LINK
And:
Clicking on LINK then start video correctly
BUT
Typing from url (for example): http://www.xxx.xx/video/example.mp4 need return error 403 (denied access) blocking so playing and/or download of file: example.mp4
Thanks for help.
Since it is not easy to write a rule in comments, I am providing a rule which blocks access to a mp4 file based on HTTP_REFERER header value:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?xxx\.xx/ [NC]
RewriteRule ^video/example\.mp4$ - [F,NC]
However keep in mind that clients can spoof HTTP_REFERER header.

How to rewrite rule based on folder and file type in htaccess?

I have been trying to implement a rewrite rule for a downloads folder so that I can serve files that end with .gif, .jpg, .png, .css, .js or .swf and send users to user.php for every other file.
For example: I should hit this URL : www.somewhere.com/downloads/mypic.jpg,
but when I try : www.somewhere.com/downloads/my.pdf I should be redirected to user.php.
So far, I have :
RewriteRule ^*/downloads//!(.*)\.(gif|jpg|png|jpeg|css|js|swf)$ /base/user.php?a=$1 [R=302,L]
Here are some samples for expected behaviour :
good
www.somewhere.com/downloads/mypic.jpg
www.somewhere.com/downloads/otherpic.png
www.somewhere.com/downloads/scripts/jquery.js
bad
www.somewhere.com/downloads/my.pdf > send the request to www.somewhere.com/base/user.php
www.somewhere.com/downloads/readme.txt > send the request to www.somewhere.com/base/user.php
www.somewhere.com/downloads/postman.json > send the request to www.somewhere.com/base/user.php
This probably is what you are looking for:
RewriteEngine on
RewriteRule ^/?downloads/([^/]+)\.(gif|jpg|png|jpeg|css|js|swf)$ /base/user.php?a=$1 [R=302]
The above rule will redirect the browser, so change the visible URL. That is what you suggest yourself in your question. In case you want to implement an internal rewriting instead you need to alter the flag slightly:
RewriteEngine on
RewriteRule ^/?downloads/([^/]+)\.(gif|jpg|png|jpeg|css|js|swf)$ /base/user.php?a=$1 [END]
This rule will work in the http servers host configuration and likewise in dynamic configuration files (.htaccess). Obviously the rewriting modules must be enabled in your http server. If you decide to use a dynamic configuration you need to enable its interpretation first, take a look at the AllowOverride directive in the official documentation for that.
And a general hint: you should always prefer to place such rules inside the http servers (virtual) host configuration instead of using dynamic configuration files (.htaccess style files). Those files are notoriously error prone, hard to debug and they really slow down the server. They are only supported as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).
In your modification of the question it becomes clear that what you try to implement actually is the opposite of what you apparently asked before. Here is a modified version of the above rule:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/downloads/[^/]+\.(gif|jpg|png|jpeg|css|js|swf)$
RewriteRule !^/?downloads/([^/]+\.\w+)$ /base/user.php?a=$1 [R=302]
And another general remark: often it makes more sense to not grant any access directly to files in the server side physical file system but to implement a router script instead which controls access to all such files. This allows for more fine grained access control and keeps the physical layout separated from the URL set you define.
Have this rule inside downloads/.htaccess file (create it if it doesn't exist):
RewriteEngine On
RewriteCond %{REQUEST_URI} !\.(gif|png|jpe?g|css|js|swf)$ [NC]
RewriteRule .* /base/user.php?a=$0 [R=302,L,NC,QSA]
I decided to redirect, when a request to a forbidden extension exists. This worked for me :
RewriteRule ^/downloads/(..(pdf|txt|json))$ /base/user.php?a=$0 [R=302,L]

File restriction to specific page

I'm trying to make a file only accessible when you're on a specific page.
Like download.php, the user can click a link to the file and the download starts without problems.
But if you go to the link in the browser directly it should not work.
Could I use .htaccess for this? or how would I do this?
This is possible with .htaccess by checking for the ${HTTP_REFERER}, which is the previous url you were on.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.example.com/download.php
RewriteRule myFile.zip - [R=403,L]
This checks if the previous page was download.php, otherwise it rewrites the request for myFile.zip to a 403 error page.
Note that it is possible to forge a referer by intercepting / creating your own request. This does not provide 100% security.

Use htaccess to only allow one page to access video

I have a folder on my site which contains several mp4 files. I have a php page on my site which is used to play those mp4 videos. I am new to htaccess and what I need is an htaccess that allows my videowindow.php to access the mp4 files but prevent access to those files if not from videowindow.php
Basically unless the video is being accessed by videowindow.php the video can not be accessed. I tried several examples I found here and there but none of them seem to work. Most of them deny access to the video files completely so they can't even be accessed by my own videowindow.php file.
Any help on this is appreciated.
You can do this by checking the HTTP "Referer" request field, but this in no way guarantees any access restrictions. The referer field can be easily forged.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://your-domain\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} !videowindow\.php$
RewriteRule \.mp4$ - [L,F]
This will make it so if a referer doesn't start with your domain and doesn't end with videowindow.php, then any access to mp4's will result in a 403 forbidden response.

htaccess - redirect all requests within subdirectory, except if a requested file exists

I'm developing an app in php, and I need to set up a pretty broad .htaccess redirect. I did some reading and tried to write the RewriteConds myself, but it's a bit above my paygrade - I'm hoping someone with more experience can help. Here's what I'm trying to accomplish:
The app is contained in www.example.com/app/. Don't redirect anything above this directory.
Some files exist in this directory that will need to be accessed. Currently these are /app/includes/* and /app/sb_pages/*. This will change and expand in the future, so I need an elegant solution that encompasses all existing files. It's fine if the redirect triggers within these directories when a file isn't found - all I care about is being able to access the files within without the redirect triggering.
All other requests should be redirected to /app/index.php, with the trailing url passed in the querystring. For example, a request to /app/path1/path2/ should redirect to /app/index.php?path=path1/path2/
The redirect should not be transparent. When the user requests /app/path1/path2/, I want them to believe they have remained there. They should not see the url change to /app/index.php?path=path1/path2/.
Just for added clarity, here's a few cases to elaborate:
/app/includes/sidebar.php should not redirect.
/app/includes/nothing.html does not exist - redirect is OK
/app/path1/path2/ should redirect to /app/index.php?path=path1/path2/. User should still see their current URL as /app/path1/path2/.
I hope I've explained it clearly and pre-empted most questions. If you need clarification, please don't hesitate to ask. Thanks in advance for the help!
Try adding this to your .htaccess file in your document root:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^app/(.*)$ /app/index.php?path=$1 [L,QSA]
Note that if you want accesses to existing directories (as opposed to files) to also not be redirected, add a RewriteCond %{REQUEST_FILENAME} !-d above the rule.

Resources