Score:0

Make Apache accept requests only if who sent requests is a domain I specified

I currently have an apache2 server accepting API requests on the URL mydomain.com/api and I have a client application that runs at mydomain.com.
Also, in my API, one can access mydomain.com/api/files/fileId to get a file.
Now, in my client application, I have a page like mydomain.com/file/fileid which, instead of directly downloading the file like the corresponding API endpoint does, displays a page with the file information, and if it is a video it has the right custom GUI to stream it. The problem is that one can access the API directly and get the file that way instead of seeing it on the website, and I want to prevent this.
The end goal is to prevent the user from downloading the file and only serve it through my website, a little bit like YouTube does (that I know of)...
Is this achievable with an Apache configuration? Or should I completely change the way I am approaching this?

EDIT: For now I am keeping that the file can be accessed both from the API URL and the website page, but if anyone has any idea please help, thanks.

djdomi
I think it's a duplicate like [this one](https://stackoverflow.com/questions/39550660/how-to-block-direct-download-file)
Alessandro Valentino
I don't think so. I already have authentication on these requests; my need is to prevent people from accessing the API URL directly, and only allow my application to use it.
djdomi
Then restricted to localhost, that might be a good solve?
Alessandro Valentino
If I restrict the request to localhost then my web application cannot access it, since it needs to access the resource as any other user. Or at least I don't know a way to do it, but I think that's not possible.
djdomi
If you have written this, then you should be able to do this. You can maybe also use a hidden key to allow access, but that's just a thought. Remember that there exist anti-leech scripts that prevent users from knowing the real URL. But Server Fault is not a coding page. Stackoverflow.com would, in my mind, be your better choice to solve the problem in the source instead of creating a workaround.
Alessandro Valentino
I thought about using a key saved on the client, but then can someone who knows some basics navigate the JS and find the key? Also, I did not know about those "leech scripts" so I will definitely look into that to see if they help my case, thanks.
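
A server-side variant of the "hidden key" idea from the comments, as an added example that is not part of the original thread: the page handler signs a short-lived URL for the logged-in user and the API verifies it, so no key is ever shipped in the client JS. `SERVER_KEY`, `TOKEN_TTL`, the function names and the `expires`/`sig` query parameters are assumptions; a browser that can play the file can still save it, so this limits reuse and sharing of the API URL rather than the download itself.

```python
import base64
import hashlib
import hmac
import time

# Assumption: this secret lives only on the server, never in the JS bundle.
SERVER_KEY = b"constructed-demo-key-replace-me"
TOKEN_TTL = 60  # seconds a signed link stays valid (hypothetical value)


def _sign(file_id, user_id, expires):
    """HMAC over file id, authenticated user and expiry, URL-safe encoded."""
    msg = f"{file_id}\n{user_id}\n{expires}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_file_url(file_id, user_id, now=None):
    """Called while rendering mydomain.com/file/<id>; the page embeds this URL."""
    current = time.time() if now is None else now
    expires = int(current) + TOKEN_TTL
    sig = _sign(file_id, user_id, expires)
    return f"/api/files/{file_id}?expires={expires}&sig={sig}"


def check_request(file_id, user_id, expires, sig, now=None):
    """Called by the API handler before serving; user_id comes from the session."""
    try:
        expires = int(expires)
    except (TypeError, ValueError):
        return False  # missing or malformed expiry
    current = time.time() if now is None else now
    if current > expires:
        return False  # link is stale: a copied URL stops working after TOKEN_TTL
    expected = _sign(file_id, user_id, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), str(sig).encode())
```

A request to /api/files/<id> without a valid `sig`, with an expired one, or with one issued to a different user or file is rejected even though the caller is authenticated.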