Protect folder in apache [closed]

0

Good afternoon

Can this be done? I have an Apache server with an application developed in PHP (Yii2). My "problem" is as follows: the app has validation by username and password, and if you are logged in to the system you can access a page that embeds videos stored in a folder called "videos". My question is how I can protect this folder called videos so that nobody can enter it (well, maybe only those who are logged in) and view the videos by typing the path, for example misitio.com/videos/video1.mp4

I already have an index in that folder and an .htaccess with IndexIgnore *.mp4 so that it does not show the file list, but if someone who is not logged in knows the name of a file, they can still view it. I want these videos to be watched only through the page where they are embedded.

How can I avoid this?

    
asked by Kamilo Rodriguez 25.05.2017 at 22:02

2 answers

1

You have a couple of options:

Implement HTTP AUTH through .htaccess

This involves requesting a username and password in the HTTP headers so that they can access ALL the resources in that folder. This solution is impractical and insecure because you have to transport the access credentials in each request. The following lines are placed in an .htaccess file in the folder you want to protect:

AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile "/var/www/passwords"
# Without a Require line Apache does not ask for or check credentials
Require valid-user

Then you add one or more users with the command:

htpasswd -c /var/www/passwords usuario

When trying to enter the folder or a file inside it, your browser will ask for a username and password. To integrate this into your web app, all requests to these resources should carry the authentication headers.

Leave security and transport to PHP (Best solution)

This means serving the files of any directory on your server through PHP: a script receives the file name, checks the permissions for the given session and serves the file under whatever business rules you want.

For example, the URL http://servidor/descarga.php?archivo=video354.avi would download the file only when the user has logged in, and we can add any explicit permission check, such as being its uploader.

I have an example HERE that is an answer to a similar question.

Take a look, if you have any doubts about it, I'll be happy to help you.

    
answered by 25.05.2017 / 22:54
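A sketch of the PHP gatekeeper this answer describes, added here as an illustration (it is not the answerer's linked example). The session key `user_id` and the directory `/var/www/private/videos` are assumptions; in a Yii2 app the same check would sit in a controller action and use the framework's own login state.

```php
<?php
// Added example. Assumptions: login code sets $_SESSION['user_id'] (hypothetical key)
// and the videos are stored in VIDEO_DIR, outside the document root.
const VIDEO_DIR = '/var/www/private/videos';
const ALLOWED_TYPES = ['mp4' => 'video/mp4', 'avi' => 'video/x-msvideo'];

// Map a user-supplied name to a real file inside VIDEO_DIR, or null if not allowed.
function resolveVideo(string $name): ?string
{
    $name = basename($name); // drop any directory part such as "../"
    $base = realpath(VIDEO_DIR);
    $path = realpath(VIDEO_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() follows symlinks, so confirm the result is still under VIDEO_DIR.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    // Only serve the media types we expect to find in this folder.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) { // not logged in
    http_response_code(403);
    exit('Forbidden');
}

$name = $_GET['archivo'] ?? '';
$path = is_string($name) ? resolveVideo($name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close(); // release the session lock before streaming
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

readfile() always sends the whole file and ignores Range headers, so seeking inside an embedded player needs Range handling added to the script or a server-side handoff such as mod_xsendfile.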
2

Step 1

If you want to prevent the files / folders of the directory you want to protect from being listed, write this in its .htaccess file:

Options -Indexes

This prevents the contents of the folder from being listed. If the .htaccess file does not exist in it, create it. If you want the content to be listable, skip this step and move on to the next one.

Step 2

Then you write this in .htaccess and save the changes:

AuthType Basic
AuthName "restricted area"
AuthUserFile /ruta-del-archivo-htpasswd/.htpasswd
require valid-user

Note: You must enter the actual path of your .htpasswd file.

Step 3

Generate an encrypted key to place in the .htpasswd file. You can use this site, or another of your choice. On the site you enter a user name, for example pepe, and a password familiar to you, for example datosalfa22, and press the button Create .httpasswd file; it will then generate something similar to this:

pcedano:$ade1$QcjBX6wX$KV1pQdmnpv3ZjDWytu282/

You must copy the generated string into your .htpasswd file and save.

Step 4

Everything is ready! When you try to enter your folder, it will ask for a username and password. Enter your familiar user name, say ... pepe, and your familiar password, say ... datosalfa22, and you can access your folder.

This way the folder is protected by password.

    
answered by 26.05.2017 at 00:29