Allow accessing a file only from specific URL in HTACCESS - .htaccess

I have no idea how to block entering to a specific file from every one except one website. I Have 2 websites, one with my website and other that I can upload to him any thing I want to. I want to allow image uploading to my website, but really it will upload the image to the other website, using AJAX. But I don't want people to be able to use the AJAX code for their sites too, I want that the other website will allow image uploading (AKA accessing to the PHP upload file) only from the first website.
I do not know how to use HTACCESS, I know only the basic, so here is an a example in PHP (and please help me to 'translate' it to HTACCESS):
<?php
if($_SERVER[REQUEST_URI] == "/images/uploads/EXAMPLE" && $from != "http://www.example.com"){ // $from = from where the ajax request were sent.
header("location: 403.html");
}
?>

You can give this a try, put the content below in your .htaccess file:
SetEnvIf Referer my-domain.com internal
#
<Files *>
order Deny,Allow
Deny from all
Allow from env=internal
</Files>
Put the .htaccess file in website where you upload the image to. My-Domain.com is the domain that you would like to have access to the images.
Note: This is not tested

Related

Preventing indexing of PDF files with htaccess

I have a ton of PDF files in different folders on my website. I need to prevent them from being indexed by Google using .htaccess (since robots.txt apparently doesn't prevent indexing if other pages link to the files).
However, I've tried adding the following to my .htaccess file:
<Files ~ "\.pdf$">
Header append X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"
</Files>
to no avail; the PDF files still show up when googling "site:mysite.com pdf", even after I've asked Google to re-index the site.
I don't have the option of hosting the files elsewhere or protecting them with a login system; I'd really like to simply get the htaccess file to do the job. What am I missing?
As I see in the comment made on another answer, I understand that
you are looking for removing indexed file/folder which is already done by google. You can temporary forbid it using following if you stop anyone accessing directly.
First, let me give you a workaround
after that I will let you know what you can do which will be taking bit longer time.
<Files "path/to/pdf/* ">
Order Allow,Deny
Deny from all
Require all denied
</Files>
this way all files/folders inside the given directory will be forbidden to use in the HTTP method. This means you can only access it programmatically for sending in attachment or deleting or something but the user will not be able to view these.
You can make a script on your serverside which will access file internally and show file using parsing instead direct URL.(assuming data is critical as of now).
Example
$contents = file_get_contents($filePath);
header('Content-Type: ' . mime_content_type($filePath));
header('Content-Length: ' . filesize($filePath));
echo $contents;
Indexing vs Forbidding (No need of this now)
Preventing indexing basically prevent this folder/files to be index by google bots or search engine bots, anyone visiting directly will still be able to view the file.
In the case of Forbidding, no external entity/users/bots will able to see/access this file/folder.
If you have recently forbidden access of your pdf folder, it may still be visible to Google until Googlebot visits again on your site and find those missing or you mention noindex for that specific folder.
You can read more about crawler rate on https://support.google.com/webmasters/answer/48620?hl=en
If you still want these to remove, you can visit the Google search console and request the same. visit: https://www.google.com/webmasters/tools/googlebot-report?pli=1
Just paste this in your htaccess file, use set instead of append
<Files ~ "\.pdf$">
Header set X-Robots-Tag "noindex, nofollow"
</Files>

.htaccess limit file to script access

I am extremely new to the concept of .htaccess, and I wanted to know how I could use it to allow a file to be used on a script on a .html file in the same directory as the .htaccess and the file. However, if you try to navigate to the file instead of viewing the script on the .html file, I would like it to be blocked. Thanks!
Update: Please see below comments!
Update 2: It seems that there is no way to achieve what I wished. That's ok, though. I just used a bunch of obfustication, and that seems to work well.
You are wanting to restrict access to a (script)file using htaccess so that a visitor can't directly link to the script file. Assuming this is working like described the visitor would load the HTML-file, the HTML-file would render and request the scriptfile....which will be blocked. So this isn't the way to go I reckon.
I would suggest changing the HTML-file to PHP when possible and include the script with a php include/require. This way the server-side code will determine what content is served.
Once you're including the file server-side you can prevent direct access to the file using htaccess by placing the code below inside your htaccess:
#Prevent Users From Accessing .inc* files in .htaccess
<Files ~ ".inc">
Order allow,deny
Deny from all
</Files>
In the above example direct access to .inc-files will be denied. Change this file-extension to your needs.
Inside your index.php file you'll need to include the file containing your script with something like:
include 'filewithscript.inc';
This should solve your problem.

How do I provide a local download link to files denied by htaccess

Users who log in to an admin area of a website need to be able to download files that have been previously uploaded by other admins. Public access to these files is not allowed.
The files are held in a directory called uploaded-files and there is a .htaccess in that folder:
<FilesMatch "\.(pdf|doc|docx|ods|xls|xlsx|ppt)$">
Order deny,allow
Deny from all
Allow from localhost
</FilesMatch>
That seems to work ok.. The public can't link to the files. The trouble is that the logged in admins can't link to them either because:
<a href"uploaded-files/abc.pdf">download</a>
gives a 403 forbidden when clicked. So it seems php/html files on the server can't access the files either.
What am I doing wrong? Surely there is an easy way to allow people on the server to download files via a link but still deny access to public?
I've tried keeping the files outside the public_html but I can't provide a link to that location either :(
You should keep these files outside your DOCUMENT_ROOT.
Download links should be via a PHP file e.g. <a href"http://domain.com/download-files.php?file=abc.pdf">download abc.pdf</a>
php code can check for auth part and allowed host etc. If all validations pass then return content of PDF with proper CONTENT type to the browser.

I need to prevent the files that are on my drupal website from beeing downloaded from outside even when they're on public nodes

I've set this in a .htaccess
ErrorDocument 403 http://websiteip.fr/fonds-spe/document-indisponible
order deny,allow
deny from all
allow from websiteip
allow from 127.0.0.1
allow from localhost
That .htaccess works : each time I'm trying to download a file via the "Apache" URL, I got the Error Document - that's ok.
BUT
with that, even Drupal can't access the files to display or play them (some are videos or sounds).
For example, on a node with an image in it, I got This image failed to load.
Any idea suggestion welcome
Each client will have a different public IP ... .htaccess is not the way to accomplish this. You'd be better suited modifying Drupal (via module) . Keep in mind however, if it plays on the screen or through the speakers, it can be recorded /downloaded /etc.
We use the Private Upload module on our site to protect files from being downloaded.
http://drupal.org/project/private_upload

stop accessing website content from other domain

how can i stop accessing my website content [like image,swf,pages etc.] from other domain?
suppose my server has a myflash.swf file in my server with live url http://www.mydomain.com/flash/myflash.swf . i want this flash can't be accased by any other domain using the live url. is it possable?
thanks in advance.
If its HotLinking that you wish to disable, these links may help you:
Htaccess Disable Hotlinking Code Generator
Disable Hot-Linking of images and other files
There is a HTTP header called referrer. It usually contains the site which request your swf to download.
When the Referrer value matches your domain name name, you can serve the content. Otherwise reject it.

Resources