Secure downloads

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
John connor
Registered User
Posts: 2344
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Secure downloads

Post by John connor » Sat Nov 30, 2019 12:56 am

What exactly are secure downloads and can someone tell me what all the options mean? Thanks.

thecoalman
Community Team Member
Posts: 3405
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Secure downloads

Post by thecoalman » Sat Nov 30, 2019 1:21 pm

phpBB files are served through a script and are already "secured" through permissions, e.g. only the sender and recipient can view an attachment sent in a PM. Attachments posted to forums are based on group permissions. If you have a private forum, a group that has no download permissions cannot view files posted in that forum. Note I said download permissions because you can allow the downloading of files and deny access to the forum.

As a side note, be aware that when using a caching service like Cloudflare, if you enable caching of file.php, download permissions go out the window.

The secure downloads should be self-explanatory and add an additional layer of security because you can include/exclude downloads by IP etc. It's effectively a firewall but just applies to attachments. The usefulness of this is quite limited.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison


Re: Secure downloads

Post by John connor » Sun Dec 01, 2019 6:06 am

Can I add my server IP for the IP address only allowed for downloads, or is that IP address for clients?


Re: Secure downloads

Post by thecoalman » Sun Dec 01, 2019 9:01 pm

John, what are you trying to do? To reiterate, I'm not sure what usefulness this feature provides to most people. For example, suppose you were using phpBB for your business and it can be accessed over the internet. You could restrict access to files to just internal connections.


Re: Secure downloads

Post by John connor » Mon Dec 02, 2019 3:40 am

I was just thinking I can somewhat help prevent image hijacking from the board by restricting the download/view of attachments to my board only.

I use AWS S3 for attachments which at present are only for images. I saw some code to use in S3 to prevent users who don't have my board referrer from downloading the images, but I could not get that code to work at AWS S3. So I thought perhaps I could somewhat do this phpBB side instead. Granted I know referrers can easily be forged, but it's better than nothing.

So I was just wondering if that IP address restriction feature would work to just keep all images delivered from my IP only. But I don't think it works like that, but rather restricts access to other IPs from an intranet, like you mention.


Re: Secure downloads

Post by thecoalman » Mon Dec 02, 2019 7:49 am

John connor wrote:
Mon Dec 02, 2019 3:40 am
I was just thinking I can somewhat help prevent image hijacking from the board by restricting the download/view of attachments to my board only.
You would do this by the referrer using an .htaccess rule; specifics for AWS I don't know. You can search for "block hotlinking" for more information. The referrer is sent by the browser and can't be relied on. Unlikely, but it could be spoofed; the larger issue is that it may not be sent, as some browsers don't send it while in privacy mode.
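The referrer check discussed in this thread, sketched as an added example (not part of any post, and not phpBB, Apache or AWS code). The hostnames and the function name are assumptions; the `allow_missing` switch makes explicit the choice the last reply raises about requests that carry no referrer at all.

```python
from urllib.parse import urlsplit

# Hypothetical board hostnames (assumption; replace with the real board domain).
ALLOWED_HOSTS = {"board.example", "www.board.example"}


def hotlink_decision(referer, allow_missing=True):
    """Return 'allow' or 'deny' for an attachment request, given its Referer header.

    allow_missing=True  -> requests without a Referer are served (privacy-mode
                           browsers keep working, but so does any client that
                           simply omits the header).
    allow_missing=False -> such requests are refused (stricter, but breaks
                           images for legitimate visitors who send no Referer).
    """
    if referer is None or not referer.strip():
        return "allow" if allow_missing else "deny"
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # malformed header value, e.g. a broken IPv6 literal
        return "deny"
    host = (parts.hostname or "").lower()
    # Compare the exact parsed hostname. A substring or prefix match would also
    # accept lookalikes such as board.example.evil.test.
    if parts.scheme in ("http", "https") and host in ALLOWED_HOSTS:
        return "allow"
    return "deny"


# Constructed sample headers (not taken from any real log).
SAMPLES = [
    "https://board.example/viewtopic.php?t=1",  # page on the board itself
    "https://other-site.test/gallery.html",     # another site embedding the image
    "https://board.example.evil.test/",         # lookalike hostname
    None,                                       # header not sent
]


def evaluate(samples, allow_missing=True):
    """Return (header, decision) pairs for a list of Referer values."""
    return [(s, hotlink_decision(s, allow_missing)) for s in samples]


if __name__ == "__main__":
    for strict in (False, True):
        print("allow_missing =", not strict)
        for header, decision in evaluate(SAMPLES, allow_missing=not strict):
            print(f"  {header!r:45} -> {decision}")
```

Because the header is supplied by the client, this check only discourages casual embedding; it does not replace phpBB's download permissions.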
