We have some proprietary audio files we are streaming via html5. These files sit in an Amazon S3 bucket.
The audio files have special high and low pass filters and other scientific alterations and were recorded by our own orchestra.
The files won't be available for direct download, but we are streaming them with html5 audio.
Any super user could easily watch the HTTP requests, see what the audio file URL is, punch that in their address bar, then download it, which is against our terms of agreement, which they agree to.
We want it so only our website can access the files and use them within our application.
I can see that you can allow by IP:
<Directory /var/www/>
    <Files filename.ext>
        Order allow,deny
        Allow from 192.168.1.1
    </Files>
</Directory>
But what about by domain name/server?
Would putting our server IP there do the trick? Local IP? I wouldn't think so since I am guessing that checks against the client's IP from the browser.
I understand anyone with the right sound card or software can record the files themselves while listening. Oh well, my goal isn't to make it impossible, it's to make it harder.
So the question in a nutshell is, how do I make it so only our website can access the audio files and stream them to the user?
Thanks!
Sadly, this is trying to solve a Layer 8 problem (People stealing content) at Layer ... 7? It can't be done. Once they have the content, they have it. What is your threat model? If you've already said "this is against policy", then it's against policy. You could put some code in place that if the same IP makes the same request for the same file within 5 minutes, deny access to it.
The problem is that you are thinking "only our webserver can access the files", but with HTML5, you're serving the content.
Unfortunately, when it comes to protecting content, there are lots of bad ways to do it (iTunes music store, protected WMA files, etc.) and really not many good ways. This might be better suited as a programmatic question than a server configuration question.
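The repeat-request check suggested in the answer above (same IP, same file, within 5 minutes), written out as an added example; it is not code from the original posts. The `RepeatRequestGate` class, the `replay` helper and the sample request records are hypothetical and constructed for illustration.

```python
import time
from collections import OrderedDict

WINDOW_SECONDS = 5 * 60  # the "within 5 minutes" window from the answer above

class RepeatRequestGate:
    """Deny a repeat request for the same file from the same IP inside the window."""

    def __init__(self, window=WINDOW_SECONDS, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self._last_served = OrderedDict()  # (ip, path) -> time the file was last served

    def _prune(self, now):
        # Keys are only inserted when served, so the oldest entries sit at the front.
        while self._last_served:
            key, served_at = next(iter(self._last_served.items()))
            if now - served_at < self.window:
                break
            del self._last_served[key]

    def allow(self, ip, path, now=None):
        now = self.clock() if now is None else now
        self._prune(now)
        key = (ip, path)
        if key in self._last_served:
            return False  # same IP, same file, still inside the window
        self._last_served[key] = now
        return True

def replay(requests, window=WINDOW_SECONDS):
    """Run (timestamp, ip, path) records through the gate and return the decisions."""
    gate = RepeatRequestGate(window)
    return [(ts, ip, path, "ALLOW" if gate.allow(ip, path, now=ts) else "DENY")
            for ts, ip, path in requests]

# Constructed sample requests: (seconds since start, client IP, file path).
SAMPLE_REQUESTS = [
    (0,   "203.0.113.10", "/audio/track01.ogg"),  # first play
    (42,  "203.0.113.10", "/audio/track01.ogg"),  # same IP and file, 42 s later
    (60,  "203.0.113.10", "/audio/track02.ogg"),  # different file
    (90,  "198.51.100.7", "/audio/track01.ogg"),  # different IP
    (301, "203.0.113.10", "/audio/track01.ogg"),  # window has passed
]

if __name__ == "__main__":
    for ts, ip, path, decision in replay(SAMPLE_REQUESTS):
        print(f"{ts:>4}s {ip:<14} {path:<20} {decision}")
```

Browsers may fetch one audio file in several Range requests, and many users can share one IP behind NAT, so a deployed version would need to count a single playback once and tolerate shared addresses.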