block files from type_in

[michelewt]

Hello everybody, I am Mike, from Italy, this is the first time i post here.

I have a question about apache security.

What i am looking for is something to block type_in resources. If i have a download area, or user's personal images, pdf, tar.gz, pdf, css, js etc, i don't want surfers to be able to download resources by typing the specific resource path. In this way there is no referer to catch. If i use a cms to upload files maybe it respects a specific scheme an hacker can understand and try to download other resources.

If i have regular access to the resource

http://www.mysite.com/download/myfile_001.zip

and the resource

http://www.mysite.com/download/myfile_002.zip

is not hard to understand i can download the 003.zip 004.zip and so on.

Is there something to block this?
I have tried something, but the resources are not avaible also into the php scripts. so i cannot show images, i cannot give files to download, and so on.

What could be a technique to block resources to surfers but not to sites?

i know my english is really far to be perfect, i hope you can understand me.

Thanks

 

[elgrandeperro]

It would involve enabling mod_rewrite and then using .htaccess or a apache configuration rewrite rules.

Here is an tutorial:

http://www.alistapart.com/articles/hotlinking

 

[michelewt]

thanks for the answer but no, that's not the point.

When a surfer type the url directly in address bar, there is no external referrer header sent.

I can block hotlinks yet but i'd want to block resources in the private download area.

thanks anyway

 

[lgarner]

If you allow simple links like that, I don't think there's anything than you can do within Apache. You should have a download program, and ideally store the files out of the web root.

Then your url would be something like "

http://mysite.com/downloader?id=filename.zip".