  1. #1
    Join Date
    May 2009
    Posts
    119

    Best Way to Protect Files?

    How do I protect files on the server?

    For example,

    http://webserver.com/secretfolder/fileabc.zip
    - Inaccessible; it returns 404 (doable with .htaccess)

    however, people can access it like so, temporarily (with a time-expiring key):
    http://webserver.com/ksdkjl345656wkl...dkdkegghghhkls
    It will just flush ./secretfolder/fileabc.zip to the browser, without changing the browser URL.

    I don't want to know about fopen/readfile; those PHP methods require PHP to access the files, read them line by line and flush them out. I want it to POINT to the file, allow resumable downloads, etc.

    Any idea? The server is Linux using Apache, PHP etc., the usual.

  2. #2
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    Apache:
    http://code.google.com/p/mod-auth-token/

    Also nginx (will perform better than Apache at serving static files):
    http://wiki.nginx.org/HttpSecureLinkModule

  3. #3
    Join Date
    May 2009
    Posts
    119
    Apache still has to be in that secret folder, which makes it highly inconvenient:

    /downloads/dee0ed6174a894113d5e8f6c98f0e92b/43eaf9c5/file_to_protect.txt
    Files must be inside
    /downloads/*


    I read about nginx; it still shows the path
    http://example.com/p/files/top_secret.pdf
    even though it doesn't let people download it; that way people already know where it is located on the server and can brute-force it. o.O
    ----------------------------------------------------------------------


    Here is something that I want; it works in PHP without installing anything, however it creates unnecessary usage of extra space.
    The idea is masking the folder entirely (no display whatsoever unless someone has hacked the server):
    $secretfiles  = "specialfolder/files.pdf";
    $downloadpath = "download/".$randomstring."/files.pdf"; // $randomstring: hard-to-guess directory name, generated earlier

    // clear caches: remove copies older than one hour
    // (runs before the return below, otherwise this code is never reached)
    foreach (glob("download/*/*") as $entry) {
        // one hour limit
        if (time() - filemtime($entry) > 3600) {
            unlink($entry);
            rmdir(dirname($entry)); // drop the now-empty random directory
        }
    }

    mkdir("download/".$randomstring, 0755);
    copy($secretfiles, $downloadpath);
    return $downloadpath;

  4. #4
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    Quote Originally Posted by Xantar View Post
    I read about nginx; it still shows the path
    http://example.com/p/files/top_secret.pdf
    even though it doesn't let people download it; that way people already know where it is located on the server and can brute-force it. o.O
    You can use a very strong alphanumeric+special secret word which will prevent bruteforcing, and I highly doubt that would ever become a serious problem. If it does, you can probably utilize another module to prevent it, or something on the OS level.

  5. #5
    Join Date
    Aug 2011
    Location
    Denmark
    Posts
    108
    Quote Originally Posted by Xantar View Post
    How do I protect files on the server?

    For example,

    http://webserver.com/secretfolder/fileabc.zip
    - Inaccessible; it returns 404 (doable with .htaccess)

    however, people can access it like so, temporarily (with a time-expiring key):
    http://webserver.com/ksdkjl345656wkl...dkdkegghghhkls
    It will just flush ./secretfolder/fileabc.zip to the browser, without changing the browser URL.

    I don't want to know about fopen/readfile; those PHP methods require PHP to access the files, read them line by line and flush them out. I want it to POINT to the file, allow resumable downloads, etc.

    Any idea? The server is Linux using Apache, PHP etc., the usual.

    The best way is to put the files in a folder which is not accessible directly from the net.

    E.g. in cPanel, this folder could be:
    /home/<username>/downloads

    This folder is not accessible directly from the net and would require a script to get the files for the user.


    This is just a quick download script I made, based on the script I currently use on my own website.
    You would need to edit the code just a bit, like adding the MySQL connection information and the 2 other places I noted in the code.

    PHP Code:
    <?php
    /****************************
        Database Information
    ****************************/
    $host = 'localhost';  // database host
    $port = '3306';       // MySQL port. Leave it at 3306 if you are not sure.
    $user = '';           // database username
    $pass = '';           // database password
    $db   = 'database';   // name of the database
    $char = 'utf8';       // the character set you wish to use. Leave it at utf8 if you are not sure.
    /****************************
      Database Connection Code
    ****************************/
    $conn = mysql_connect($host.':'.$port, $user, $pass);
    if(!$conn){
        die('Failed to connect to the database. Error: '.mysql_error());
    }else{
        mysql_select_db($db);
        mysql_set_charset($char);
    }

    //Get referer
    if(isset($_SERVER['HTTP_REFERER'])){
        $referer = $_SERVER['HTTP_REFERER'];
        //Validate user by checking if the user has correct session set and referring page
        if(strpos($referer, 'your-website.com')){ //<------- EDIT "your-website.com" HERE
            $id = mysql_real_escape_string(intval($_GET['id']));
            $get_project = mysql_query("SELECT file_name FROM downloads WHERE id='".(int)$id."'") or die();
            if(mysql_num_rows($get_project) > 0){
                //get the project information
                $download = mysql_fetch_assoc($get_project);
                $file = '/home/<username>/downloads/'.$download['file_name']; //<------- EDIT "<username>" HERE

                header("Content-type: application/octet-stream");
                header("Content-Transfer-Encoding: Binary");
                header("Content-length: ".filesize($file));
                header("Content-disposition: attachment; filename=\"".basename($file)."\"");
                readfile($file);
            }
        }
    }else{
        echo 'naughty boy! Access Denied!';
    }
    //Close the MySQL database connections
    mysql_close($conn);
    ?>
    Here is the SQL dump for the script:
    Code:
    CREATE TABLE IF NOT EXISTS `downloads` (
      `id` int(10) NOT NULL AUTO_INCREMENT,
      `file_name` text NOT NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
    Please note, I did not test this code, but it should work.
    Otherwise let me know if it throws any errors.
    Last edited by MrEliasen; 02-29-2012 at 08:00 PM.
    "Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." - Albert Einstein

  6. #6
    Join Date
    Aug 2011
    Location
    Denmark
    Posts
    108
    I think i'll add that download script as a file on my website... just so more people can benefit.

    Anyway hope it helps!

  7. #7
    Join Date
    May 2009
    Posts
    119
    While that is useful, it's not what I wanted.

    And I already said no readfile/fopen fetching cached files. I just need to point to the file location without actually redirecting (301/302) the user to the file over HTTP.
    readfile and fopen require PHP to scan through the files, which means the server is "reading" the files, thus causing unnecessary CPU consumption.

    The files must be accessible via cURL/fopen from other websites.

    It will be a repository of download files, and it will only run Apache/PHP, no MySQL or anything else. It is simply a file repository for my main webserver to access via PHP pages.

    And when moving servers, it simply clones the entire file location and paths, not a MySQL database.

    This way I can upload via FTP and run a single PHP script to create a proper file index.txt on the server somewhere - no MySQL required.

  8. #8
    Join Date
    Aug 2011
    Location
    Denmark
    Posts
    108
    Ahh right, I misunderstood your initial post then.

  9. #9
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    Quote Originally Posted by MrEliasen View Post
    I think i'll add that download script as a file on my website... just so more people can benefit.

    Anyway hope it helps!
    The OP didn't want a php solution, but a couple of suggestions on your script -

    You shouldn't rely on the referrer header, as some browsers don't send it or it can be turned off. If the referrer is set AND it doesn't contain the domain name, you should deny the download, in all other cases it should be allowed.

    You should use type comparison with strpos - http://php.net/strpos

    It would be more user friendly to run $_GET['id'] through ctype_digit and error on invalid id, instead of nothing printing, this would also mean you can get rid of mysql_real_escape_string, intval and int cast.

    Also take a look at http://php.net/readfile, it has all the headers that are needed to be fully cross browser, and also the flush and ob_flush functions.

  10. #10
    Join Date
    Aug 2011
    Location
    Denmark
    Posts
    108
    Quote Originally Posted by sam250 View Post
    The OP didn't want a php solution, but a couple of suggestions on your script -

    You shouldn't rely on the referrer header, as some browsers don't send it or it can be turned off. If the referrer is set AND it doesn't contain the domain name, you should deny the download, in all other cases it should be allowed.

    You should use type comparison with strpos - http://php.net/strpos

    It would be more user friendly to run $_GET['id'] through ctype_digit and error on invalid id, instead of nothing printing, this would also mean you can get rid of mysql_real_escape_string, intval and int cast.

    Also take a look at http://php.net/readfile, it has all the headers that are needed to be fully cross browser, and also the flush and ob_flush functions.
    Nice changes! Just made this off the top of my head, though I still have much to learn about PHP - just dropping my 2 cents.

  11. #11
    Join Date
    May 2009
    Posts
    119
    Quote Originally Posted by sam250 View Post
    The OP didn't want a php solution, but a couple of suggestions on your script -

    You shouldn't rely on the referrer header, as some browsers don't send it or it can be turned off. If the referrer is set AND it doesn't contain the domain name, you should deny the download, in all other cases it should be allowed.

    You should use type comparison with strpos - http://php.net/strpos

    It would be more user friendly to run $_GET['id'] through ctype_digit and error on invalid id, instead of nothing printing, this would also mean you can get rid of mysql_real_escape_string, intval and int cast.

    Also take a look at http://php.net/readfile, it has all the headers that are needed to be fully cross browser, and also the flush and ob_flush functions.
    Yeah, I just noticed his script has a few major flaws; for example, flush and ob_flush are missing, so some servers hold the file in the buffer, which will overflow if the file size is bigger than the allocated RAM.

    Furthermore, this means that only one file can be downloaded by one person at a time; any more will cause the RAM to be exceeded and the server will crash.

    readfile/fopen/echo fgets/fread should only deal with small files; I'm talking about huge files like 100 MB+, and a lot of them.
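
The two posts above (the review suggestions in #9 and the buffering concern in #11) together describe how the id-based download script should be hardened. The following is an added example, not MrEliasen's script or anything from the thread: it applies the suggested changes (ctype_digit on the id, host comparison instead of a bare strpos on the referrer, "absent referrer is allowed, wrong referrer is denied", chunked output with flush so no output buffer accumulates the file). It assumes PHP 7.1 or later, PDO in place of the old mysql_* functions, the `downloads` table from post #5, and the placeholder paths and host shown in the comments.

```php
<?php
// Added example: hardened version of the id-based download handler discussed
// in this thread. Assumptions: PDO/MySQL (mysql_* is gone in PHP 7), files
// live in $downloadDir outside the web root, placeholders marked EDIT.

$downloadDir = '/home/<username>/downloads';   // EDIT: directory outside the web root
$siteHost    = 'your-website.com';             // EDIT: your own domain

// Referrer policy from post #9: no referrer -> allow; referrer from another
// host -> deny. Compares the parsed host rather than searching a substring,
// since strpos() would also accept "your-website.com.attacker.example".
function referer_allowed(?string $referer, string $host): bool
{
    if ($referer === null || $referer === '') {
        return true;
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost)) {
        return false;
    }
    $refHost = strtolower($refHost);
    $host    = strtolower($host);
    return $refHost === $host || substr($refHost, -strlen('.' . $host)) === '.' . $host;
}

// Prepared statement: the id is bound, not concatenated into the query.
function lookup_file_name(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT file_name FROM downloads WHERE id = ?');
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Resolve the stored name under the download root and refuse anything that
// resolves outside it (a file_name containing "../" would otherwise escape).
function resolve_download(string $dir, string $name): ?string
{
    $root = realpath($dir);
    $file = realpath($dir . '/' . $name);
    if ($root === false || $file === false || !is_file($file)) {
        return null;
    }
    if (strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Stream in fixed-size chunks and flush after each one, so memory use stays
// flat regardless of file size and concurrent downloads.
function send_file(string $file): void
{
    while (ob_get_level() > 0) {           // drop any output buffers first
        ob_end_clean();
    }
    header('Content-Type: application/octet-stream');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    $fh = fopen($file, 'rb');
    if ($fh === false) {
        http_response_code(500);
        return;
    }
    while (!feof($fh)) {
        echo fread($fh, 65536);
        flush();
    }
    fclose($fh);
}

if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, $siteHost)) {
    http_response_code(403);
    exit('Access denied');
}
$id = $_GET['id'] ?? '';
if (!ctype_digit($id)) {                    // post #9: validate, then no escaping needed
    http_response_code(400);
    exit('Invalid id');
}
$db = new PDO('mysql:host=localhost;port=3306;dbname=database;charset=utf8', '', '',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);   // EDIT: credentials
$name = lookup_file_name($db, (int) $id);
$file = $name === null ? null : resolve_download($downloadDir, $name);
if ($file === null) {
    http_response_code(404);
    exit('No such download');
}
send_file($file);
```

Note that this still reads the file through PHP, which is exactly what the thread starter wants to avoid; it fixes the script's own flaws, not the architectural question. The 64 KiB chunk size is arbitrary; the point is that at most one chunk is in memory per request.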

  12. #12
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    Quote Originally Posted by MrEliasen View Post
    Nice changes! Just made this off the top of my head, thought I still have much to learn about PHP - just dropping my 2 cents.
    Not wishing to derail the thread but, very nice for something coded very quickly. I found php.net manual the best resource when learning about the different use of functions, situations they can be used in, etc. If you keep coding scripts and snippets concerning areas you're interested in then PHP comes quite easy and fast. If you need any help with any PHP drop me a msg.

    Just trying to help out

  13. #13
    Join Date
    Aug 2011
    Location
    Denmark
    Posts
    108
    Quote Originally Posted by Xantar View Post
    Yeah, I just noticed his script has a few major flaws; for example, flush and ob_flush are missing, so some servers hold the file in the buffer, which will overflow if the file size is bigger than the allocated RAM.

    Furthermore, this means that only one file can be downloaded by one person at a time; any more will cause the RAM to be exceeded and the server will crash.

    readfile/fopen/echo fgets/fread should only deal with small files; I'm talking about huge files like 100 MB+, and a lot of them.
    I didn't know about this; I appreciate the feedback though!

  14. #14
    Join Date
    Aug 2011
    Location
    Denmark
    Posts
    108
    Quote Originally Posted by sam250 View Post
    Not wishing to derail the thread but, very nice for something coded very quickly. I found php.net manual the best resource when learning about the different use of functions, situations they can be used in, etc. If you keep coding scripts and snippets concerning areas you're interested in then PHP comes quite easy and fast. If you need any help with any PHP drop me a msg.

    Just trying to help out
    Cheers, appreciated!
    Also, I have reported my post with the new info in mind, just to be sure no one gets into trouble with their hosts hehe.

  15. #15
    Join Date
    May 2009
    Posts
    119
    Anyway, derailed it a bit.. But as previously pointed out, I'm not looking for a PHP solution; I think Apache should be able to do it, since I see a lot of one-click file sharing sites do this: the files are not necessarily located at the download HTTP link.

  16. #16
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    Quote Originally Posted by Xantar View Post
    Anyway, derailed it a bit.. But as previously pointed out, I'm not looking for a PHP solution; I think Apache should be able to do it, since I see a lot of one-click file sharing sites do this: the files are not necessarily located at the download HTTP link.
    The vast majority of file sharing sites use one of the modules I mentioned earlier, or a custom module or server side language.

    If the only reason you don't want to use the modules I listed earlier is brute forcing, then you can use a 50-digit alphanumeric key that would never get brute-forced. You can also edit the code and add an extra hash (what our company did), which means that people will have no idea how the hash is made up, or even what algorithm it is, so they can't brute force it.

  17. #17
    Join Date
    May 2009
    Posts
    119
    Can it access a different "folder" with that script?

    SERVER/secretfile/

    Accessible via
    SERVER/download/<identificationkey>/filename.extension

    ?

    Because I read your previous script, and it only works if
    SERVER/secretfile/ is SERVER/download/secretfile/

  18. #18
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    I only have experience using this nginx module (and I customized it a bit):
    http://wiki.nginx.org/HttpSecureDownload

    Which was discontinued when nginx came out with their official module, which I listed in my previous post and appears to do the same thing as the above 3rd-party module.

    We have it configured like so:
    Code:
    secure_download                 on;
    secure_download_secret          SECRETKEY$remote_addr;
    secure_download_path_mode       file;
    secure_download_fail_location   /fail.html;

    root /home/files;
    So, when we generate the link in php it looks like this:

    site.tld/folder/filename/authhash/hextime

    We then redirect the user to that link. When the user arrives on the fileserver with the above link, if the URL and auth hash check out, they are served:

    /home/files/folder/filename

    When someone goes to site.tld/folder/filename they are shown /fail.html. So the only way to access the file would be to, as you said, brute-force the authhash. We use a very long secret key plus a customized hash method, so it's extremely unlikely that it'll ever be brute-forced.

    We offer many large files too, and found this to be the best option, and found nginx by far the best httpd to use in terms of performance.
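
The link shape described above, site.tld/folder/filename/authhash/hextime, with the secret bound to the client address as in the `secure_download_secret SECRETKEY$remote_addr` line, can be modelled end to end in PHP. The following is an added example, not sam250's code and not the nginx module's actual algorithm: the hash construction (an HMAC over the path and expiry, keyed with the secret plus the client IP) is an assumption chosen for illustration, and the server-side check is written as a PHP function so both halves can be read together. It assumes PHP 7.1 or later and the placeholder secret shown.

```php
<?php
// Added example: signed, expiring download links of the form
//   site.tld/folder/filename/authhash/hextime
// Hash formula is an assumption for illustration, not the nginx module's.

const LINK_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'; // placeholder; never ship this value

// Key = secret + client IP, mirroring "SECRETKEY$remote_addr": a link minted
// for one client does not validate from another address.
function auth_hash(string $path, string $hextime, string $clientIp): string
{
    return hash_hmac('md5', $path . '/' . $hextime, LINK_SECRET . $clientIp);
}

// Build base/folder/filename/authhash/hextime; $ttl is the lifetime in seconds.
function make_secure_link(string $base, string $path, string $clientIp, int $ttl, ?int $now = null): string
{
    $now     = $now ?? time();
    $path    = '/' . ltrim($path, '/');
    $hextime = dechex($now + $ttl);                // expiry as hex epoch seconds
    return rtrim($base, '/') . $path . '/' . auth_hash($path, $hextime, $clientIp) . '/' . $hextime;
}

// Server-side check of a requested URI path. Returns the file path to serve
// (relative to the files root) or null when the link is malformed, expired,
// minted for another client, or carries a wrong hash.
function check_secure_link(string $uri, string $clientIp, ?int $now = null): ?string
{
    $now   = $now ?? time();
    $parts = explode('/', trim($uri, '/'));
    if (count($parts) < 3) {
        return null;                                // need filename/authhash/hextime at least
    }
    $hextime = array_pop($parts);
    $hash    = array_pop($parts);
    $path    = '/' . implode('/', $parts);
    if (!ctype_xdigit($hextime) || strlen($hash) !== 32 || !ctype_xdigit($hash)) {
        return null;
    }
    if (in_array('..', $parts, true) || in_array('', $parts, true)) {
        return null;                                // no traversal out of the files root
    }
    if ($now > hexdec($hextime)) {
        return null;                                // expired
    }
    // Constant-time comparison so response timing does not leak hash bytes.
    if (!hash_equals(auth_hash($path, $hextime, $clientIp), $hash)) {
        return null;
    }
    return $path;
}

// Constructed demonstration values (fixed clock so the output is repeatable).
$ip    = '203.0.113.7';
$issue = 1700000000;
$link  = make_secure_link('https://site.tld', 'folder/filename.zip', $ip, 600, $issue);
echo $link, "\n";

$uri = parse_url($link, PHP_URL_PATH);
var_dump(check_secure_link($uri, $ip, $issue + 100));           // within lifetime, same client
var_dump(check_secure_link($uri, $ip, $issue + 700));           // past hextime
var_dump(check_secure_link($uri, '198.51.100.9', $issue + 100)); // different client address
var_dump(check_secure_link('/folder/filename.zip', $ip));       // bare path, as in the /fail.html case
```

The secret lives only on the link generator and the file server; the hex expiry is public, so its only protection is that changing it invalidates the hash. Binding the key to the client IP gives the behaviour the config above describes, at the cost that clients behind changing proxies get a failed download.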

  19. #19
    Join Date
    May 2009
    Posts
    119
    Okay, I'll have a check when I have some free time.

    It would be a lot better if there were another option in Apache that already does that with, say, .htaccess.

  20. #20
    Join Date
    Mar 2012
    Location
    Saudi Arabia
    Posts
    11
    If you have cPanel, you can put any non-public files in the root of your account, where there is no public access except to the public_html folder.
