Force a file or image to download using .htaccess - .htaccess

I have been trying to force images to download using PHP Headers but there have been multiple problems.
So, instead, how can I use .htaccess so that when I link to an image like:
Download
...instead of opening that file in browser, the file is actually downloaded and saved to the user's computer.
I am already using .htaccess in my project to rewrite URLs if that affects anything.

Put this into your .htaccess
<FilesMatch "\.(?i:jpg|gif|png)$">
Header set Content-Disposition attachment
</FilesMatch>
Make sure you have mod_headers installed and enabled.

Related

Access files outside of webroot through alias and .htaccess rule

I need to make PDF files that are stored in a folder (with subfolders) outside of the web root publically accessible by a plain URL. An alias has been created in Apache that leads this folder so what I need now is a redirect rule in .htaccess to make this work.
I have this alias: https://www.examplesite.com/certificate
The URLs that will be used to access these PDFs are for example: https://www.examplesite.com/certificate/2018/LGOIGD9E9345034GJERGJER.PDF
https://www.examplesite.com/certificate/2017/GSDFJGLKJNL345L34LSNFLSD.PDF
How should I format my redirect rule in .htaccess to decide if the file is to be downloaded or viewed in the browser?
Sorry about the noise, I found the answer by myself:
<FilesMatch "\.pdf$">
ForceType applicaton/octet-stream
Header set Content-Disposition attachment
</FilesMatch>

Why is gzip not working on pub/static folder?

I am currently running Magento 2.1.14 and have enable gzip per the Magento documentation as well as the other well visited posts on this site. I have also doubled checked with my hosting provider that Mod_deflate is enabled on the server side.
In addition, I have a copy of my site on my local machine with same htaccess files as what resides on our live server.
On my local machine, simply enabling the apache module and then adding the htaccess code in the main htaccess file of the public_html directory works. All requests on my local site show headers that contain “Content Encoding: gzip”.
However, when live using https on our server, the gzip encoding seems to stop at the pub directory. NO content coming from the pub directory (pub/static and pub/media) shows and gzip encoding. The files on my local machine and live server are the same. According to my hosting provider, gzipped is enabled on their side and they believe that is has to do with one of the htaccess files in my file tree that is stopping the gzip encoding from happening.
I did a small test recommended by our hosting provider as well, and tried to set up an extra directory in the public_html directory on both my local machine and the live server to test if the gzip encoding would work. On my local machine, I can visit the directory and the file in it shows gzip compression, but on my live server, when adding the file to my public_html directory and attempting to visit it through the browser, Magento throws a 404 error!
Does anyone out there have any idea why gzip would not waterfall through my file tree and properly gzip the js, minified js, css and minified css files that are located in the pub folder?
After days of debugging it turns out that on my live server, the RequestHeader for Set-Encoding was being stripped. This was not happening on my Apache setup on my local machine. My web host still has not give me an explanation why this was happening, nor do I know if it has to do with the htaccess file in the pub/static directory, but adding the RequestHeader set below:
<IfModule mod_headers.c>
Header set X-UA-Compatible "IE=edge"
Header set Connection keep-alive
#THE LINE BELOW THIS COMMENT
RequestHeader set Accept-Encoding "gzip, deflate, br"
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-UA-Compatible
</FilesMatch>
to the htaccess file in the root of my magento site fixed the issue with the compression.
If this is a server issue, I would like someone to comment below on what I might bring up with my webhost to address this. Otherwise, I'm going to submit an issue to the Magento github.
Very strange issue,
deflate mode included in .htaccess of pub/static
bat not for all file types,
javascript files not added to setting
so,
just edit pub/static/.htaccess
and edit row with start - AddOutputFilterByType DEFLATE
and add content type -
text/javascript application/javascript application/x-javascript application/json image/svg+xml
now, all static content will with gzip.
Strange, why was missed this,
maybe for other features ?

How to Force Download files via .htaccess

I am trying to make my site "www.suruleretv.co" files like mp3, mp4 to force download instead of streaming.
I've tried to add some codes in find online via .htaccess but am getting error after adding it.
<FilesMatch "\.mp3$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>
it would help if you could add your code to the question, to clarify what you want and to identify what the issue is.
However, if you want to force files to be downloaded, adding the following in your .htaccess should be enough:
<FilesMatch "\.(mp3|mp4)$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>
Please keep in mind, that if you only add this part and have nothing else in it, you will have to save your .htaccess file in the same directory as the downloadeable files. It won't work for subfolders, without adding more rules.

How can I prevent scripts from running inside a directory?

I have a files directory for my image storage in my web root folder, i want to know how to secure that folder. i prevent people from uploading scripts to that folder, i check file extensions, if it is not an image then it will not save to that folder.
but faking extensions are done easily, what happens if someone manage to upload a script to my files directory and access that from the browser
so i need a way to prevent scripts from running inside that folder and only allow images to run.
i know htaccess can do that but i dont know how to set it up. my .htaccess file is like this:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
ForceType application/octet-stream
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
ForceType none
</FilesMatch>
Options All -Indexes
but it is not working, i saved a php file in that folder then tried to accessed it from the browser and i can still access it. do you know how to make this work? or if you have more secure approach to this, please tell me.
thank you
I think that it isn't working because you have only added an extra handler, you haven't removed the other handlers.
It is easiest to put another .htaccess file in the folder you want to protect (rather than messing with the match directive) that contains:
# Fix PHP, you should do matching commands for JSP and ASP, & html
RemoveType application/x-httpd-php php
# .... add the other remove-handler statements here .... #
# Optionally make these equivalent to text files.
# UPDATE: Taken this out as you dont want people to see PHP files at all
#AddType text/html php
# To disable cgi and server side includes & indexes
# You need to check the setup of Apache, some of the file types
# listed should already be handled as CGI (.pl, .py, .sh)
Options -ExecCGI -Includes -Indexes
# Completely block access to PHP files
<FilesMatch "\.(php|phps|html|htm|jsp|asp)$">
Order allow,deny
Deny from all
</Files>
# Add in any additional types to block
That covers PHP and CGI, you should do matching commands for JSP and ASP
UPDATE: Added code to completely block access to PHP files - sorry, thought initially that you simply didn't want them executing. Also note that I've commented out the line that turns PHP files into text files.

How do I force the browser download all file types in a directory using .htaccess?

How would I tell the browser to force download all file types in a directory instead of rendering them inside the browser?
I've tried this but it didn't work.
<Files *.*>
ForceType applicaton/octet-stream
</Files>
This would be better tasked with:
<Files *.*>
Header set Content-Disposition attachment
</Files>
I use this with a FilesMatch instead of Files. Below is an example with text-based files
<FilesMatch "\.(?i:doc|odf|pdf|rtf|txt)$">
Header set Content-Disposition attachment
</FilesMatch>
I'm not sure that is possible. But you can use a mod_rewrite to a .php file with the file name in the GET part of the URL. Then extract the file name and force a download through that. If you want some download code, just ask

Resources