防止直接文件访问

Question

I have several audio files that I don't want to allow anyone else to gain access to them. Each file is in a separate folder inside a main folder, that I'll call "download" for now. So "download" has several other directories, and inside each directory are audio files. Those audio files are played with in a web app on the system.

The problem is that right now anyone can type in the full address of the file localhost/download/dir/sound.wav and play the audio file. This is what I want to prevent from happening, I want those files to only stream when they are access or streamed from our application.

I tried the following on the .htaccess file

deny from all

This just returned an 403 forbidden page, but i was unable to stream the file from within the application

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]

This just disabled the stream all together did not return a 403 or anything it just did not stream from neither the application or direct access

Finally I'm using AJAX to call the script that holds the files to be streamed; are there any options I can use?

Answer 1

It is impossible to prevent the user from accessing those files

In order to hear them they have to be downloaded to the user's computer and that means that they have to be accessible!

The best you can do is encrypt the files and decrypt them in the player. But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm. In the end you gonna find out that you just wasted a whole lot of processing time and in fact slowed down your application!

Answer 2

There is just one problem: how is server supposed to detect who has requested your media - application or some other system, just using similar protocol?

But if you just want to prevent simplest http request to you media, you could involve some token exchange system, eg your application sends request for media in certain format, server sends token for accessing certain file, and then your application may access special (say php) script supplying it with token, script returns your sound stream. This way, media can be forbidden to be accessed from outside world and only will be accessed by you own server-side php script.

Then in order to gain access to media file user would need to know your existing token or your exchange protocol which eliminates random users accessing your media at will. However, as you have been told before there is probably no way to protect against 'educated users'.

Answer 3

One possibility would be to:

1. Add an apache rewrite directive on that download folder to route all requests to a php script instead that takes the file requested as a parameter.
2. Create this script (say sound.php) in your application which takes that file path as a get parameter. This script can output the correct http headers to indicate that the type of data is wav or whatever you want. Then check some cookies or a token or similar, and output the content of the restricted file directly (see readfile ) only if the user is valid.