[vox-tech] Apache question: preventing direct access to files

Richard S. Crawford rscrawford at mossroot.com
Thu Mar 10 15:58:48 PST 2005


And behold, Micah Cowan flailed at a keyboard and did expound:

> Since you seem to be using ColdFusion (evidence has been snipped), you
> could probably write a short wrapper that will serve up the pdf file if
> the person "deserves" it; and remove the PDF files to outside of the web
> docs repository.

I tried that.  Didn't work, because in the setup, CF pages are delivered
by the JRun server, and not by the Apache server, so I can't use an Apache
redirect to get the wrapper to work.  And if I use an Apache rewrite to
make the page *not* delivered by JRun (I can do this by removing the cfmx
from the URL), then the ColdFusion page does not work. Oy.

Yes, it is exactly the same problem as the hotlinking to image issue.  I
was thinking about it in the wrong way.  Silly me.

Here's what I finally put into httpd.conf:

RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://152.79.198.7/.*\.cfm
RewriteRule .*\.pdf$ - [F]

I also added:

RewriteRule ^/cfmx/(.*\.pdf)$ /$1 [R,L]

though it's probably not necessary.


> BTW, don't ColdFusion suck? :-)

Yeah.  Oh, yeah.  More than you can imagine.  Fortunately, we're going to
start transitioning over to a PHP solution starting next month (the
transition will probably take over a year, but I'm really excited about
it).


-- 
Sláinte,
Richard S. Crawford (AIM: Buffalo2K)
http://www.mossroot.com   http://www.stonegoose.com/catseyeview
"We live as though the world were how it should be,
to show it what it can be."
--"Angel", Season 4 ep. 1
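
The rule set quoted in the message above, modelled as an added example (not part of the original post and not the poster's code): a small Python evaluator that shows which requests the two RewriteCond lines and the [F] rule would refuse. It assumes the extension test is meant as \.cfm; the function names and the sample requests are constructed for illustration.

```python
import re

# Patterns from the httpd.conf lines in the post (extension assumed to be \.cfm).
PDF_RULE = re.compile(r".*\.pdf$")                      # RewriteRule pattern
EMPTY_REFERER = re.compile(r"^$")                       # first RewriteCond
SITE_CFM = re.compile(r"^http://152.79.198.7/.*\.cfm")  # second RewriteCond, negated


def decide(path, referer=None):
    """Return 403 if the rule set would answer Forbidden, otherwise 200."""
    # mod_rewrite tests the RewriteRule pattern first, then its conditions.
    if not PDF_RULE.search(path):
        return 200
    ref = referer or ""  # an absent Referer header expands to the empty string
    cond_empty = bool(EMPTY_REFERER.search(ref))
    cond_not_site = not SITE_CFM.search(ref)  # the leading "!" inverts the match
    # The [OR] flag joins the two conditions; [F] answers 403 when either holds.
    return 403 if (cond_empty or cond_not_site) else 200


# Constructed sample requests: (path, Referer header or None)
SAMPLES = [
    ("/docs/report.pdf", "http://152.79.198.7/cfmx/docs/list.cfm"),       # link on a CF page
    ("/docs/report.pdf", "http://152.79.198.7/cfmx/docs/list.cfm?id=3"),  # pattern has no end anchor
    ("/docs/report.pdf", None),                                 # bookmark, or header stripped
    ("/docs/report.pdf", "http://152.79.198.7/index.html"),     # same host, not a .cfm page
    ("/docs/report.pdf", "http://www.example.org/links.cfm"),   # other site
    ("/cfmx/docs/list.cfm", None),                              # not a PDF, rule does not apply
]


def evaluate(samples=SAMPLES):
    """Apply decide() to each sample and return (path, referer, status) rows."""
    return [(path, ref, decide(path, ref)) for path, ref in samples]


if __name__ == "__main__":
    for path, ref, status in evaluate():
        print(status, path, "Referer:", ref or "-")
```

The Referer value is supplied by the client, so this check limits deep links and hotlinking; per-user access decisions still need something like the wrapper approach suggested in the quoted text.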

