帮助使用 htaccess 和 php 保护文件访问?
我正在开发一个允许用户购买数字内容的网站,并实现了一种尝试提供安全下载服务的方法。
我正在使用 CodeIgniter 强制下载,如下所示:
$file = file_get_contents($path);
force_download("my_file_name.zip", $file);
当然,我确保用户在提供下载之前可以使用数据库访问该文件,但我想知道是否有一种方法可以使这些文件更安全。
我使用一些 8-10 个字母键来创建文件路径,因此文件的 url 并不容易找出...类似于 http://mysite.com/as67Hgr/asdo0980/uth89 .zip
代替 http://mysite.com/downloads/my_file.zip
。
另外,我使用 .htaccess 来拒绝目录浏览,如下所示:Options All -Indexes
。
除此之外...我不知道该采取什么步骤。我看过建议使用 .htaccess 的用户名和密码方法的文章,但我不明白如何绕过使用该方法时出现的密码提示。
我希望有一种方法可以使用标头和 cUrl (或类似的东西)发送用户名和密码组合,但我不知道从哪里开始。
任何帮助将不胜感激。提前致谢!
I'm working on a site that allows users to purchase digital content and have implemented a method that attempts to serve secure downloads.
I'm using CodeIgniter to force downloads like this:
$file = file_get_contents($path);
force_download("my_file_name.zip", $file);
Of course, I make sure the user has access to the file using a database before serving the download, but I was wondering if there was a way to make these files more secure.
I'm using a some 8-10 letter keys to create the file paths so urls to the files aren't exactly easy to figure out... something like http://mysite.com/as67Hgr/asdo0980/uth89.zip
in lieu of http://mysite.com/downloads/my_file.zip
.
Also, I'm using .htaccess to deny directory browsing like so: Options All -Indexes
.
Other than that... I have no idea what steps to take. I've seen articles suggesting username and password methods using .htaccess, but I don't understand how to bypass the password prompt that would occur using that method.
I was hoping there might be a method where I could send a username and password combination using headers and cUrl
(or something similar), but I wouldn't know where to start.
Any help would be hugely appreciated. Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
使 Web 服务器在任何情况下都不会提供文件服务,否则所有检查都毫无意义。最好的方法是将它们放在网络根目录之外的某个位置。即:
然后,如果访问它们的唯一方法是通过您的脚本,那么它就像您制作脚本一样安全。
Make it so the web server does not serve the files under any circumstances, otherwise all the checking is pretty moot. The best way to do that is to put them somewhere outside the webroot. I.e.:
Then, if the only way to access them is through your script, it's as secure as you make your script.
为什么不在
.htaccess
中直接Deny from All
?或者将文件放在 webroot 之上?这就足够了。但你当前的设置已经相当安全了。为什么你认为你需要帮助?why not to just
Deny from All
in the.htaccess
? Or place files above webroot? That would be enough. But your current setup is pretty safe already. Why do you think you need any help?如果您希望它们只能从本地主机下载,.htaccess 应该如下所示。此外,它还删除了一些可能尝试访问任何文件的处理程序,以防万一。这样只有您才能访问它。另外一个好主意是在其中存储一个 index.php 文件来检查另一个文件是否存在,如果存在,则设置标头,如果不存在,则退出。
.htaccess 文件:
.htaccess should look like this if you want them to only be downloadable from your localhost. Also, it removes some handlers that that could try to access any of the files, just in case. So that way only you have access to it. Also a good idea to store an index.php file in there that checks the existance of another file, and if exists, set the header, if not, exit.
.htaccess file: