A secure DAlbum installation ensures that:
- DAlbum private files (stored in the ./.private folder) cannot be accessed
from a browser.
- Pictures from password-protected albums cannot be downloaded without a valid
username and password.
How DAlbum creates links to images
An image pictures/folder1/test.jpg can be reached by the client browser in
two ways:
- directly, with a simple URL such as www.mysite.com/photo/folder1/test.jpg
- indirectly, through a proxy PHP page such as www.mysite.com/photo/photo.php?file=/folder1/test.jpg
Which of the two is used is configured by the $g_bDirectAccess variable in
config.php.
Indirect links
When $g_bDirectAccess is set to false (the default), all images
are returned indirectly through the PHP script photo.php. photo.php verifies that the user
has the access rights needed to view the image and, if so, returns it
to the client browser.
The obvious drawback of this method is that the PHP script is executed, and a security
check performed, every time an image is downloaded, even if the image is publicly
available.
The benefit is flexibility: the DAlbum script controls every image
download and may deny access when a certain condition holds. This can be used to
prevent direct linking, as will be discussed in the FAQ.
Another benefit of indirect linking is that images can be stored outside your
web root. For example, if the web root is /var/www/html, images
can be stored in /home/john and still be served.
Direct links
When $g_bDirectAccess is set to true, all public images are returned
with direct links, and DAlbum is not involved when an image is downloaded.
Private images (available only to authenticated users) are still returned
with indirect links so that the permission check can run. However, when
Basic HTTP Authentication is enabled, private image paths
are also returned as direct links; in this case it is up to Apache to verify access rights.
Direct linking is fast: images are served by the web server without invoking PHP.
Flexibility suffers a little, as image files must be kept inside the web root. The script
must also know how to translate a filename (/photo/folder1/test.jpg) into a URL visible
from outside (www.mysite.com/something/photo/folder1/test.jpg). This is achieved
by setting the $g_sAlbumsRootBrowser variable.
For example, there is a shared hosting and
From a browser this pictures directory would be accessible as www.mysite.com/users/john/pictures.
To let DAlbum translate a filename to a browser URL correctly, $g_sAlbumsRootBrowser
must be set as follows:
$g_sAlbumsRootBrowser="/users/john/pictures";
This way the image /home/users/john/pictures/folder1/test.jpg will be linked
as www.mysite.com/users/john/pictures/folder1/test.jpg and displayed correctly
in the client browser.
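The two translations described above, the untrusted ?file= parameter of the proxy page to a file under the albums root (indirect mode) and a file under the albums root to its browser URL (direct mode), as an added example that is not DAlbum's own code. $g_sAlbumsRoot is an assumed configuration name, and dalbum_resolve_image and dalbum_direct_url are hypothetical helpers; album permission checks are assumed to run before them.

```php
<?php
// Added example, not DAlbum's code; $g_sAlbumsRoot is an assumed config name.

// Indirect mode: map the untrusted ?file= parameter to a real file inside the
// albums root. Returns the canonical path, or null when the request must be
// refused. The album's own permission check runs before this is consulted.
function dalbum_resolve_image(string $file, string $albumsRoot): ?string
{
    $root = realpath($albumsRoot);
    if ($root === false) {
        return null;                              // misconfigured root
    }
    // Refuse any path component starting with a dot: "..", ".private",
    // ".htaccess", ".htpasswd" and ".albumdef.ini" all start with one.
    foreach (explode('/', str_replace('\\', '/', $file)) as $part) {
        if ($part !== '' && $part !== '.' && $part[0] === '.') {
            return null;
        }
    }
    $real = realpath($root . '/' . ltrim($file, '/'));
    if ($real === false || !is_file($real)) {
        return null;                              // missing, or a directory
    }
    // The canonical path must stay below the root; a symlink that points
    // outside the albums tree fails this test even though the file exists.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Direct mode: turn a file below the albums root into the URL path the browser
// fetches, e.g. /home/users/john/pictures/folder1/test.jpg with
// $g_sAlbumsRootBrowser="/users/john/pictures" gives /users/john/pictures/folder1/test.jpg.
function dalbum_direct_url(string $realPath, string $albumsRoot, string $albumsRootBrowser): string
{
    $rel = ltrim(substr($realPath, strlen(rtrim(realpath($albumsRoot), DIRECTORY_SEPARATOR))), '/\\');
    $segments = array_map('rawurlencode', explode('/', str_replace('\\', '/', $rel)));
    return rtrim($albumsRootBrowser, '/') . '/' . implode('/', $segments);
}

// How the proxy page would use the resolver once the album check has passed:
$g_sAlbumsRoot = __DIR__ . '/pictures';                     // assumed value
$path = dalbum_resolve_image($_GET['file'] ?? '', $g_sAlbumsRoot);
if ($path === null) {
    http_response_code(404);                                // do not say why
    exit;
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
readfile($path);
```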
Securing DAlbum installation on Apache
When the Apache web server is used, a DAlbum installation is relatively secure
right after it is unpacked. Access control is implemented with a set of .htaccess files.
The main .htaccess file, located in the installation directory, denies
access to files whose names start with a dot:
Satisfy All
<Files ~ "^\.">
order allow,deny
allow from all
deny from all
</Files>
The .private folder contains only files whose names start with a dot, so none
of them can be accessed. An additional .htaccess in ./config blocks all
access to that directory, and the files in ./include contain no sensitive
information and cannot be used to compromise the script.
The only directory that requires additional protection is ./pictures
and its subdirectories. To prevent unauthorized access to private images,
DAlbum reindex automatically creates an .htaccess file in every private folder.
The format of this .htaccess file depends on the $g_sPrivateDir
setting. If $g_sPrivateDir starts with a dot and thus contains a relative
path, DAlbum creates a simple .htaccess file that blocks all HTTP
access to the folder.
When $g_sPrivateDir contains an absolute path, Basic
HTTP authentication can be used to access the images.
For example, the DAlbum samples contain the protected album "Tremblant", which
can be accessed only by the users user and admin.
$g_sPrivateDir is set to an absolute path:
$g_sPrivateDir="/var/html/sample/pictures/.private";
A special variable, $g_sSiteRootDir, may also be required on virtual hosts
to specify the URL prefix from Apache's perspective (it is prepended to the
AuthUserFile path). In my particular hosting case the setting is:
$g_sSiteRootDir="/home/virtual/site221/fst";
but it will be different on your host: check existing .htaccess
files or Apache logs, or contact your ISP, to obtain this information. Quite likely
your host will be satisfied with the default value, which is an empty string.
The generated .htaccess file for the "Tremblant" folder looks as follows:
AuthName "Photo Album"
AuthType Basic
AuthUserFile /home/virtual/site221/fst/var/html/dalbum/sample/.private/.htpasswd
Satisfy All
<Limit GET POST>
require user admin user
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
<Files .albumdef.ini>
order allow,deny
deny from all
</Files>
In other words, the DAlbum .htpasswd file is used by Apache for authentication,
and access is granted only to admin and user. You may verify this by
connecting to
http://www.delx.ca/dalbum/sample/pictures/Mountains/Tremblant/_res/res_IMG_2879.JPG
with the username/password user/user or admin/admin.
Basic HTTP authentication
Basic HTTP authentication can only be used when PHP is installed as an Apache module.
It cannot be used with Microsoft IIS, or when PHP runs as
CGI (most ISPs install PHP as CGI for security reasons).
In this mode there are no Login/Logoff pages any more; the browser's standard
"Enter password" dialog is used instead.
It speeds up the server considerably: Apache performs authentication and permission
checks much faster than an interpreted PHP script.
Before enabling Basic HTTP authentication, set $g_sPrivateDir to an absolute
path, reindex, and verify on one of your private albums that the correct .htaccess files
are created.
Then edit config.php and set:
$g_bDirectAccess=true;
...
$g_bHTTPAuth=true;
Basic HTTP authentication and PHP CGI
If all images in your album are password protected, Basic HTTP authentication can be used even with PHP in CGI mode.
To use it, follow the instructions in Basic HTTP authentication and
create the following .htaccess file in the DAlbum root directory:
AuthName "Photo Album"
AuthType Basic
AuthUserFile /var/html/dalbum/sample/.private/.htpasswd
Satisfy All
require valid-user
<Files ~ "^\.">
order allow,deny
allow from all
deny from all
</Files>
The first four lines should be taken from the .htaccess files inside the ./pictures
directory. It is very important that AuthName and AuthUserFile are identical
in all .htaccess files. The AuthName in the .htaccess files DAlbum creates
is configured with the $g_sAuthName variable in config.php.
Note that a username/password will be required at all times to access pictures;
no anonymous access is possible.
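The consistency rule just stated can be checked mechanically. The following command-line audit is an added example, not part of DAlbum: it walks an installation directory, reads AuthName and AuthUserFile from every .htaccess it finds, and reports files that disagree with the first auth-enabled one seen, plus AuthUserFile paths that do not exist where the script runs (on a chrooted virtual host the $g_sSiteRootDir prefix can make that last check a false alarm).

```php
<?php
// Added example, not part of DAlbum. Usage: php htaccess_audit.php /path/to/dalbum

// Read AuthName and AuthUserFile from one .htaccess; a missing directive is null.
function read_auth_directives(string $path): array
{
    $found = ['AuthName' => null, 'AuthUserFile' => null];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        if (preg_match('/^\s*AuthName\s+(.+?)\s*$/i', $line, $m)) {
            $found['AuthName'] = trim($m[1], '"');
        } elseif (preg_match('/^\s*AuthUserFile\s+(.+?)\s*$/i', $line, $m)) {
            $found['AuthUserFile'] = trim($m[1], '"');
        }
    }
    return $found;
}

// Walk the installation and return a list of human-readable problems; an empty
// list means every .htaccess that enables Basic auth agrees with the others.
function audit_htaccess(string $installDir): array
{
    $problems  = [];
    $reference = null;            // directives of the first auth-enabled file
    $refFile   = null;
    $iterator  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($installDir, FilesystemIterator::SKIP_DOTS));
    foreach ($iterator as $entry) {
        if ($entry->getFilename() !== '.htaccess') { continue; }
        $file = $entry->getPathname();
        $d = read_auth_directives($file);
        if ($d['AuthName'] === null && $d['AuthUserFile'] === null) {
            continue;             // plain "deny from all" file: nothing to compare
        }
        if ($d['AuthName'] === null || $d['AuthUserFile'] === null) {
            $problems[] = "$file: AuthName and AuthUserFile must both be present";
            continue;
        }
        if (!is_file($d['AuthUserFile'])) {
            $problems[] = "$file: AuthUserFile {$d['AuthUserFile']} not found here";
        }
        if ($reference === null) {
            [$reference, $refFile] = [$d, $file];
        } elseif ($d !== $reference) {
            $problems[] = "$file: AuthName/AuthUserFile differ from $refFile";
        }
    }
    return $problems;
}

$problems = audit_htaccess($argv[1] ?? '.');
foreach ($problems as $p) { fwrite(STDERR, $p . PHP_EOL); }
exit($problems ? 1 : 0);      // non-zero exit when any file disagrees
```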
Securing DAlbum on Microsoft IIS
As Microsoft IIS ignores all .htaccess files supplied with DAlbum,
you need to
secure your installation manually. Open Properties of
the following DAlbum subdirectories:
- ./.private
- ./config
- ./include
- ./pictures
and disable Read, Write and Directory browsing.
As DAlbum cannot change access rights on directories with .htaccess
files and cannot share its .htpasswd file with IIS, it is best to keep direct access
to images switched off in config.php (these are the default
settings):
$g_bDirectAccess=false;
...
$g_bHTTPAuth=false;