httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rachel Anderson-Barrios <rbarr...@fimacsolutions.com>
Subject Re: [users@httpd] image folder outside the root....how to access it ?
Date Thu, 27 Sep 2007 15:32:08 GMT
>>From the sounds of it, you are required to use a web application to do
what you want to do.  It doesn't have to be PHP.  You can use cgi
scripts, ASP, tomcat with java, or ...

Make a script or a page which will do two things.  First, validate the
user, check that they are logged in payed, etc.  Second, parses a
parameter to allow the image to be displayed on the page.  Say, for
example, the url is "www.domain.com/show_picture.cgi?id=sunset.jpg"
show_picture.cgi will first check that the user exists, if so, will
display sunset.jpg (from whatever folder sunset.jpg is in).

Now, you do raise a point, a user could view the source and see the
exact location of sunset.jpg.  Well, there are a few other
possibilities.

You don't need your pictures to be in a "images" directory, it can be
called anything you want.  You could put it under
"www.domain.com/sept_2007/another_sud_directory/123654123654/here"  Once
a user has viewed a picture, the server in the background can move it to
a new location.  For this, you may want to keep a database of where the
pictures are located.

Another thing you could to is only display your photos through an
embedded object. For example, make little flash files out of your
pictures.  Have the flash program check that you are logged in, etc. 
Then you wouldn't need to move them around, or do anything else.

Sincerely,
-Rachel

PS.  This is my initial impression, there are probably many other ways
to do what you want, but you will need the help of a programed
application to do so.

On Wed, 2007-09-26 at 14:05, Daniel Yaÿfffffffffff1ez wrote:
> Ok so I will use a dirty example since maybe this will be more clear. Lets asume that
I cannot put images outside the root of my domain for the purposes that you explain. that
only leaves me the option of using normal folders (ex. www.domain.com/images) to put my images
in. Lets say Im running an ADULT website, where users have to pay to register, and then login
to get access to the private pages. I am using php and sessions to verify that indeed the
user exists in my database and that he is a valid user. Everything is perfect here. I then
forward the user to a secure page. This secure verifies the existance of a valid session,
and if so, then displays the content. If the session is not valid then it will redirect the
user to another page asking him to login or whatever. This secure page contains a gallery
of a beautifull girl. A gallery with pictures only registered members are allowed to see.
one of the pictures has a url for example 
>  www.domain.com/images/kellyNaked.jpg. The registered user that is allowed to see that
picture, can save the picture, print the screen, download it etc. I have no control over that
I know. But my problem is that he shouldnt be able to send the link to a friend. nobody should
be able to just type: www.domain.com/images/kellyNaked.jpg and have the image opened. Otherwise,
why pay??? if a user figures out the folder structure then he could easily find the other
pictures. 
> 
> Now, all this about using a folder outside the root for private pictures was initially
suggested because other people said they actually place fils outside the root that they wanted
to be private and only be served by a page inside the server. Maybe this technique works only
for code files (.php etc). Or at least thats what everyone in this newsletter is telling me.
So then, my question was, how to deliver images (or other media files) that are supposed to
be only accessible to registered users from a folder inside my root, without having the risk
of people just linking to them directly. there is no way to prevent this obviously with any
kind of php script, or java or anything. This has to be done by something (and I assumed it
was apache) in the server. I was almost ready to start using .htaccess but then on the official
apache website: http://httpd.apache.org/docs/1.3/howto/htaccess.html they suggest not using
an .htaccess file because it slow down the
>  server plus it is insecure. 
> 
> My question to you guys now is different, what are the reccomended ways to have a secure
folder in my website that will only deliver its content to users when it is requested by a
script inside my serer? if it really has nothing to do with apache, then Im sorry, but I think
it is a combination of a server language like php and apache...maybe Im wrong, but I would
like any suggestions opinions you guys might have. 
> 
> Thanks again, and sorry for so many questions, I hope I can get the answers to my questions
or at least better ideas of where to look at. 
> Cheers !!
> 
> 
> ----- Original Message ----
> From: Boyle Owen <Owen.Boyle@swx.com>
> To: users@httpd.apache.org
> Sent: Wednesday, September 26, 2007 2:25:48 AM
> Subject: RE: [users@httpd] image folder outside the root....how to access it ?
> 
> > -----Original Message-----
> > From: Daniel Yaÿfffffffffff1ez [mailto:daniel_wachy84@yahoo.com] 
> > Sent: Wednesday, September 26, 2007 4:03 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] image folder outside the 
> > root....how to access it ?
> > 
> > Thanks for the Info Joshua I will read it and see what I can 
> > learn, although I have a couple things to point out. The 
> > solution Im looking for was not originally intended to stop 
> > hot linking, but simply, just as a way to have pictures in a 
> > private folders that could only be accessed by a specific 
> > user. Lets say someone uploads a picture to their private 
> > page, no body should be able to access that picture but the 
> > owner of that picture. without any kind of security anyone 
> > can type the picture folder + name and access it like this 
> > www.website.com/images/image1.jpg. 
> 
> It sounds like you are looking for "security" - ie, password-controlled access. Or, a
web application like coppermine (google for details...) 
> 
> > And so I started doing 
> > some research and I have found lots of places and articles 
> > that suggest that for my prloblem I should just use a folder 
> > outside of the root of my domain. 
> 
> This would only make sense in the context of a web application that is fetching the images
dynamically (ie, mapping the dynamic URLs to arbitrary file locations). If you have a link,
post it and I'll have a look...
> 
> > The way everyone talks 
> > about it seems like it should be a simple thing, like 
> > something that shouldnt be hard. Yet I cant do it. Just as a 
> > final note, I have been able to access files outside the 
> > root, files like .php by
> >  using include() to call those files. We where even able to 
> > open jpgs as binary and convert them back to jpgs with some 
> > php functions.
> 
> Yes - that's a PHP application that is handling the request and reading the files off
the disk. This bypasses apache so can't be emulated by apache config directives. 
> 
> > Yet we should need to do this for all the 
> > secure images in my website. I know there has to be other 
> > ways to achieve this. 
> 
> I think you are confusing server-sided web applications, like PHP, with apache. Apache
is just a web server; it gets files off disks and sends them down the wire. It can also pass
requests to other applications on the server (handlers, like PHP) and they can get data for
it, but they are not bound by or controlled  by the apache config.
> 
> You can't do what you want to do with apache alone.
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> 
> 
> > 
> > 
> > 
> > ----- Original Message ----
> > From: Joshua Slive <joshua@slive.ca>
> > To: users@httpd.apache.org
> > Sent: Tuesday, September 25, 2007 1:22:16 PM
> > Subject: Re: [users@httpd] image folder outside the 
> > root....how to access it ?
> > 
> > 
> > On 9/25/07, Daniel Yaÿfffffffffff1ez <daniel_wachy84@yahoo.com> wrote:
> > > Hello everyone, I have been trying to make this work but so 
> > far I havent been able to successfully load an image (or 
> > other media file) that is in a folder outside the root of my 
> > domain. I initially wanted to do this in order to be able to 
> > deliver this images from code running inside my serer, but to 
> > prevent people from linking directly to the image (or file) 
> > using the address bar (example: 
> > http://www.fakedomain.com/images/image1.jpg).
> > >
> > > I know it might be possible to achieve this using an 
> > .htaccess but I heard they are a little bit unsecure plus the 
> > slow down the server. (in the apache website they reccomend 
> > not using it).
> > >
> > > My problem is that whenever I try to link to an image 
> > outise the root it simply will not work. For example lets say 
> > my fictional root folder is this one: www/var/public_html/    
> > and lets just say the index of my website then is this:    
> > www/var/public_html/index.html   now lets just say I want to 
> > put my images in a folder located outside the root, like 
> > this:    www/images/image1.jpg etc. I should be able to link 
> > to the image like this from my index.html file: 
> > ../images/image1.jpg but it doesnt work. Ive tried several 
> > combinations but nothing seems to work.
> > >
> > > My question to you guys is if you know what apache setting 
> > needs to be turned on (or off) to enable this? or how should 
> > I link to images outside the root.
> > >
> > > Thanks in advanced and I hope anyone here can help me 
> > because I have looked in a lot of places with no success. 
> > Thanks again !!!
> > >
> > 
> > You've got a fundamental problem here: If the image file is not
> > accessible from the web, then it can't be embedded in an html page. In
> > order for the image to be displayed as part of the html page, the
> > browser makes a separate request for the image that, to the server,
> > looks identical to a request for the image alone (with the important
> > exception of the content of the Referer HTTP request header). Putting
> > the images outside the root is not, in itself, a problem. You can
> > simply use an Alias to map them into the webspace so they are
> > accessible from the web. But this will not help your direct linking
> > problem.
> > 
> > Here's my suggestion: 1. Check to see if you really have a direct
> > linking problem. Is this really causing you serious problems? Can you
> > fix it just by occasionally changing the name of your image file? 2.
> > If you decide you really need to prevent hotlinking/embedding of your
> > images in external pages, use one of the suggestions here:
> > http://wiki.apache.org/httpd/DisableImageHotLinking
> > Note that neither of these require the use of .htaccess.
> > 
> > Joshua.
> > 
> > 
> >        
> > ______________________________________________________________
> > ______________________
> > Moody friends. Drama queens. Your life? Nope! - their life, 
> > your story. Play Sims Stories at Yahoo! Games.
> > http://sims.yahoo.com/  
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>  
> 
> This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 
> 
> 
> 
>       ____________________________________________________________________________________
> Catch up on fall's hot new shows on Yahoo! TV. Watch previews, get listings, and more!
> http://tv.yahoo.com/collections/3658
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message