使用htaccess拒绝通过浏览器访问目录文件
[英]Deny access to directory files via browser with htaccess
问题描述
i want to deny access (from all non-logged in users) to all the files in a directory from the browser. 
我想拒绝(从所有未登录的用户)访问浏览器中目录中的所有文件。
Only a logged in user can access his files in that folder. 只有登录的用户可以访问该文件夹中的文件。 The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files. 文件路径以登录的用户ID存储在数据库中,因此当用户登录时,他只能查看或下载他的文件。
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder. 所以我不希望其他人(没有登录)从浏览器访问文件夹和文件,其次,我希望用户只能查看文件夹中的文件。
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ? 我想,第二件事我可以用PHP中的一些条件检查,但对于第一个,谁能告诉我htaccess规则实现?
Thank you 谢谢
5 个解决方案
解决方案1
1 2010-11-01 07:20:48
对于.htaccess用户访问的部分,您可以在这里查看 .htaccess密码生成器
解决方案2
1 已采纳 2010-11-01 08:38:30
dont show them the actual folder path where their files are stored. 不要向他们展示存储文件的实际文件夹路径。
Use a php file to fetch the downloadable content. 使用php文件获取可下载内容。
eg :- download.php?file=mydocument.doc 例如: - download.php?file = mydocument.doc
Cons : 缺点:
- Might be slow 可能会很慢
- No Download Resume support (I guess) 没有下载简历支持(我猜)
解决方案3
0 2010-11-01 07:16:02
You can disable default directory browsing using .htaccess. 您可以使用.htaccess禁用默认目录浏览。
Open your .htacces file
打开您的.htacces文件 Look for Options Indexes
寻找选项索引 If Options Indexes exists modify it to Options -Indexes or else add Options -Indexes as a new line
如果存在选项索引,请将其修改为选项 - 索引,或者将选项 - 索引添加为新行 The directory browsing feature should be disable by now
现在应该禁用目录浏览功能
解决方案4
0 2010-11-01 07:40:43
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html 有一篇文章,全面描述了Apache Web服务器的访问控制功能: http : //httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way: 最简单的变体如下所示:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part: 顺便说一下,这部分:
Only a logged in user can access his files in that folder.
will require either creation of separate password files for each folder, or some additional scripting. 将需要为每个文件夹创建单独的密码文件,或者需要一些其他脚本。
There are some known issues with this approach: 这种方法存在一些已知问题:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS).
基本身份验证方案将密码以明文形式发送,如果您的站点可以通过HTTP(而非HTTPS)访问,则该方法不好。 There's also Digest authentication type, but there were some problems with browser support 还有Digest身份验证类型,但浏览器支持存在一些问题 Logout operation will require browser closing
注销操作将需要关闭浏览器
Generally, I'd recommend: 一般来说,我建议:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Apache内置功能-用于简单的访问控制,而无需详细的用户特权/权限配置 Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration.
通过一些Web编程工具进行自定义访问控制 - 用于具有所谓的priveleges /权限配置的身份验证方案。 There are many web development frameworks, which provide access control feature. 有许多Web开发框架,它们提供访问控制功能。
解决方案5
0 2010-11-02 07:02:33
thanks for your replies, between i found a code snippet that is working just fine. 感谢您的答复,我之间发现了一个工作正常的代码段。 I inserted the following lines in my .htaccess file: 我在.htaccess文件中插入了以下行:
Order deny, allow 命令拒绝,允许
deny from all 所有人都否认
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.