Protecting directories with Htaccess


#1

I want to store some of my files on a subdomain and then call them in when needed. I want to deny access to all but sites I am running.

I figured out how to stop hotlinking (see the commented code below) but that doesn’t prevent a user downloading it directly so I wanted to try the allow rule (hence the commenting). Some of the files will be for sale so it is important that they can’t just download them by pasting the link into a browser…

I can’t seem to get it to work. The IP is the IP of my Dreamhost PS that has the sites that want to access the files. I tried domain names but they didn’t work either. I also tried SetEnvIf variables without much luck. Help would be appreciated.

[code]### Allow only listed Referers ###

order deny,allow
deny from all
allow from 69.163.255.206

### Prevent Hotlinking - add domains as required ###

#RewriteEngine on
#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?resources\.avocahousedesign\.co\.nz($|/) [NC]
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?avocahousedesign\.co\.nz($|/) [NC]
#RewriteCond %{HTTP_REFERER} !^https?://(demo\.)?avocahousedesign\.co\.nz($|/) [NC]
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?flutefocus\.com($|/) [NC]
#RewriteRule \.(gif|jpg|jpeg|png|mp3|mpg|avi|mov|mp4|flv)$ - [F,NC][/code]


#2

“Allow from” restricts access based on the IP address of the web browser, not based on the site that you clicked a link from. So all that’s doing is preventing anyone from viewing these files at all unless they’re using a web browser running on your PS!

You can try removing the first RewriteCond (for !^$) to require links to be referred from one of your sites; however, this isn’t really much more secure (and it’ll prevent access by some users). If you’re selling these files, you may want to investigate our Files Forever service (http://files.dreamhost.com/) instead, which will handle secure downloads for you as well as billing.
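
An added example (not part of the original posts, and not Apache's own code): a small Python model of how the two rule sets from post #1 decide a request, including the stricter variant from post #2 with the `!^$` condition removed. The sample requests and their labels are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Values copied from post #1 (dots escaped). This models the rules; it is not Apache.
ALLOWED_IP = ipaddress.ip_address("69.163.255.206")
REFERER_PATTERNS = [re.compile(p, re.I) for p in (
    r"^https?://(www\.)?resources\.avocahousedesign\.co\.nz($|/)",
    r"^https?://(www\.)?avocahousedesign\.co\.nz($|/)",
    r"^https?://(demo\.)?avocahousedesign\.co\.nz($|/)",
    r"^https?://(www\.)?flutefocus\.com($|/)",
)]
MEDIA = re.compile(r"\.(gif|jpg|jpeg|png|mp3|mpg|avi|mov|mp4|flv)$", re.I)


def allow_from(client_ip):
    """order deny,allow + deny from all + allow from <ip>: only the
    address the request comes from is compared, never the Referer."""
    return ipaddress.ip_address(client_ip) == ALLOWED_IP


def hotlink_rules(path, referer, allow_empty=True):
    """RewriteCond lines are ANDed; [F] fires only if all of them hold.
    allow_empty=False models deleting the `!^$` condition (post #2)."""
    if not MEDIA.search(path):
        return True   # RewriteRule pattern does not match: request untouched
    if allow_empty and referer == "":
        return True   # `!^$` is false, so the forbid rule is skipped
    # Every remaining condition is "Referer does NOT match one of my sites".
    return any(p.search(referer) for p in REFERER_PATTERNS)


# Constructed sample requests: (label, client IP, Referer header, path)
REQUESTS = [
    ("visitor on own site", "203.0.113.10", "https://www.flutefocus.com/shop", "/clip.mp4"),
    ("URL pasted in browser", "203.0.113.10", "", "/clip.mp4"),
    ("embedded on other site", "198.51.100.7", "https://example.org/page", "/clip.mp4"),
    ("script on the PS itself", "69.163.255.206", "", "/clip.mp4"),
]


def evaluate():
    """Map label -> (allow_from, hotlink rules as posted, strict variant)."""
    return {label: (allow_from(ip), hotlink_rules(path, ref),
                    hotlink_rules(path, ref, allow_empty=False))
            for label, ip, ref, path in REQUESTS}


if __name__ == "__main__":
    for label, (ip_ok, posted, strict) in evaluate().items():
        print(f"{label:24} allow_from={ip_ok!s:5} posted={posted!s:5} strict={strict}")
```

A visitor whose browser or proxy omits the Referer header looks identical to the pasted-URL row, which is why the strict variant also turns away some legitimate users.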


#3

Thanks for the response - that clears up why that approach wasn’t working. :)

It’s video that I want to stream and link behind a paywall. I was investigating putting that video on another domain to help with page load speed so was looking for a way to secure it. I can do it (secured) from S3 hosting and may yet do that but was looking to avoid extra hosting costs.

Any suggestions appreciated.