.htaccess RewriteRule, send requests to PHP script

.htaccessrewrite

I'm trying to protect user uploaded files in directory /secret. I created a htaccess file and placed it into that directory.

RewriteBase /secret/
RewriteCond %{REQUEST_URI} !^download.php.*$
RewriteRule .* download.php [QSA,L] #send request to php script, that script sends out the file if user is authenticated

This is working very well, as long as all the files are in that /secret directory. The problem comes when there are subdirectories, for example /secret/subfolder/document.txt. Now when I request this file with my browser, Apache sends out the file. It will not be rewritten by the rewriterule, and anyone can download that file.

Is there any trick that I could use to redirect all the request inside /secret folder to go throught download.php script? So that /secret/file.txt and /secret/subfolder/document.txt etc would all work. I can do the authentication only with php and I would like to keep my directory structure as it is, since those files are used as links on a various member only pages.

Best regards,
Jdoen

Best Answer

RewriteBase /secret/
RewriteCond %{REQUEST_URI} !^download.php.*$
RewriteRule ^(.*)$ download.php [QSA,L] #send request to php script, that script sends out the file if user is authenticated

If that doesn't work try to remove the ^ in front of ^(.*)$

Related Solutions

Mod_wsgi, .htaccess and rewriterule

Without actually testing, use something like:

<Virtualhost *:28512>

ServerName site1.com
ServerAlias www.site1.com

DocumentRoot /home/mehome/webapps/djangoprojects/site1

<Directory /home/mehome/webapps/djangoprojects/site1>
Order allow,deny
Allow from all
AddHandler wsgi-script .wsgi
Options ExecCGI

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /site.wsgi/$1 [QSA,PT,L]
</Directory>

</VirtualHost>

Put your Django WSGI script file as:

/home/mehome/webapps/djangoprojects/site1/site.wsgi

It should contain fixup as documented in mod_wsgi wiki, so it says something like:

import django.core.handlers.wsgi
_application = django.core.handlers.wsgi.WSGIHandler()

import posixpath
def application(environ, start_response):
    # Wrapper to set SCRIPT_NAME to actual mount point.
    environ['SCRIPT_NAME'] = posixpath.dirname(environ['SCRIPT_NAME'])
    if environ['SCRIPT_NAME'] == '/':
        environ['SCRIPT_NAME'] = ''
    return _application(environ, start_response)

Then have static file generator dump files in appropriate location based on URL it must match under:

/home/mehome/webapps/djangoprojects/site1

What should happen is that the rewrite rule will check if Apache found a static file for URL and if not redirect it into the Django application.

This sort of complex setup is much better being asked about on the official mod_wsgi mailing list. This example has been presented a number of times in the past and is in the mailing list archives as well as the basis for it being explained in the documentation.

Relative substitution in mod_rewrite RewriteRule

There is no way as in my knowledge that you can achieve this. You have to configure RewriteBase. One way is to automate setting up of RewriteBase using a PHP script maybe? But that will need write permission (at least) on the .htaccess. But you will have to configure the RewriteBase in .htaccess.

Related Topic