
I have a Windows Apache Webserver that has a mapped drive to my Linux imaging server. The Linux imaging server has a directory that stores pdf files in a certain directory that we access via a PHP script. In my httpd.conf file we have an alias set up that allows access to this directory using Require all granted. Well, the problem is we recently discovered that if a person knows the name of the document, they can just enter our domain.com/<directory>/nameofdocument.pdf in a web browser and get access to the pdf documents on our imaging server. Granted, they would have to know the exact name of the file, including what directory it’s stored in, to bring up the pdf file. This is a security flaw that we would like to not allow. I don’t want a person being able to enter our server address in the address bar and pull up a document that way. Our php script accesses the directory and the user is able to click on links to pull up the document.

In other words, I only want to be able to allow a person to view the pdf if they are logged into our agency system (which is a php written system) and they access via our imaging php script. Is this possible?

This is what my <directory> directive looks like.

Alias /ourdocs/ "Z:/documents/"
<Directory "Z:/documents">
    Options none
    AllowOverride all
    Require all granted
</Directory>

2 Answers


  1. For blocking "externals" from accessing files or directories, you can use a modification of the directive you showed:

    <Directory "Z:/documents">
      # Apache 2.4: several Require lines at the same level are implicitly
      # combined with RequireAny, so a request passes if ANY of them matches.
      Require local                  # the web server itself (127.0.0.1 / ::1)
      Require ip 172.16.0.10         # one specific machine
      Require ip 192.168.1.0/24      # a whole subnet
      Require all denied             # redundant inside RequireAny: everything
                                     # not matched above is already refused
    </Directory>


    In this example, only "localhost" (the webserver itself), the machine with ip 172.16.0.10 and any machine in the subnet 192.168.1.0/24 can access directly this directory.

  2. Put the documents folder outside the website, with no directory configuration in Apache for it. Then have a getDocument.php script which, when passed a suitable document ID (e.g. maybe you have the stored docs listed in your database?), first checks that the user has a valid login session and then, if so, outputs the file to the client side using readFile() (and setting suitable headers of course so it comes up as a download).

    That way the only access to the files is via a script which validates your status first. Direct links would not work since there’s no direct HTTP route to the file itself.

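A working sketch of the gateway script this answer describes, added here as an example rather than the poster's or answerer's own code; the storage path, the $_SESSION['user_id'] key and the catalog entries are assumptions, and the database lookup is a placeholder.

```php
<?php
// getDocument.php, an added example of the "serve through a script" approach
// (not the poster's or answerer's code). Assumes the PDFs sit in a directory
// Apache does NOT expose, that the agency login sets $_SESSION['user_id'],
// and that documents are requested by an opaque integer ID, never a filename.
declare(strict_types=1);
session_start();
const DOC_ROOT = 'Z:/documents';   // hypothetical path, outside DocumentRoot
// Placeholder for the real database lookup: document ID -> stored relative path.
function lookupDocumentPath(int $id): ?string
{
    $catalog = [101 => 'claims/2023/claim-4711.pdf',     // constructed data
                102 => 'policies/policy-0815.pdf'];
    return $catalog[$id] ?? null;
}

// Canonicalise and confirm the file really lives under DOC_ROOT, so even a
// corrupted catalog entry containing ".." cannot escape the root.
function resolveDocument(string $relative): ?string
{
    $root = realpath(DOC_ROOT);
    $full = realpath(DOC_ROOT . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $full === false
        || strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}
// 1. Only logged-in users may fetch anything.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Validate the ID; add a per-user authorisation check here if needed.
$id   = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$path = ($id === null || $id === false) ? null : lookupDocumentPath($id);
$file = ($path === null) ? null : resolveDocument($path);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
// 3. Stream the PDF with explicit headers and no shared caching.
header('Content-Type: application/pdf');
header('Content-Length: ' . (string) filesize($file));
header('Content-Disposition: inline; filename="' . basename($file) . '"');
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($file);
```

The Alias and <Directory> block from the question must also be removed for this to help: any remaining direct route to the folder, including one an IP allowlist permits, lets a user who knows the filename bypass the script entirely.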