"Securing" albums folder on apache server?

Started by gregblach, July 06, 2008, 05:32:59 PM


gregblach

Hello experts,

Have successfully downloaded and installed cpg, and am very happy with it. I am running it on a hosted server (www.one.com) running Apache/MySQL.

I am using the batch upload feature, where I create my own folders under the system default 'albums' folder. Works like a charm.

I am requiring users to log in, but I can see that my pictures are not secured against direct access, e.g.: http://www.domainnameremoved.dk/galleri/cpg1418/albums/petergrossbryllupsbilleder/PGD0001.jpg

Can someone help me how to go about securing from I guess the 'albums' folder and down?

/G


alligator

You can create a file called .htaccess in your albums folder. Important is the "." in front of the file.
The file tells the webserver that all files described by FilesMatch which are below this directory should only be accessible when linked from your domain.
It is not 100%, since a malicious download program might be configured to transfer a suitable referer.

.htaccess
# Mark a request as locally linked when its Referer header starts with one of your own site's URLs
SetEnvIfNoCase Referer "^http://www.yourdomain.de/" locally_linked=1
SetEnvIfNoCase Referer "^http://yourdomain.de/" locally_linked=1
SetEnvIfNoCase Referer "^https://www.yourdomain.de/" locally_linked=1
SetEnvIfNoCase Referer "^https://yourdomain.de/" locally_linked=1

# Apache 2.2 access-control syntax; on Apache 2.4 the equivalent line is "Require env locally_linked"
<FilesMatch "\.(avi|AVI|gif|png|jpe?g|JPG|tif?f|TIF?F|MOV|mov)$">
  # Deny by default, allow only requests that were marked above
  Order Allow,Deny
  Allow from env=locally_linked
</FilesMatch>

Replace yourdomain.de with your domain name. Perhaps you only need one of http and https, or you have a different subdomain than www, maybe cpg.yourdomain.com

Perhaps you need to restart the apache to complete it, I'm not sure.

If you have videos in your gallery they might not be viewable anymore, since the video plugins don't seem to transfer the referer :-[

Joachim Müller

Also keep in mind that pseudo-security apps like the notorious "Norton Internet Security" and similar crap out of the box turn referers off. Legitimate visitors of your site who use such apps on their machines will therefore not be able to see the embedded pics and will probably not be aware of how to change this (if they knew what they were doing, they wouldn't be using such crappy apps in the first place). This being said, there are a lot of disadvantages if you want to do what you're up to, so make sure that you have made up your mind thoroughly before applying such things. Questions like yours have been asked and answered before already - you might want to read up on those previous discussions.

gregblach

alligator -> Your suggestion seems to do the trick. Thanks a bunch!! :)

Joachim Müller -> Didn't know of this behaviour. It's just that: Why require username/password login, if the pictures are available to the public anyway? Is there a different way to achieve what I am trying to do, or some sort of best practice?

/G

gregblach

Hmmm... I see what you mean now. Gallery is not working on various machines now, including my wife's WinVista running Symantec Antivirus. Strange thing is that it does not work running Internet Explorer, however it does when running Firefox 2!!?

Is there any other way to solve my request?

Joachim Müller

Actually, no. If you're really concerned about security, don't upload pics that are not meant for the public at all. As I suggested above, this discussion has already been led very often, so there are some threads where people asked the same question as you: you'd have to hack coppermine in a very extreme way to make the pics get stored outside of the webroot, and each time a legitimate user tries to view a pic, a temporary image needs to be created from the original and later be destroyed using some garbage collection scheme. This requires a very skilled coder and a not-so-small amount of time to accomplish what you're up to. Such a solution would consume huge resources on the webserver, so you're bound to get in trouble with your webhost pretty soon.
Your best bet is to disable directory browsing (using .htaccess) and not use a naming scheme for your uploads that is easy to guess. That will not give you absolute security, but it should work. Works for me at least. In fact it works for most users.
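The approach Joachim describes above (pictures stored outside the webroot, handed out only after a login check) sketched as an added PHP example; this is not Coppermine code, and ALBUM_ROOT, the script name and the $_SESSION['user_id'] login marker are assumptions. Instead of creating and garbage-collecting temporary copies, it streams the original after the checks pass.

```php
<?php
// serve_image.php?f=petergrossbryllupsbilleder/PGD0001.jpg
// Added example, not part of Coppermine: serves a picture that lives outside
// the webroot, but only to a logged-in user and only from inside ALBUM_ROOT.
declare(strict_types=1);

const ALBUM_ROOT = '/var/www/private_albums';   // assumed; must NOT be under the webroot
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

session_start();
if (empty($_SESSION['user_id'])) {             // assumed name of the login marker
    http_response_code(403);
    exit('login required');
}

$base = realpath(ALBUM_ROOT);
$requested = (string)($_GET['f'] ?? '');
$path = ($base === false) ? false : realpath($base . '/' . $requested);

// realpath() resolves "../" and symlinks; the prefix check then guarantees the
// resolved file is inside ALBUM_ROOT, so a traversal attempt ends up as 404.
if ($path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('not found');
}

// Only picture types are served; anything else in the folder stays unreachable.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    http_response_code(404);
    exit('not found');
}

header('Content-Type: ' . ALLOWED[$ext]);
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');    // browser must not second-guess the type
header('Cache-Control: private, no-store');    // no shared caching of a logged-in user's picture
readfile($path);
```

Because the pictures are outside the webroot, Apache never serves them directly and no referer rule is needed; this script is the only way to reach them.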