I’m looking to have content on a webpage that is only served if the local client has a magic key/specific cookie. No real knowledge of HTML or apache, just some very basic webpaging and finding that I honestly hate every single thing about it the more I try to learn anything.
I want to avoid anything relying on javascript, and would just like to completely restrict access to files based on parameters (file extension, file path, file metadata, specific files one at a time even) at the server level based on whether the browser can provide proof that the user should be able to see those files.
It’s not part of a login system or anything like that, just access restriction for restricted site contents.
https://httpd.apache.org/docs/2.4/howto/access.html
Reading the Apache docs here, but the jargon is over my head and pretty indecipherable starting from nothing.
It’s a localhost serve/page for now, until I get things figured out well enough to broadcast.
Honestly, you should probably describe what you are trying to do, at what scale, how are the files organized and how important is it to keep the files private.
What does “broadcast” mean? LAN, Internet?
This sounds like a complicated, error prone way to do it and there might be better options.
In theory, a web server can set cookies and serve data based on cookie content, but you still need a mechanism to determine which user gets which cookie - so you are essentially building an authentication system at that point.
Then you need to somehow secure the cookie contents and make sure the user has not tampered with them. This is where you need to use authenticated encryption, a scheme which simultaneously assures the data confidentiality and authenticity, and a web server is not capable of this by itself.
Without this, there is nothing stopping the user from editing the cookie and changing its contents to whatever they like.
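The tamper check described in the post above, as an added example that is not part of the original thread. It uses an HMAC tag, which gives authenticity only and not the confidentiality of full authenticated encryption; the key, the `user|expiry|tag` cookie layout and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption). A real server would load a long random
# secret from storage that clients can never read.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _tag(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, ttl: int, now: Optional[float] = None,
                 key: bytes = SECRET_KEY) -> str:
    """Build 'user|expiry|tag'; the tag binds the user name to the expiry."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + ttl}"
    return f"{payload}|{_tag(payload, key)}"


def verify_cookie(cookie: str, now: Optional[float] = None,
                  key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry, tag = parts
    expected = _tag(f"{user}|{expiry}", key)
    # Constant-time comparison on bytes, so a client cannot learn the
    # correct tag one character at a time from response timing.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        if int(expiry) < now:
            return None
    except ValueError:
        return None
    return user
```

The server still has to decide who receives a cookie in the first place, which is the authentication step the post points out.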
Disclaimer: I’m not a developer, devops, or IT janitor. I just dabble a bit.
You’ll either need to be forthcoming enough with what exactly you want for someone here to write the rules for you or learn how yourself. Either way I find it’s always nice to know how things work.
The most cryptic part of rewrite rules is that they use regular expressions for pattern matching. Aside from that they’re pretty straightforward.
You can plug any regex into the site linked below to get a character by character explanation of what’s going on and how the expression matches against test strings.
The first link covers structure and elements. The second aids with the part that people tend to get hung up on, understanding regex syntax.
Start by adapting the example to the URL and cookie you’re working with. If the rule doesn’t work as expected then we can start looking into why and how to fix it.
You could also do this via PHP, not just Apache directives, if you need something with some more fine-grained control. It can do something, or not, with the presence of the cookie.
Could get some quality of life stuff like ability to upload if you have the cookie and directory listings if you have the cookie too.
ChatGPT could bang this out pretty quickly given some well written directives too.
Assuming the server is set up to support scripting you’d still need a rewrite rule to funnel requests for everything that isn’t the script that generates the webpage itself to a script where the rules could be implemented.
We’re still in the dark about the details so assuming a single page that links to files that users may or may not have access to, rewrite rules alone may suffice.
I know it’s frustrating to not get a straight up answer, but please don’t be like that.
People here care about technology and are genuinely trying to help you and warn about potential dangers of your solution.
You basically said:
I don’t know anything about web servers but I know exactly what the solution should be.
I will not go into why it’s going to be a pain in the ass to maintain, but I will leave you with this:
Your internet accessible file server will get attacked minutes after it’s online. One day you will forget to update or misconfigure something, because you are re-configuring your server on a per user basis, and a hacker will replace some or all of your files with malicious ones.
Then your normie users are going to infect themselves and it’s going to be bad.
Nobody in this thread mentioned javascript other than you… Javascript runs client side and client side access control is no access control at all because it’s trivially circumvented.
You got answers… you just chose to ignore them and yes, you are running a file server. HTTP servers serve files, which is why URLs that fail to correspond to a file on the server return 404 not found. You explicitly asked how to:
@alkafrazin I have reverted the vandalism you performed on this thread. People have given you their valuable time to help you, deleting your posts like this is just plain rude.