dougan4884 2012-03-06 08:37
浏览 20
已采纳

Apache目录和图像的安全性

Basically, all the files within the Apache directory are not accessible, except for the images. The images should be accessible but only if loaded trough the website. If I set the Apache rule based on the referer is very easy to by pass: http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se Of course it's not the right choice.

My Apache conf file:

<Directory /var/www/path>
    Order allow,deny
    Deny from all
    Options -Indexes
    # Check against the referer, first level check
    SetEnvIf Referer domain1\.com domain1
    SetEnvIf Referer domain1\.com domain2
    <FilesMatch \.(jpg|jpeg|gif|png)$>
        Order deny,allow
        Deny from all
        Allow from env=domain1
        Allow from env=domain2
    </FilesMatch>
</Directory>

How can I solve this without putting the images in a DB?

Thanks

  • 写回答

1条回答 默认 最新

  • donqo88682 2012-03-06 09:08
    关注

    One way to know for sure is to run all your images through a PHP script which uses something like readfile() to check the requested image and then output it.

    For example: site.com/image.php?name=logo.jpg

    The script could check if the user has a session on your site, if they don't then it means they are requesting the image without viewing the site first (unless cookies are disabled).

    This is going to increase load time though so you have to consider the cost/benefit of implementing.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度
  • ¥30 关于#r语言#的问题:如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测
  • ¥15 ETLCloud 处理json多层级问题
  • ¥15 matlab中使用gurobi时报错
  • ¥15 这个主板怎么能扩出一两个sata口
  • ¥15 不是,这到底错哪儿了😭
  • ¥15 2020长安杯与连接网探
  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么