let ppl play an mp3 but not let them access the file
Posted by bambinou, 11-10-2012, 09:32 AM Hi, I have a folder with many mp3s, I do not want people to access that folder but also I have to put it in the "public" area of the website or my demos(previews) won't play. What is the best way to stop bots and humans from accessing the file directly but still let me script send the songs as downloads(I have a script that encrypt the url). the script is situated in a folder like this: http://mysite.com/folderhere Thank you, Ben
Posted by APX, 11-10-2012, 09:51 AM Have you tried just putting in a blank index.html file? Would that work for you?
Posted by EksoKen, 11-10-2012, 10:03 AM or maybe password protect the folder ??
Posted by FINESEC, 11-10-2012, 10:12 AM You should disable indexing for this directory (in apache config / htaccess): Options -Indexes
Posted by FINESEC, 11-10-2012, 10:31 AM Placing a .htaccess file inside this directory and adding "Options -Indexes" to this file might just work depending on AllowOverride settings.
Posted by MilesWeb, 11-10-2012, 10:33 AM Hi Ben.. Disable directory listing of files should help. A code in htaccess OR placing a index.html file should be enough.
Posted by bambinou, 11-10-2012, 10:37 AM Thank you for all your replies. So I will add an index.html file in that directory to stop people from seeing the files directly, then add this code: Options -Indexes in a .htaccess file I will create in that folder, is this correct? Thank you, Ben
Posted by Evixo, 11-10-2012, 10:47 AM There's no need to put the MP3's in the public_html folder. Your script can access the MP3's while they are one level up the public_html folder. Users are not able to access the folder but your script can.
Posted by bambinou, 11-10-2012, 10:49 AM Hi, I have download the mp3 script from mainscriptworld and in the doc it says, do not put the preview mp3s in a folder that is below the root or the users wont be able to stream the mp3s. Streaming is done directly from the user to the mp3 and not via a script. Thank you, Ben
Posted by bambinou, 11-10-2012, 03:21 PM I have tried this method Options -Indexes unfortunately, it stops people from playing the player mp3s. It work to stop the folder access but kills the mp3 players Any other solutions please? Thanks, Ben
Posted by FINESEC, 11-10-2012, 03:38 PM What kind of mp3 player do you use?
Posted by bambinou, 11-10-2012, 04:13 PM Hi, I am using the dew player but can use and other free alternative if this is possible. Just to clarify, the site is in php and the songs are not being passed via xml playlists but purely via a file path. People do not log in to listen to the songs as I do not have a login feature in the website. I was wondering if there was a way to get like a middle man script that stream the mp3 for the client, this way the htccess file can protect public users from accessing all the songs form the internet but not the script itself. Right now the full folder is on the net unprotected, even if I rename the folder to something complex, they will still see the paths in the mp3 player. Regards, Ben
Posted by bambinou, 11-11-2012, 07:32 PM Hello everyone, I am having a real problem here. I have a script that delivers the mp3 download with link encryption. The problem is that my folder has to be here in order for the public to play the file: http://mysite.com/music-folder I have 2 problems with that: 1)Anyone can see the url link in my mp3 players.(dew player) 2)Anyone can access the full folder and see all the songs inside. My questions are: I tried to block direct access to that folder via htaccess, but unfortunately it also blocks the mp3 player from playing the file to the public. How can I block direct access to the folder but still let people play the songs? I understand that people download the song in the cache in order to play it but what I am worried about is that someone download all my 180+ songs in one go. Please help, Thanks, Ben
Posted by Evixo, 11-11-2012, 08:34 PM merged>> Like I said: Last edited by foobic; 11-11-2012 at 09:43 PM.
Posted by foobic, 11-11-2012, 09:58 PM Merged. Please keep it in the one thread. When you have a Flash player (running in the visitor's browser) playing mp3s, that's effectively the same as the visitor downloading the file. Putting the files outside of public_html will obviously block both. However: This suggests that your Flash player needs to be able to read the directory listing, which doesn't make much sense if you're giving it direct links to each mp3 file. Perhaps you made a mistake in testing this, or if not, a different player would probably allow you to block directory indexing in this way. Edit: Or does the player itself fetch a list of available mp3s? If so then it would indeed need indexes turned on. But you're still publishing all the mp3 urls on your page so disabling indexes won't really help much - anyone who wants to dig through the page source can still see all the urls and download them directly. One way to prevent this is to hide the files outside of public_html and then provide access via a script that: Checks for acceptable user behaviour (by whatever standards you set)Generates a long random filenameCreates a symlink from the real file to public_html/music_folder/random_filename.mp3Redirects (302) to example.com/music_folder/random_filename.mp3 Then you have another cleanup script eg. in a cron job, that cleans up random filenames older than x minutes. Last edited by foobic; 11-11-2012 at 10:07 PM.
Posted by bambinou, 11-12-2012, 03:57 AM Hi Chris, Thank you so much for the reply. Unfortunately, changing the folder name to something more complicated did not help, the user is still able to see all the mp3s in one go in his browser by just typing that folder name. -Generating a file randomn name won't work with my script, I am music maiascriptworld(the mp3 module) and you have to set the mp3s file name to download in the admin panel, no idea how to ask the script to give a new name each time. -for this one: "Creates a symlink from the real file to public_html/music_folder/random_filename.mp3" , I do not really understand what I have to do here sorry. -For the redirection, how would you do it could you please give me an example? Thank you, Ben
Posted by foobic, 11-12-2012, 04:28 AM Changing the folder name was never part of the plan. You'd create a script, say called music.php. Then in your player you'd set the individual track urls to example.com/music.php?track=1, example.com/music.php?track=2 etc. Then when a request comes in, the script would do its stuff and redirect to kasdfhlaskdfhalk.mp3, a temporary filename that will work for playing the requested track, but will only exist for a few minutes before it gets deleted automatically. And then if a user tries to download all your songs at once, the script can detect that (by logging cookies / IP addresses) and refuse to cooperate.
Posted by bambinou, 11-12-2012, 05:38 AM Hi Foobic, I see......I did not think about that, thank you . No I understand, the script will access the file itself and not the user, enabling me to protect the folder itself from public views. For the download, it is ok as I can set it to a folder below the root, the script works that way already. But for the listening , this will be useful. Thanks Foobic :-) Ben