I have a question: is it possible to still download files from a lighttpd webserver with the following option activated?

    $HTTP["referer"] !~ "^(http://example\.com|http://www\.example\.com)" {
        url.access-deny = ( "" )
    }

What this code does is restrict access to all files to www.example.com only. I currently have this installed on my server, and I want to know whether my files are secured with this method, and whether there is any method to still download the files and eat up my bandwidth. Thank you!

1 Answer

The "Referer" header simply means "where does the client claim to be coming from?" Putting in a restriction like you did makes casual hot-linking harder, but won't do anything to stop a dedicated attacker.

As a side effect, people using some browser privacy extensions will be unable to access your files.

Mark
  • I understand, so you are saying that it is relatively simple to still download the files? – user3453390 Mar 29 '14 at 23:10
  • Anyone can fake a "Referer" header, and some browser extensions will do it automatically. Restrictions like you're using should be considered nothing more than a first line of defense against unauthorized downloads. – Mark Mar 29 '14 at 23:13
  • What would you recommend for accessing the files only from a specific domain? – user3453390 Mar 29 '14 at 23:34
  • That really depends on what you're trying to protect against, how much effort you're to put in, and how you feel about various trade-offs. For example, you could make filenames only valid for a short time, but that requires your web pages to be dynamically generated, and you can't use caching to improve performance. – Mark Mar 30 '14 at 00:26
  • Thank you, Mark, for your time. What I want to do is video streaming, and I am trying to protect the videos against leeching and hotlinking. I have already configured mod_secdownload and mod_flv_streaming, only FLV is not what I need; I need to stream MP4, because converting from MP4 to FLV takes very long on my VPS with 2 GB RAM and 2+ CPU. I didn't manage to install the h264 streaming module, so I am trying different ways. A good help would be a tutorial for installing the h264 mod for lighttpd; I found a lot of them on Google, but none that worked for me. Thank you again! – user3453390 Mar 30 '14 at 11:34
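
The "filenames only valid for a short time" idea from the comments, set beside the Referer rule from the question, as an added example that is not part of the original posts. It sketches the general signed, expiring link technique and is not lighttpd's mod_secdownload URL format; the secret, lifetime, URL layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

# Constructed values for illustration; none of these come from the page.
SECRET = b"constructed-demo-secret"
LIFETIME = 300  # seconds a link stays valid

# The question's rule: requests whose Referer does NOT match are denied.
REFERER_RE = re.compile(r"^(http://example\.com|http://www\.example\.com)")

def referer_allows(referer):
    """Mirror of the lighttpd condition: True means the file is served."""
    return bool(REFERER_RE.search(referer or ""))

def _mac(ts, path):
    # MAC over timestamp + path, keyed with a secret only the server holds.
    return hmac.new(SECRET, (ts + path).encode(), hashlib.sha256).hexdigest()

def sign_path(path, now=None):
    """Build /<mac>/<hex-timestamp><path> when the page is generated."""
    ts = format(int(time.time() if now is None else now), "x")
    return f"/{_mac(ts, path)}/{ts}{path}"

def verify_url(url, now=None):
    """Return the file path if the link is authentic and fresh, else None."""
    now = int(time.time() if now is None else now)
    parts = url.split("/", 3)
    if len(parts) != 4 or parts[0] != "":
        return None  # not a signed link at all
    mac, ts, path = parts[1], parts[2], "/" + parts[3]
    try:
        issued = int(ts, 16)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(ts, path).encode()):
        return None  # path or timestamp altered, or MAC not made with SECRET
    if not 0 <= now - issued <= LIFETIME:
        return None  # link expired, or timestamp lies in the future
    return path

if __name__ == "__main__":
    link = sign_path("/videos/demo.mp4", now=1_000_000)
    # The Referer check depends only on a string the client sends.
    print(referer_allows("http://example.com/page"))
    print(verify_url(link, now=1_000_100))
    print(verify_url(link, now=1_000_301))
```

The Referer rule decides on a value the client supplies, while the signed link decides on a value only the server can produce, which is why a copied link stops working once `LIFETIME` has passed.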