Restrict access to certain files but not when linked from my own website
Problem:
I have a problem with setting up my server so that my files can't be accessed by people linking directly to the files, but can be when they click a link on my website to open the file.
I tried this:
# Referer present but not from this site (NC = case-insensitive match)
RewriteCond %{HTTP_REFERER} !^http://19.24.3.13/~child/ [NC]
RewriteCond %{HTTP_REFERER} !^http://19.24.3.13/~child/.*$ [NC]
# Send matching document requests back to the site root instead
RewriteRule \.(pdf|doc|docx)$ /~child/ [L]
Problem is, when I want to open these files via my website, I get an error, because the link to the file is a direct link, something I wanted to prevent.
So to counter this, I need to let through the referrals from my own website. I tried this:
# Flag requests whose Referer is this site, or is absent, as legitimate
SetEnvIf Referer "^http://19.24.3.13/~child/.*$" legit_referal
SetEnvIf Referer "^$" legit_referal
# Deny the documents to everyone unless the flag is set
<LocationMatch "\.(pdf|doc|docx)$">
Order Deny,Allow
Deny from all
Allow from env=legit_referal
</LocationMatch>
But with no success. I get a server 500 error if I try to access it.
As you can see I use IP addresses, because I have no domain name, only the IP.
Can someone point me in the right direction?
Problem is, when I want to open these files via my website, I get an error, because the link to the file is a direct link
An ordinary link on your website is not a direct link. If the browser is sending any referer at all, then when a user clicks a link on your website the referer is "your website". If you are not getting a referer header in this instance then "something else" is going on.
However, you probably do need to allow an empty referer for when users' browsers don't send the HTTP Referer header (for whatever reason). For example, when users type the URL directly in their browser (this is a direct link), or simply hit the reload button - presumably you do want to allow this? If you don't allow this then it is possible that some legitimate users might have problems accessing your files.
Your first example looks pretty much OK, except that http://19.24.3.13/~child/ looks a bit weird (this looks like the temporary URL that some shared hosts supply before the domain resolves?). However, the following should work:
# Skip the block entirely when no Referer is sent (typed URLs, reloads)
RewriteCond %{HTTP_REFERER} !^$
# Referer present but not this host; the host is a literal, variables do not expand in the pattern
RewriteCond %{HTTP_REFERER} !^http://19.24.3.13
RewriteRule \.(pdf|docx?)$ - [F]
The above will return a 403 Forbidden for PDF, DOC and DOCX URLs when the HTTP referer is not empty AND not the current host. Note that this allows direct requests (when the HTTP Referer is empty). If you wish to prevent direct requests then omit the first RewriteCond directive.
Your second code block results in a 500 Internal Server Error because LocationMatch is not permitted in .htaccess files. You need the Files directive.
UPDATE: I'd previously included %{HTTP_HOST} in the CondPattern (2nd argument to the RewriteCond directive) - that was a stupid mistake! Server variables are not evaluated in the CondPattern (a regex) so it would have matched the literal string "%{HTTP_HOST}"! Which would never happen, so the condition (a negative match) would always have succeeded and the request would always have been blocked!
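As an added example (not code from the question or the answer above), here is a complete .htaccess that puts the answer's corrected mod_rewrite rules next to the SetEnvIf/FilesMatch form that the question's second attempt was reaching for, since <LocationMatch> is not permitted in .htaccess but <FilesMatch> is. It assumes the site is still served from http://19.24.3.13/ as in the question and uses an environment variable name (legit_referer) chosen here; both are assumptions to replace with your own values.

```apache
# Added example for this page, not the asker's or answerer's own file.
# Assumed host: 19.24.3.13 (from the question). Either approach below is
# enough on its own; they are shown together for comparison.

# --- Approach 1: mod_rewrite (the answer's corrected rules) ---
RewriteEngine On

# Let requests with no Referer through (typed URLs, reloads, browsers or
# proxies that strip the header). Remove this line to block them too.
RewriteCond %{HTTP_REFERER} !^$
# Referer is present but is not our own host. Server variables expand only in
# the test string (first argument), never in the pattern, so the host must be
# written as a literal here. NC makes the match case-insensitive.
RewriteCond %{HTTP_REFERER} !^http://19\.24\.3\.13/ [NC]
# Both conditions true: answer 403 Forbidden. "-" means no substitution.
RewriteRule \.(pdf|docx?)$ - [F,NC]

# --- Approach 2: SetEnvIf + <FilesMatch> (what the question's second block
# was trying to do; <LocationMatch> is not allowed in .htaccess and yields 500) ---
# Flag requests whose Referer is our own host, or which carry no Referer at all.
SetEnvIf Referer "^http://19\.24\.3\.13/" legit_referer
SetEnvIf Referer "^$" legit_referer
<FilesMatch "\.(pdf|docx?)$">
    # Apache 2.2 syntax (still accepted in 2.4 via mod_access_compat)
    Order Deny,Allow
    Deny from all
    Allow from env=legit_referer
    # Apache 2.4 equivalent (mod_authz_core): replace the three lines above with
    # Require env legit_referer
</FilesMatch>
```

Both approaches only compare the host part of the Referer, as the answer does, so links from anywhere on 19.24.3.13 are allowed, not just from /~child/. Keep in mind that the Referer header is set by the client and can be omitted or forged with a single `curl -H "Referer: http://19.24.3.13/"` flag, so this stops casual hotlinking, not a determined downloader; anything that genuinely must stay private needs authentication rather than a referer check.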