
htaccess rule

Status
Not open for further replies.

tommo6210

Programmer
May 22, 2007
Hi,

I'm trying to work out how to set up a rule that I can put in the htaccess file for a particular directory, so that the files within can only be viewed if the request (link) to open the file came from within my website.

e.g. would only open if linked to from any page in the or website.

i.e. if you tried to navigate to the page directly by typing the URL in, it wouldn't open.

I presume that I'd have to have a rule set up looking at the HTTP referrer... I tried this, but it doesn't work (I get a 403 forbidden error whether I use the link from within the site, or just type the URL in manually). I've obviously got something wrong...

Code:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://test\.example\.co\.uk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://example\.co\.uk/ [NC]
RewriteRule ^.*$ http://www.example.co.uk/not_allowed_here.htm [R=301,L]

Any help gratefully received.
Regards,
Chris.
 
A much simpler way is to use the Order allow, deny directives. This will only allow access to a particular directory if the referer matches. Here's an example of what I mean:

Order allow,deny
allow from
Here's what's happening. The Order directive tells Apache to parse the allow statements before the deny statements and set the default state to deny. So everything is denied except for what you allow. You can allow an IP address or range of IP addresses, an entire domain or a specific page from that domain.
 
Hi RhythmAce,

Thanks for the suggestion...

I had to remove the http:// part, otherwise I got a 500 server error.

So, I've got...

Code:
Order Allow,Deny
Allow from test.fmsystem.co.uk

But it now seems to give a 403 forbidden whether I'm linking from a page in the test.fmsystem.co.uk site or not...

After a bit more research, I've also tried:

Code:
SetEnvIfNoCase Referer "^http://test\.fmsystem\.co\.uk/" locally_linked=1
SetEnvIfNoCase Referer "^http://test\.fmsystem\.co\.uk$" locally_linked=1
Order Allow,Deny
Allow from env=locally_linked

But that denies, even if I'm linking from a page in the test.fmsystem.co.uk site as well.

I'm beginning to wonder if the referer is being sent correctly. Is there a way of displaying what the system thinks the referer is, to try to 'debug' what's happening?

Regards,
Chris.
 
Problem solved...

The original script that I had would have worked.

I discovered that the HTTP referer variable isn't carried into a newly opened popup window in Internet Explorer (Firefox works OK).

Therefore, the htaccess script was always testing against an empty HTTP_REFERER variable.

To resolve this, I have had to:

1) Open the popup window to a 'dummy' page, sending the page that I want to get to in a 'get' variable
2) Then immediately navigate to the page that I really wanted to open (this way the http referer is sent from the dummy page).

I achieved this by putting an empty form on the dummy page (with the form 'action' being set to the page that I actually wanted to go to, and the form method set to 'get').

I then used javascript to immediately submit the form using the onload event.

Probably not particularly elegant, but it works in both Internet Explorer and Firefox...

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Dummy Page</title>
<script type="text/javascript">
function subm() {
 document.inputform.submit();
}
</script>
</head>
<body onload="subm();">
<form name="inputform" action="<?php echo htmlspecialchars($_REQUEST['url'], ENT_QUOTES, 'UTF-8'); ?>" method="get">
</form>
</body>
</html>
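
The dummy page above takes its target from the `url` request parameter, so whatever value arrives there ends up in the form's `action`. The following is an added example, not the poster's code: a variant of the same page that only forwards to plain paths on the same site and escapes the value before output. The helper name `safe_local_path` and the assumption that every target is a root-relative path such as `/protected/report.htm` (constructed) are not from the thread.

```php
<?php
// Added example: hardened variant of the dummy page. Assumption: targets are
// always paths on this same site, e.g. /protected/report.htm (constructed).

/**
 * Return $candidate if it is a plain same-site path, otherwise null.
 */
function safe_local_path($candidate): ?string
{
    // $_GET values can be arrays (url[]=x), so check the type first.
    if (!is_string($candidate) || $candidate === '' || strlen($candidate) > 512) {
        return null;
    }
    // Must be root-relative: one leading slash, never "//host" or "/\host",
    // which browsers resolve to a different origin.
    if ($candidate[0] !== '/' || preg_match('#^/[/\\\\]#', $candidate)) {
        return null;
    }
    // Conservative character set: no scheme, query string, quotes,
    // angle brackets, backslashes or control characters.
    if (!preg_match('#^/[A-Za-z0-9_\-./]*\z#', $candidate)) {
        return null;
    }
    // Reject ".." path segments.
    if (preg_match('#(^|/)\.\.(/|$)#', $candidate)) {
        return null;
    }
    return $candidate;
}

$target = safe_local_path($_GET['url'] ?? null);
if ($target === null) {
    http_response_code(400);
    exit('Bad request');
}
// Escape for the HTML attribute context even though the allowlist is strict.
$action = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Dummy Page</title>
</head>
<body onload="document.forms[0].submit();">
<form action="<?php echo $action; ?>" method="get"></form>
</body>
</html>
```

The Referer header checked by the htaccess rule is supplied by the client, so the rule discourages casual direct access and hot-linking rather than acting as an access control.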
 