使用PHP / Apache来限制访问静态文件(HTML,CSS,IMG等)静态、文件、Apache、PHP
可以说,你有很多的HTML,CSS,JS,IMG等文件服务器上的目录中。通常情况下,在互联网土地的任何用户可以通过简单地键入了完整的URL访问这些文件:http://example.com/static-files/sub/index.html
Lets say you have lots of html, css, js, img and etc files within a directory on your server. Normally, any user in internet-land could access those files by simply typing in the full URL like so: http://example.com/static-files/sub/index.html
现在,如果你只希望授权的用户能够加载这些文件是什么?在这个例子中,假设你的用户登录后首先从这样的URL: http://example.com/login.php
Now, what if you only want authorized users to be able to load those files? For this example, lets say your users log in first from a URL like this: http://example.com/login.php
你将如何让登录的用户可查看index.html文件(或文件下的静态文件),但文件限制到其他人?
How would you allow the logged in user to view the index.html file (or any of the files under "static-files"), but restrict the file to everyone else?
我已经提出了两种可能的解决方案迄今:
I have come up with two possible solutions thus far:
解决方法1 在静态文件创建以下.htaccess文件:
Solution 1 Create the following .htaccess file under "static-files":
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^(.*)$ ../authorize.php?file=$1 [NC]
然后在authorize.php ...
And then in authorize.php...
if (isLoggedInUser()) readfile('static-files/'.$_REQUEST['file']);
else echo 'denied';
这authorize.php文件是极了简化,但你的想法。
This authorize.php file is grossly over simplified, but you get the idea.
解决方案2 在静态文件创建以下.htaccess文件:
Solution 2 Create the following .htaccess file under "static-files":
Order Deny,Allow
Deny from all
Allow from 000.000.000.000
然后我的登录页面可以追加一条.htaccess文件与IP为记录每个用户。显然,这还需要有某种形式的清理程序的清除出旧的或不再使用的IP。
And then my login page could append that .htaccess file with an IP for each user that logs in. Obviously this would also need to have some kind of cleanup routine to purge out old or no longer used IPs.
我担心我的第一个解决方案可以让服务器的用户和他们正在访问的增加文件的数量上pretty的昂贵。我想,我的第二个解决办法是便宜得多,而且也不太安全,由于IP欺骗等。我还担心写这些IP地址的htaccess文件有可能成为应用的一个瓶颈,如果有许多用户同时使用。
I worry that my first solution could get pretty expensive on the server as the number of users and files they are accessing increases. I think my second solution would be much less expensive, but is also less secure due to IP spoofing and etc. I also worry that writing these IP addresses to the htaccess file could become a bottleneck of the application if there are many simultaneous users.
哪个这些解决方案听起来更好,为什么?或者,你能想到的一个完全不同的解决方案,这将是比任何这些好?
Which of these solutions sounds better, and why? Alternatively, can you think of a completely different solution that would be better than either of these?
推荐答案
我会考虑使用PHP加载器来处理身份验证,然后返回你需要的文件。例如,而不是做< IMG SRC =picture.jpg'/> 执行类似< IMG SRC ='load_image.php?图像= picture.jpg'/>
I would consider using a PHP loader to handle authentication and then return the files you need. For example instead of doing <img src='picture.jpg' /> Do something like <img src='load_image.php?image=picture.jpg' />.
您的图像加载器可以验证会话,检查证书等,然后再决定是否将所需的文件返回给浏览器。这将允许你保存你所有的安全文件的网络访问根目录以外所以没有人会只是他们的wget或浏览出现意外。
Your image loader can verify sessions, check credentials, etc. and then decide whether or not to return the requested file to the browser. This will allow you to store all of your secure files outside of the web accessible root so nobody is going to just WGET them or browse there 'accidentally'.
记得刚回到正确的标题在PHP和PHP做类似的ReadFile(),并且将文件内容返回给浏览器。
Just remember to return the right headers in PHP and do something like readfile() in php and that will return the file contents to the browser.
我已经使用这个非常设置几个大型的安全网站,它就像一个魅力。
I have used this very setup on several large scale secure website and it works like a charm.
编辑:系统我目前正在建设使用这个方法来加载JavaScript,图片和视频,但CSS我们不是很担心有安全
The system I am currently building uses this method to load Javascript, Images, and Video but CSS we aren't very worried with securing.
