拒绝访问的文件夹中的文件 - 允许存取权限从一个文件 [英] Deny access to files in folder - allow acces from one file
问题描述
我有一个文件夹,/歌曲。该文件夹中的所有文件都应该是不可访问。这应该是很容易做到。
I have a folder, /songs. All files inside this folder should be unaccessible. That should be easy to do.
但我想一个文件,player.php来访问它们。我怎样才能做到这一点?
But I want ONE file, player.php to have access to them. How can I do this?
我想的.htaccess是要走的路。
I suppose .htaccess is the way to go.
推荐答案
有两种方式去这样做,既可以使文件从互联网上完全无法访问,或者您可以检查引用者(原文如此)。
There's two ways to go about doing this, you can either make the files completely inaccessible from the internet or you can check the referer (sic).
的HTTP引用是有时附带一个请求告诉其中请求是从称为web服务器的请求头字段。例如,一个页面 index.html的可能有一个形象< IMG SRC =/ foo.png> 。当浏览器加载 index.html的,看到的图像,它也将加载图像。对图像所做的请求将包括 http://example.com/index.html 的引用者之前该页面是被称为浏览器加载图像。与引用者的问题是,(最喜欢的HTTP请求头)可以很容易地伪造的。这意味着,人谁愿意下载所有的歌曲可以只假冒引用者说,它来自 player.php 。这可能是最容易实现的:
The HTTP Referer is a request header field that is sometimes included with a request telling the web server where the request was referred from. For example, a page index.html could have an image <img src="/foo.png">. When the browser loads index.html and sees the image, it'll also load the image. The request made for the image will include http://example.com/index.html as the referer before that page is what referred the browser to load the image. The problem with the referer is that (like most HTTP request headers) it can be easily forged. This means that someone who wants to download all of your songs can just fake the referer to say it came from player.php. This is probably the easiest to implement:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !/player\.php
RewriteCond $1 !player\.php
RewriteRule ^songs/(.*)$ - [L,F]
这些规则会去在你的文档根htaccess文件。或者,如果你想要把它放在歌曲文件夹,删除的规则的普通恩$ P歌曲/ 部分$ pssion。
Those rules would go in the htaccess file in your document root. Or if you want to put it in the songs folder, remove the songs/ part of the rule's regular expression.
第一个解决方案是最好的,因为它使得这些文件无法访问除了通过设计的脚本。因此,像(我们称之为 load.php ):
The first solution is the best because it makes it so the files are inaccessible except through a script of your design. So something like (we'll call it load.php):
<?php
// make whatever checks here to ensure it's ok to send the file to the browser
$name = $_GET['name'];
$fp = fopen($name, 'rb');
// Change the header to whatever your file's mime type is
header("Content-Type: audio/mp3");
header("Content-Length: " . filesize($name));
fpassthru($fp);
exit;
?>
然后你就可以去访问这些文件: http://example.com/load.php?name=song.mp3 。至于什么检查,你需要做的,你可以通过查看 $检查引荐_ SERVER ['HTTP_REFERER'] 。您可以设置从 player.php A UUID或会话cookie,然后将其签入 load.php 。
Then you can access those files by going to: http://example.com/load.php?name=song.mp3. As for what checks you need to do, you can check the referer by looking at $_SERVER['HTTP_REFERER']. You can set a UUID or session cookie from player.php and then check it in load.php.
然后你可以拒绝访问使用类似文件:
Then you can deny access to your files using something like:
RewriteEngine On
RewriteCond $1 !(player|load)\.php
RewriteRule ^songs/(.*)$ - [L,F]
要拒绝访问任何不player.php或load.php
to deny access to anything that isn't player.php or load.php
这篇关于拒绝访问的文件夹中的文件 - 允许存取权限从一个文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
