On 1/18/08, Myles Wakeham <myles@xxxxxxxxxxx> wrote:
> I have a web application running on Linux in Apache 2, php5. The
> application manages a media database that is accessed by subscription. The
> content is served off separate Apache servers – some are located in
> different geographic regions. All users access the content by common URL,
> such as http://example.com/123/file.avi
>
> I use .htaccess with mod_rewrite to modify the incoming URL to a PHP script
> such as
> http://example.com/getfile.php?user=123&file=file.avi
>
> The PHP script is called, logs the request, checks the
> user's subscription rights, and if ok redirects them to the actual file to
> obtain by way of a Header() command (ie. Modifies the HTTP header to do a
> Location: …. To where the file actually resides).
>
> Although this works perfectly, the problem is that the user's browser will
> change to reflect the endpoint URL where the file actually resides. Users
> then simply have been cutting & pasting this URL into their own websites and
> providing unaudited access to the raw file directly and bypassing our
> script.
>
> I need to find a way to do this without displaying the endpoint URL to the
> user in anyway. But it has to be able to be done through a PHP script.
> Clearly Header() in PHP isn't cutting it. I also have to use Apache at each
> endpoint web server location.
>
> I'm wondering if anyone has a suggestion on how best to do this? Can I
> install something in .htaccess on the endpoint server end to reject incoming
> requests that are not via authenticated redirects? Can I use the
> HTTP_REFERRER in some way to ensure that what has come to this server came
> by way of a legitimate referral?
>
> All ideas are greatly appreciated.
>
> Thanks
> Myles
You have two issues.
1. How to redirect so browsers do not learn the address of the media servers.
2. How to block direct access to the media servers.
The first issue is the URLs are redirecting to the media server. You
do not want redirection; you want proxy. The media should come from
the main server during the request that activated the PHP script. The
second issue can be solved with firewalls.
This ML would be good for explaining how Apache httpd security could
work with your authorization system. By your specification, this is a
PHP issue and does not belong on the httpd ML as you prohibited
non-PHP solutions. This code should send the file as the response to
the current request:
HttpResponse::setFile("http://media.example.com/file.mpg";);
solprovider
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|