How to block direct access to files in a folder via .htaccess, but allow if there is ?key=secret?

L

Leonid2018-08-27 14:21:04

Apache HTTP Server

Leonid, 2018-08-27 14:21:04

It is necessary to prohibit direct URL access to files from the orders folder on the server, while allowing access by a URL that contains a specific GET variable key with the value: secret .
For example, we have the orders folder and the 1.* file in it - the extension can be anything, for example 1.jpg
It is necessary that the appeal through /orders/1.jpg - would give an access error or redirect to 404
And vice versa, the appeal of the form: /orders/1.jpg?key=secret would be successful!
Is it possible to implement this using settings in .htaccess ?
ps:and ideally, if it were still possible to somehow generate secret - so that everywhere there would be not just the same ?key=secret , but some kind of thread ?key=ХХХХХХХ , where XXXXXXXX is some kind of cache from the name of the file that is being accessed.

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

A

Ariurn, 2018-08-27
@Ariurn

Take from here .
As for different passwords for different files, this cannot be done through .htaccess. But when it comes to software processing, you can create a password by taking the hash of the file (and not its name, this is not the best idea). But I would still use salt if I were you.

V

Viktor Taran, 2018-08-27
@shambler81

RewriteCond %{QUERY_STRING} !(^|&)key\=secret($|&)
RewriteRule ^orders/1\..+$ http://test.ru/404.php [L,R=301]

If there is no GET parameter key=secret
Then send somewhere, for example 404.php

D

dodo512, 2018-08-28
@dodo512

Since Apache 2.4 MD5 and SHA1 can be used https://httpd.apache.org/docs/2.4/expr.html#functions

RewriteCond expr "! (%{QUERY_STRING} =~ /(?:^|&)key=([^&]+)/ && md5(%{REQUEST_URI}) == $1)"
RewriteRule ^orders/1\. - [F]

For /orders/1.jpgMD5 hash58fa4178ea5e540a0e02f726a807dc8f