From: Saqib.N.Ali@seagate.com
To: users@httpd.apache.org
Date: Sat, 26 Oct 2002 16:31:49 -0700
Subject: Re: [users@httpd] Hide the URL when Downloading a File

Hi Joshua,

Even if you hide the file in an area that is not accessible by WWW, the file can be easily accessed by using the PHP file. People will just copy the PHP file URL, and access the file like that. They don't need to know the exact location to get the file. They will just use the PHP file to get the PDF.

One of the ways to fix this problem is to use mod_rewrite and the HTTP_REFERER var.

In Peace,
Saqib Ali
http://www.sc-icc.org:8080/cocoon/mount/docbook/

"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15

> Well, that is a little bit of overkill.
> You just need to store it in an
> area that is not directly accessible through the webserver. Then you
> have your PHP script deliver it directly to the client (the equivalent
> of system('cat /path/to/file.pdf') (but don't actually do it that way!).
> But note that this solution will kill the byte-serving (page-at-a-time)
> ability of Acrobat.
> I'm not sure of any better way, other than writing your restrictions as
> an apache module.
> Joshua.

From: Saqib.N.Ali@seagate.com
To: users@httpd.apache.org
Date: 10/26/2002 03:08 PM
Subject: Re: [users@httpd] Hide the URL when Downloading a File

However, be careful if you are using the PHP/JSP method. With the server-side scripting method, anyone can sniff his/her internet traffic and get the URL. One way to fix it is to use HTTPS (secure HTTP).

If you are using the server-level method, you won't have to worry about this.

"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15

From: Saqib.N.Ali@seagate.com
To: users@httpd.apache.org
Date: 10/26/2002 03:01 PM
Subject: Re: [users@httpd] Hide the URL when Downloading a File

Hi Mary,

I think what you want to do is prevent people from directly linking to the PDF files. You can either do it on the web server level, or on the server-side scripting level (e.g. PHP or JSP). All you have to do is check for the referer VARIABLE.

--- Server Level:

If you want to do it on the server level, you will have to use the "mod_rewrite" module and the HTTP_REFERER variable. There is a good example @ http://httpd.apache.org/docs/misc/rewriteguide.html under the section titled "Blocked Inline-Images". You will have to slightly modify it to match your file types.
--- Server-based scripting level:

Here is some sample PHP code

    <?php
    // Redirect to the PDF only when the Referer points at the download area.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if ($referer) {
        // Substring match, as the original ereg() call did
        // (ereg() no longer exists in current PHP).
        if (strpos($referer, "http://testbrass.web.boeing/download/") !== false) {
            header("Location: http://testbrass.web.boeing/download/test.pdf");
        } else {
            header("Location: http://some_other.url");
        }
    } else {
        // No Referer header was sent.
        header("Location: http://some_other.url");
    }

I hope this helps.

In Peace,
Saqib Ali
http://www.sc-icc.org:8080/cocoon/mount/docbook/

"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15

From: "Wang, Mary Y" oeing.com>
Date: 10/25/2002 03:54 PM
Subject: [users@httpd] Hide the URL when Downloading a File

Hi Everyone,

I have been thinking about this problem for a while, but have no solution at this point. I need your help! I have some files located in a directory on the server for downloading. I can't really protect the directory because the user and group id are all defaulted to "apache". When the user is downloading a file, an href points to the URL, and it would grab the file from http://testbrass.web.boeing/download/test.pdf. The problem is that all my security checks are done through the .php file. On the browser, it would show the URL as above, and any unauthorized users could just copy that URL and get that file. I don't want to set up the .htaccess thing right now for my own reasons.

My question is: is there any way I can disguise this URL as some garbled URL, so that HTTP clients CAN'T see the URL and only server code can process the correct URL? Can I configure this in httpd.conf?

Thanks for any input!

Mary
(562) 797-1545

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
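
One way to implement the approach Joshua describes in the thread above (keep the file outside the web-served area and let a script deliver it after its own check), as an added example that is not code from any poster. The directory path, the `file` query parameter and the `$_SESSION['authorized']` flag are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: DOWNLOAD_DIR,
// the "file" query parameter, and the $_SESSION['authorized'] flag.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/private/downloads'; // assumed; outside DocumentRoot

// Map a requested name to a real file inside $baseDir, or null if rejected.
function resolve_download(string $baseDir, string $requested): ?string
{
    // Bare file name only: no directory separators, .pdf extension required.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // realpath() has resolved symlinks; the result must still be under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
// Authorization is decided from server-side session state set at login,
// not from the Referer header, which the client chooses.
if (empty($_SESSION['authorized'])) {
    http_response_code(403);
    exit('Forbidden');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path); // streams the whole file; no Range (byte-serving) support
```

Because every request passes through the session check, a copied script URL opened without a logged-in session gets a 403 instead of the PDF.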