TransWikia.com

Allow download of pdf files only in .htacces file

Server Fault Asked by user2033464 on January 9, 2021

I am new to editing .htaccess file I have a .htaccess file that was created for me a while ago but now I have added a new feture to my site to allow people to download pdf files but it appears my .htaccess file is preventing the script from running and giving 403 error but if I type the URL directly into the browser it downloads here is my .htaccess file

# ----------------------------------------------------------------------
# Default Lang and Basic Security Behavior
# ----------------------------------------------------------------------
# X-Powered-By hidden by default nobody will notice if you're using PHP or ASP or whatever
Header unset X-Powered-By
# Set by default UTF-8 charset
AddDefaultCharset UTF-8
# Engilsh language for this files, change it for your needs
AddLanguage en-GB .html .htm .css .js
# Set the default charset for every feed methods
AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
# UK timezone, change it for your needs
SetEnv TZ   Europe/London
# Don not allow any pages to be framed - Defends against CSRF
Header set X-Frame-Options SAMEORIGIN
# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"
# Only allow JavaScript from the same domain to be run.
# Don not allow inline JavaScript to run.
Header set X-Content-Security-Policy "allow 'self';"
# Prevent mime based attacks
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# Disable server sign
ServerSignature Off
# drop Range header when more than 5 ranges. CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK. Bytes, 0-2147483647(2GB)
LimitRequestBody 2147483647
#
#
# 301 Redirect Old File
Redirect 301 /list /property-list
# ----------------------------------------------------------------------
# Better website experience for IE users. We care of them LOL
# ----------------------------------------------------------------------
# Force the latest IE version, in various cases when it may fall back to IE7 mode
# futher details: github.com/rails/rails/commit/123eb25#commitcomment-118920
# Use ChromeFrame if it's installed for a better experience for the poor IE folks
<IfModule mod_headers.c>
  Header set X-UA-Compatible "IE=Edge,chrome=1"
  # mod_headers cannnot match by content-type, but we don't want to send this header on *everything*...
  <FilesMatch ".(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
    Header unset X-UA-Compatible
  </FilesMatch>
  # Header set P3P "policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS""
  # OR THIS, SIMPLER
  # Header set P3P "policyref="/w3c/p3p.xml""
</IfModule>
#
#
# ----------------------------------------------------------------------
# Cross-domain AJAX requests, ENABLE CSRF first (see above)
# ----------------------------------------------------------------------
# Serve cross-domain Ajax requests, disabled by default. Enable-cors.org
# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
#  <IfModule mod_headers.c>
#    Header set Access-Control-Allow-Origin "*"
#  </IfModule>
#
#
# ----------------------------------------------------------------------
# CORS-enabled images (@crossorigin)
# ----------------------------------------------------------------------
# Send CORS headers if browsers request them; enabled by default for images.
# futher details:
# - developer.mozilla.org/en/CORS_Enabled_Image
# - blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
# - hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
# - wiki.mozilla.org/Security/Reviews/crossoriginAttribute
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    # mod_headers, y u no match by Content-Type?!
    <FilesMatch ".(gif|png|jpe?g|svg|svgz|ico|webp)$">
      SetEnvIf Origin ":" IS_CORS
      Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </FilesMatch>
  </IfModule>
</IfModule>
#
# ----------------------------------------------------------------------
# Webfont access
# ----------------------------------------------------------------------
# Allow access from all domains for webfonts.Alternatively you could only whitelist your
# subdomains like "subdomain.example.com".
<IfModule mod_headers.c>
  <FilesMatch ".(ttf|ttc|otf|eot|woff|font.css)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>
#
#
# ----------------------------------------------------------------------
# Proper MIME type for all files
# ----------------------------------------------------------------------
# JavaScript
# Normalize to standard type (it is sniffed in IE anyways)
# futher details: tools.ietf.org/html/rfc4329#section-7.2
AddType application/javascript         js jsonp
AddType application/json               json
#
# Audio
#
AddType audio/ogg                      oga ogg
AddType audio/mp4                      m4a f4a f4b
#
# Video
#
AddType video/ogg                      ogv
AddType video/mp4                      mp4 m4v f4v f4p
AddType video/webm                     webm
AddType video/x-flv                    flv
#
# SVG
# Required for svg webfonts on iPad
# futher details: twitter.com/FontSquirrel/status/14855840545
#
AddType     image/svg+xml              svg svgz
AddEncoding gzip                       svgz
#
# Webfonts
#
AddType application/vnd.ms-fontobject  eot
AddType application/x-font-ttf         ttf ttc
AddType font/opentype                  otf
AddType application/x-font-woff        woff
#
# Assorted types
#
AddType image/x-icon                        ico
AddType image/webp                          webp
AddType text/cache-manifest                 appcache manifest
AddType text/x-component                    htc
AddType application/xml                     rss atom xml rdf
AddType application/x-chrome-extension      crx
AddType application/x-opera-extension       oex
AddType application/x-xpinstall             xpi
AddType application/octet-stream            safariextz
AddType application/pdf                     pdf
AddType application/x-web-app-manifest+json webapp
AddType text/x-vcard                        vcf
AddType application/x-shockwave-flash       swf
AddType text/vtt                            vtt
#
#
# ----------------------------------------------------------------------
# Allow concatenation from within specific js and css files
# ----------------------------------------------------------------------
# e.g. Inside of script.combined.js you could have
#   <!--#include file="libs/jquery-1.5.0.min.js" -->
#   <!--#include file="plugins/jquery.idletimer.js" -->
# and they would be included into this single file.
# This is not in use in the boilerplate as it stands. You may
# choose to use this technique if you do not have a build process.
#<FilesMatch ".combined.js$">
#  Options +Includes
#  AddOutputFilterByType INCLUDES application/javascript application/json
#  SetOutputFilter INCLUDES
#</FilesMatch>
#<FilesMatch ".combined.css$">
#  Options +Includes
#  AddOutputFilterByType INCLUDES text/css
#  SetOutputFilter INCLUDES
#</FilesMatch>
#
#
# ----------------------------------------------------------------------
# Gzip compression
# ----------------------------------------------------------------------
<IfModule mod_gzip.c>
    mod_gzip_on       Yes
    mod_gzip_dechunk  Yes
    mod_gzip_item_include file      .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler   ^cgi-script$
    mod_gzip_item_include mime      ^text/.*
    mod_gzip_item_include mime      ^application/x-javascript.*
    mod_gzip_item_exclude mime      ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
<IfModule mod_deflate.c>
  # Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)s*,?s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>
  # Compress all output labeled with one of the following MIME-types
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml 
                                  application/javascript 
                                  application/json 
                                  application/rss+xml 
                                  application/vnd.ms-fontobject 
                                  application/x-font-ttf 
                                  application/xhtml+xml 
                                  application/xml 
                                  font/opentype 
                                  image/svg+xml 
                                  image/x-icon 
                                  text/css 
                                  text/html 
                                  text/plain 
                                  text/x-component 
                                  text/xml
  </IfModule>
</IfModule>
#
#
# ----------------------------------------------------------------------
# Expires headers (for better cache control)
# ----------------------------------------------------------------------
# These are pretty far-future expires headers.
# They assume you control versioning with filename-based cache busting
# Additionally, consider that outdated proxies may miscache
# futher details: www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
# If you don nott use filenames to version, lower the CSS and JS to something like "access plus 1 week".
# 1 YEAR - does not change often
<FilesMatch ".(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
  ExpiresDefault A29030400
</FilesMatch>
<IfModule mod_expires.c>
  ExpiresActive on
#
# Perhaps better to whitelist expires rules? Perhaps.
#
  ExpiresDefault                          "access plus 1 month"
#
# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
#
  ExpiresByType text/cache-manifest       "access plus 0 seconds"
#
# Your document html
#
ExpiresByType text/html                 "access plus 0 seconds"
#
# Data
#
  ExpiresByType text/xml                  "access plus 0 seconds"
  ExpiresByType application/xml           "access plus 0 seconds"
  ExpiresByType application/json          "access plus 0 seconds"
#
# Feed
#
  ExpiresByType application/rss+xml       "access plus 1 hour"
  ExpiresByType application/atom+xml      "access plus 1 hour"
#
# Favicon (cannot be renamed)
#
  ExpiresByType image/x-icon              "access plus 1 month"
#
# Media: images, video, audio
#
  ExpiresByType image/gif                 "access plus 1 month"
  ExpiresByType image/png                 "access plus 1 month"
  ExpiresByType image/jpeg                "access plus 1 month"
  ExpiresByType video/ogg                 "access plus 1 month"
  ExpiresByType audio/ogg                 "access plus 1 month"
  ExpiresByType video/mp4                 "access plus 1 month"
  ExpiresByType video/webm                "access plus 1 month"
#
# HTC files  (css3pie)
#
  ExpiresByType text/x-component          "access plus 1 month"
#
# Webfonts
#
  ExpiresByType application/x-font-ttf    "access plus 1 month"
  ExpiresByType font/opentype             "access plus 1 month"
  ExpiresByType application/x-font-woff   "access plus 1 month"
  ExpiresByType image/svg+xml             "access plus 1 month"
  ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
#
# CSS and JavaScript
#
  ExpiresByType text/css                  "access plus 1 year"
  ExpiresByType application/javascript    "access plus 1 year"
</IfModule>
#
#
# ----------------------------------------------------------------------
# Prevent mobile network providers from modifying your site
# ----------------------------------------------------------------------
# The following header prevents modification of your code over 3G on some
# European providers.
# This is the official 'bypass' suggested by O2 in the UK.
<IfModule mod_headers.c>
    Header set Cache-Control "no-transform"
</IfModule>
#
#
# ----------------------------------------------------------------------
# ETag removal
# ----------------------------------------------------------------------
# FileETag None is not enough for every server.
<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
# Since we are sending far-future expires, we don not need ETags for
# static content.
# futher details: developer.yahoo.com/performance/rules.html#etags
FileETag None
#
#
# ----------------------------------------------------------------------
# Stop screen flicker in IE on CSS rollovers
# ----------------------------------------------------------------------
# The following directives stop screen flicker in IE on CSS rollovers - in
# combination with the "ExpiresByType" rules for images (see above).
BrowserMatch "MSIE" brokenvary=1
BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
BrowserMatch "Opera" !brokenvary
SetEnvIf brokenvary 1 force-no-vary
#
#
# ----------------------------------------------------------------------
# Set Keep-Alive Header
# ----------------------------------------------------------------------
# Keep-Alive allows the server to send multiple requests through one
# TCP-connection. Be aware of possible disadvantages of this setting. Turn on
# if you serve a lot of static content.
<IfModule mod_headers.c>
    Header set Connection Keep-Alive
</IfModule>
#
#
# ----------------------------------------------------------------------
# Cookie setting from iframes
# ----------------------------------------------------------------------
# Allow cookies to be set from iframes (for IE only)
# If needed, specify a path or regex in the Location directive.
 <IfModule mod_headers.c>
   Header set P3P "policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT""
 </IfModule>
#
#
<IfModule mod_rewrite.c>

    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    ##
    ## You may need to uncomment the following line for some hosting environments,
    ## if you have installed to a subdirectory, enter the name here also.
    ##
    # RewriteBase /

    ##
    ## Uncomment following lines to force HTTPS.
    ##
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{SERVER_NAME}/$1 [L,R=301]
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Canonical www redirect
    # RewriteCond %{HTTP_HOST} !^www.
    # RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R,L]
    ## Remove Bad Bots from crawling ##
    # IF THE UA STARTS WITH THESE
    # Block spambots
    #
    RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
    #
    ## STARTS WITH WEB
    #
    RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
    #
    ## ANYWHERE IN UA -- GREEDY REGEX
    #
    RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
    #
    ## ISSUE 403 / SERVE ERRORDOCUMENT
    #
    RewriteRule . - [F,L]
    #1
    ## Useragents starting with
    #
    RewriteCond %{HTTP_USER_AGENT} ^atraxbot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Azureus [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^geohasher [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^PycURL [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Python-urllib [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^research-scan-bot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Sosospider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Wget [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^xenu [NC,OR]
    #
    ## User agents contains string
    #
    RewriteCond %{HTTP_USER_AGENT} ^.*casper [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*goblox [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*sun4u [NC]
    RewriteRule ^(.*)$ - [F]
    #
    ## Disable blank UA
    ## Blank UA and Referer
    #
    RewriteCond %{HTTP_REFERER} ^$ [NC]
    RewriteCond %{HTTP_USER_AGENT} ^$ [NC]
    RewriteRule .* - [F,L]
    #
    ## Prevent use of specified methods in HTTP Request
    #
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    #
    ## Block out use of illegal or unsafe characters in the HTTP Request
    #
    RewriteCond %{THE_REQUEST} ^.*(\r|\n|%0A|%0D).* [NC,OR]
    #
    ## Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
    ## RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    ## Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request
    #
    RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    #
    ## Block out use of illegal characters in URI or use of malformed URI
    #
    RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\..\).{0,9999}.* [NC,OR]
    #
    ## Block out  use of empty User Agent Strings
    ## NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal
    ## RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    ## Block out  use of illegal or unsafe characters in the User Agent variable
    #
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    #
    ## Measures to block out  SQL injection attacks
    #
    RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|"|'|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
    #
    ## Block out  reference to localhost/loopback/127.0.0.1 in the Query String
    #
    RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127.0.0.1).* [NC,OR]
    #
    ## Block out  use of illegal or unsafe characters in the Query String variable
    #
    RewriteCond %{QUERY_STRING} ^.*(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
    #2
    ########## Begin - File injection protection, by SigSiu.net
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule .* - [F]
    ########## End - File injection protection
    #
    #
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
    #
    # proc/self/environ? no way!
    #
    RewriteCond %{QUERY_STRING} proc/self/environ [NC,OR]
    #
    ## PHP-CGI Vulnerability
    #
    RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    RewriteRule (.*) - [F,L]

    ##
    ## Black listed folders
    ##
    RewriteRule ^bootstrap/.* index.php [L,NC]
    RewriteRule ^config/.* index.php [L,NC]
    RewriteRule ^vendor/.* index.php [L,NC]
    RewriteRule ^storage/cms/.* index.php [L,NC]
    RewriteRule ^storage/logs/.* index.php [L,NC]
    RewriteRule ^storage/framework/.* index.php [L,NC]
    RewriteRule ^storage/temp/protected/.* index.php [L,NC]
    RewriteRule ^storage/app/uploads/protected/.* index.php [L,NC]

    ##
    ## White listed folders
    ##
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} !/.well-known/*
    RewriteCond %{REQUEST_FILENAME} !/storage/app/uploads/.*
    RewriteCond %{REQUEST_FILENAME} !/storage/app/media/.*
    RewriteCond %{REQUEST_FILENAME} !/storage/temp/public/.*
    RewriteCond %{REQUEST_FILENAME} !/themes/.*/(assets|resources)/.*
    RewriteCond %{REQUEST_FILENAME} !/plugins/.*/(assets|resources)/.*
    RewriteCond %{REQUEST_FILENAME} !/modules/.*/(assets|resources)/.*
    RewriteRule !^index.php index.php [L,NC]

    ##
    ## Block all PHP files, except index
    ##
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} .php$
    RewriteRule !^index.php index.php [L,NC]

    ##
    ## Standard routes
    ##
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

</IfModule>
# ----------------------------------------------------------------------
# A little more security
# ----------------------------------------------------------------------
# To avoid displaying the exact version number of Apache being used, add the
# following to httpd.conf (it will not work in .htaccess):
# ServerTokens Prod
IndexIgnore *
# "-Indexes" will have Apache block users from browsing folders without a
# default document Usually you should leave this activated, because you
# should not allow everybody to surf through every folder on your server (which
# includes rather private places like CMS system folders).
<IfModule mod_autoindex.c>
  Options -Indexes
  Options -ExecCGI
</IfModule>
# Block access to "hidden" directories or files whose names begin with a
# period. This includes directories used by version control systems such as
# Subversion or Git.
<IfModule mod_rewrite.c>
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)." - [F]
</IfModule>
# Block access to backup and source files. These files may be left by some
# text/html editors and pose a great security danger, when anyone can access
# them.
<FilesMatch "(.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
  Order allow,deny
  Deny from all
  Satisfy All
</FilesMatch>
AddHandler cgi-script .pl .py .asp .shtml .sh .cgi
# optional logging.
# CustomLog insert-path-and-name-of-log common env=bad-range
# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP is register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
# scripting) attacks. For more information: http://php.net/register_globals
#

script

title = "download"
url = "/download"
is_hidden = 0
robot_index = "index"
robot_follow = "follow"
==
<?php
function onStart(){
  use CmsClassesTheme;
    $theme =  Theme::getActiveTheme();
    $paths = Config::get('cms.themesPath', '/themes').'/'.$theme->getDirName();
    $name = Input::get('name');
    $actual_link = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http");
    $file = $actual_link .'://'. $_SERVER['HTTP_HOST'].'/themes/laratify-octobercms-octaskin/assets/pdf/'. $name;
    $path = $file; // the file made available for download via this PHP file
    $mm_type="application/octet-stream"; // modify accordingly to the file type of $path, but in most cases no need to do so
    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Type: " . $mm_type);
    header("Content-Length: " .(string)  ( file_exists($path) && filesize (filesize($path))) );
    header('Content-Disposition: attachment; filename="'.basename($path).'"');
    header("Content-Transfer-Encoding: binaryn");

    readfile($path); // outputs the content of the file

exit();
    }

?>
==

I an trying not to break my site the pdf’s are only available to logged in users, the script works fine with the bare minimum htaccess file but this is ubove my head

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP