[英]Prevent direct file access
I have several audio files that I don't want to allow anyone else to gain access to them. 我有几个音频文件,我不想让其他人访问它们。 Each file is in a separate folder inside a main folder, that I'll call "download" for now. 每个文件都在主文件夹内的一个单独的文件夹中,我现在称之为“下载”。 So "download" has several other directories, and inside each directory are audio files. 所以“下载”有几个其他目录,每个目录里面都有音频文件。 Those audio files are played with in a web app on the system. 这些音频文件在系统上的Web应用程序中播放。
The problem is that right now anyone can type in the full address of the file localhost/download/dir/sound.wav
and play the audio file. 问题是,现在任何人都可以输入文件localhost/download/dir/sound.wav
的完整地址并播放音频文件。 This is what I want to prevent from happening, I want those files to only stream when they are access or streamed from our application. 这是我想要防止发生的事情,我希望这些文件只在访问或从我们的应用程序流式传输时才流式传输。
I tried the following on the .htaccess file 我在.htaccess文件上尝试了以下操作
deny from all
This just returned an 403 forbidden
page, but i was unable to stream the file from within the application 这刚刚返回403 forbidden
页面,但我无法从应用程序中流式传输文件
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]
This just disabled the stream all together did not return a 403 or anything it just did not stream from neither the application or direct access 这只是禁用了流一起没有返回403或任何它只是没有从应用程序或直接访问流
Finally I'm using AJAX to call the script that holds the files to be streamed; 最后我使用AJAX来调用保存要流式传输的文件的脚本; are there any options I can use? 我可以使用任何选项吗?
It is impossible to prevent the user from accessing those files 不可能阻止用户访问这些文件
In order to hear them they have to be downloaded to the user's computer and that means that they have to be accessible! 为了听到它们,必须将它们下载到用户的计算机上,这意味着它们必须是可访问的!
The best you can do is encrypt the files and decrypt them in the player. 您可以做的最好的事情是加密文件并在播放器中解密它们。 But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm. 但即使这样,玩家也可以进行逆向工程,有人可以发现加密密钥和算法。 In the end you gonna find out that you just wasted a whole lot of processing time and in fact slowed down your application! 最后你会发现你浪费了大量的处理时间,实际上减慢了你的应用程序!
There is just one problem: how is server supposed to detect who has requested your media - application or some other system, just using similar protocol? 只有一个问题:服务器如何检测谁曾请求您的媒体 - 应用程序或其他系统,只是使用类似的协议?
But if you just want to prevent simplest http request to you media, you could involve some token exchange system, eg your application sends request for media in certain format, server sends token for accessing certain file, and then your application may access special (say php) script supplying it with token, script returns your sound stream. 但是如果你只是想阻止对你的媒体提出最简单的http请求,你可能会涉及一些令牌交换系统,例如你的应用程序以特定格式发送媒体请求,服务器发送令牌以访问某些文件,然后你的应用程序可能访问特殊(比如说php)脚本为它提供令牌,脚本返回你的声音流。 This way, media can be forbidden to be accessed from outside world and only will be accessed by you own server-side php script. 通过这种方式,可以禁止从外部访问媒体,并且只能由您自己的服务器端php脚本访问。
Then in order to gain access to media file user would need to know your existing token or your exchange protocol which eliminates random users accessing your media at will. 然后,为了获得对媒体文件的访问权限,用户需要知道您现有的令牌或您的交换协议,这将消除随意用户随意访问您的媒体。 However, as you have been told before there is probably no way to protect against 'educated users'. 但是,正如您之前所说,可能无法防范“受过教育的用户”。
One possibility would be to: 一种可能性是:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.