I have a Windows Apache webserver that has a mapped drive to my Linux imaging server. The Linux imaging server has a directory that stores pdf files that we access via a PHP script. In my httpd.conf file we have an alias set up that allows access to this directory using Require all granted. Well, the problem is we recently discovered that if a person knows the name of the document, they can just enter our domain.com/<directory>/nameofdocument.pdf in a web browser and get access to the pdf documents on our imaging server. Granted, they would have to know the exact name of the file, including what directory it's stored in, to bring up the pdf file. This is a security flaw that we would like to not allow. I don't want a person being able to enter our server address in the address bar and pull up a document that way. Our php script accesses the directory and the user is able to click on links to pull up the document.
In other words, I only want to be able to allow a person to view the pdf if they are logged into our agency system (which is a php written system) and they access via our imaging php script. Is this possible?
This is what my <Directory> directive looks like.
Alias /ourdocs/ "Z:/documents/"
<Directory "Z:/documents">
Options none
AllowOverride all
Require all granted
</Directory>
2 Answers
For blocking "externals" from accessing files or directories, you can use a modification of the directive you showed.
In this example, only "localhost" (the webserver itself), the machine with ip 172.16.0.10 and any machine in the subnet 192.168.1.0/24 can access directly this directory.
Put the documents folder outside the website, with no directory configuration in Apache for it. Then have a getDocument.php script, which, when passed a suitable document ID (e.g. maybe you have the stored docs listed in your database?), first checks that the user has a valid login session, and then, if so, outputs the file to the client-side using readFile() (and setting suitable headers of course so it comes up as a download). That way the only access to the files is via a script which validates your status first. Direct links would not work since there's no direct HTTP route to the file itself.
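One way to write the getDocument.php gate described in the answer above (an added example, not the answerer's code). It assumes the login code stores a user_id key in the session, that the Alias for Z:/documents has been removed from httpd.conf, and it uses a constructed ID-to-path array in place of the database lookup.

```php
<?php
// getDocument.php - added example, not code from the original answer.
declare(strict_types=1);
// Assumption: this folder is no longer exposed through an Alias or DocumentRoot.
const DOC_ROOT = 'Z:/documents';

// Constructed stand-in for a database lookup: document ID -> path relative to DOC_ROOT.
const DOCUMENTS = [
    101 => 'intake/sample-form.pdf',
    102 => 'reports/sample-report.pdf',
];

/** Resolve an ID to a real file inside $root, or null if unknown or outside it. */
function resolveDocument(int $id, string $root, array $index): ?string
{
    if (!isset($index[$id])) {
        return null;
    }
    $base = realpath($root);
    $path = realpath($root . '/' . $index[$id]);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the root.
    $base = rtrim($base, '/\\') . DIRECTORY_SEPARATOR;
    return strncmp($path, $base, strlen($base)) === 0 ? $path : null;
}

session_start();
// Assumption: the login code sets $_SESSION['user_id'] on successful sign-in.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}

// The client sends only an integer ID, never a file name or path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$file = is_int($id) ? resolveDocument($id, DOC_ROOT, DOCUMENTS) : null;
if ($file === null) {
    http_response_code(404);
    exit('Document not found.');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($file);
```

Because the request carries an ID rather than a file name, knowing a document's name no longer helps; if users should only see some documents, add a per-user authorization check next to the session check.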