
Secure downloads with naw_securedl

Extension Key: naw_securedl

TYPO3 Version: 6 LTS

Please note

The development of naw_securedl has been discontinued in the meantime. The developers recommend using the secure_downloads extension instead. Please refer to the manual of this extension for information on the range of functions, installation and configuration.

Introduction

Sometimes it can be necessary and useful to secure files that are offered for download on a website to a certain extent. For example, PDF files with internal company data could only be made available to certain user groups.

Although TYPO3 offers the option of making pages or content elements available only to logged-in front-end users, the downloading of files cannot be completely secured in this way. Even if the link to the download is located in a secure area of the website, the file itself is not protected. Anyone who finds out the link in any way can download this file directly.

This is where the naw_securedl extension comes into play. With the help of this extension, any file types and folders on the web space can be secured against a direct download. To do this, the extension redirects the direct links to files using a script. In addition, the directories to be protected can be protected against direct access with a few lines in an .htaccess file. Even if the link to the file is now known, a direct call to this link will only result in an error message.

The combination of frontend user groups and naw_securedl therefore ensures relatively secure protection of the files.

Installation

The extension is installed as usual via the extension manager. To do this, search for the extension key naw_securedl.

Configuration

The extension is configured directly in the extension manager. To do this, search for the extension key in the installed extensions area. In TYPO3 6.x, click on the gear icon in the right-hand column.

In TYPO3 4.x, click on the name of the extension and then on the "Configuration" tab.

Configuration options

The following options are available in the Extension Manager:

forcedownloadtype
List of file types that should not be opened within the browser, but should only be offered as a download. The file extensions are separated by the pipe symbol |. The option only applies if the forcedownload parameter is set.
Example: pdf|doc|xls|rar|tgz|tar|gz

additionalMimeTypes
List of additional MIME types to be secured.
Example: txt|text/plain,html|text/html

forcedownload
Activating the checkbox for this option causes the file types specified above to be downloaded instead of being displayed inline in the browser.

filetype
List of file types to be secured, separated by the pipe symbol |
Default: pdf|jpe?g|gif|png|doc|xls|rar|tgz|tar|gz

securedDirs
Specifies which directories are to be protected.
Default: typo3temp|fileadmin|uploads
Attention: under TYPO3 6.x, protecting typo3temp ensures that images can no longer be displayed enlarged in a lightbox, for example, because the File Abstraction Layer (FAL) stores the already processed images in the typo3temp/_processed_/ directory. Therefore, the default setting may need to be changed here.
You can also specify subdirectories here, for example: fileadmin/user_upload/secured/|uploads
In this case, only the secured folder below fileadmin/user_upload/ and the uploads directory would be protected; the rest of fileadmin/ would remain unprotected.

domain
The domain can be entered here; this is not necessary for internal links.

Log each file access
Activating this checkbox ensures that downloads are logged; the data can be viewed via the Download traffic backend module.

The remaining parameters do not normally need to be changed. Details on these parameters can be found in the extension documentation.

Creating a directory for protected content (optional)

If you do not want to protect the entire fileadmin/ directory, you can also protect one or more subdirectories.

To do this, use the file list module to create a secured directory below user_upload, for example. You can then upload files that are to be protected to this directory.

You must then enter the path to this directory in the securedDirs field in the extension manager (see above).

Protect directory against direct download

After these steps, the links to the files in the frontend are already redirected via the script. Nevertheless, you could still download the files if you enter the path directly in the address bar of the browser.

To prevent this, it is necessary to create an .htaccess file in the directories to be protected, which prevents direct downloading.

naw_securedl already comes with a few sample files. These are located in the directory typo3conf/ext/naw_securedl/res/

You can, for example, copy the file _.htaccess_deny to the directory to be protected using the Midnight Commander on the shell and then rename this file to .htaccess.

This .htaccess file ensures that certain file types are not delivered directly by the web server. The pattern also covers upper- and lower-case spellings of the file extensions, so that a file renamed to .PDF or .Jpeg is still blocked.

The example .htaccess has the following content:

<FilesMatch "\.([Pp][Dd][Ff]|[Jj][Pp][Ee]?[Gg]|[Gg][Ii][Ff]|[Pp][Nn][Gg]|[Dd][Oo][Cc]|[Xx][Ll][Ss]|[Rr][Aa][Rr]|[Tt][Gg][Zz]|[Tt][Aa][Rr]|[Gg][Zz])$">
Order deny,allow
Deny from all
Allow from none
</FilesMatch>
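The sample .htaccess is just the default filetype list with every letter written in both cases. The following Python is an added example, not code from the extension: it derives that case-insensitive FilesMatch pattern from a filetype setting, checks whether a given file name would be refused, and flags types that are present in filetype but missing from an existing .htaccess (a type listed only in the extension setting is linked through the script yet stays downloadable by its direct path). Function names and the sample file names are assumptions of this example.

```python
import re

# Default value of the extension's "filetype" option, as documented above.
DEFAULT_FILETYPES = "pdf|jpe?g|gif|png|doc|xls|rar|tgz|tar|gz"


def case_insensitive(alternative):
    """Rewrite one extension pattern (e.g. 'jpe?g') so each letter matches in
    upper or lower case, in the [Pp][Dd][Ff] style of the sample .htaccess.
    Regex metacharacters such as '?' pass through unchanged."""
    return "".join(
        "[%s%s]" % (c.upper(), c.lower()) if c.isalpha() else c
        for c in alternative
    )

def files_match_regex(filetypes):
    """Build the FilesMatch regex for a pipe-separated 'filetype' list."""
    alternatives = [case_insensitive(a) for a in filetypes.split("|") if a]
    return r"\.(" + "|".join(alternatives) + r")$"

def render_htaccess(filetypes):
    """Render the complete Apache 2.2-style deny block for the given types."""
    return (
        '<FilesMatch "%s">\n'
        "Order deny,allow\n"
        "Deny from all\n"
        "Allow from none\n"
        "</FilesMatch>\n"
    ) % files_match_regex(filetypes)

def is_blocked(filename, filetypes=DEFAULT_FILETYPES):
    """True if the web server would refuse a direct request for this file."""
    return re.search(files_match_regex(filetypes), filename) is not None

def unprotected_types(filetypes, htaccess_text):
    """Return 'filetype' entries that an existing .htaccess does not deny.
    A type listed only in 'filetype' is linked through the script but stays
    downloadable by its direct path, so this catches drift between the two."""
    match = re.search(r'<FilesMatch\s+"([^"]+)">', htaccess_text)
    deny = re.compile(match.group(1)) if match else None
    drift = []
    for alt in filter(None, filetypes.split("|")):
        sample = "sample." + alt.replace("?", "")  # 'jpe?g' -> 'sample.jpeg'
        if deny is None or not deny.search(sample):
            drift.append(alt)
    return drift
```

Run unprotected_types() against the .htaccess actually deployed in the secured directory whenever the filetype setting is changed in the extension manager.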

If you now set links to files in TYPO3 content elements, they will look like the following screenshot in the frontend, for example:

It should also be noted that when using Direct Mail, the images included in the newsletters must not be located in a protected directory.

Generate 403 error page

If you now try to call up a file by entering the direct link in the address line of the browser, only a 403 error (Forbidden) is generated and the visitor is shown the default error page of the web server.

However, it is better to show the visitor a separate error page, perhaps explaining why they cannot download the file directly.

To do this, you can create a normal page in the TYPO3 backend (not visible in the menu). The name of the page is of course arbitrary.

To ensure that the web server also delivers this page in the event of a 403 error, an additional line is required in the .htaccess file in the root directory of the website, i.e. not in the directory to be protected, but where the index.php of the TYPO3 installation is located.

The URL to the error page is stored in this .htaccess file.

When using RealUrl or CoolUri, for example:

ErrorDocument 403 http://name-der-domain.de/zugriff-verweigert/

Without RealUrl/CoolUri, according to the pattern:

ErrorDocument 403 http://name-der-domain.de/index.php?id=xy

Here xy is the page ID of the error page created above.

"Hide" the protected directory from search engines

If you also want to exclude the protected directories from indexing by search engines, create a file called robots.txt in the root directory of the website.

This file can then have the following content, for example:

User-agent: *
Disallow: /fileadmin/user_upload/secured/
Disallow: /fileadmin/protected_directory/

This tells the search engine spiders not to include the named directories and the files they contain in the search index. Most search engines such as Google or Bing also adhere to these guidelines.

This page contains automatically translated content.

Updated: 17.07.2024