htaccess--specific link

[clarkmurray]

Is there a way to code an htaccess file to allow access to a directory only if the request comes from a specific link?

 

[feherke]

Hi

[gray](...)[/gray] the request comes from a specific link?

No request comes from a link. Requests comes from a user agent.

What do you want to check ? The [tt]REMOTE_ADDR[/tt] or the [tt]HTTP_REFERER[/tt] ? Theoretically :

[gray]# REMOTE_ADDR[/gray]
<Directory /to/protect>
  Order deny,allow
  Deny from all
  Allow from ok.example.com
</Directory>

[gray]# HTTP_REFERER[/gray]
SetEnvIf Referer ok.example.com granted
<Directory /to/protect>
  Order Deny,Allow
  Deny from all
  Allow from env=granted
</Directory>

Feherke.

http://rootshell.be/~feherke/

 

[clarkmurray]

Thanks. HTTP_REFERER should work. I'll try to test it tonight. Can I combine this with password authorization? In other words, I want somebody to have access either from a specific referrer or if they have a login and password. Somthing like:

# HTTP_REFERER
SetEnvIf Referer ok.example.com granted
<Directory /to/protect>
Order Deny,Allow
Deny from all
Allow from env=granted
</Directory>
# LOGIN/PASSWORD
AuthType Basic
AuthName "Protected Area"
AuthUserFile /to/protect/.htpasswd
require valid-user

 

[feherke]

Hi

Better not use the HTTP_REFERER for this. Can be easily faked. For example with Links : Setup | Network options | HTTP options :
[tt]
[X] No referer
[ ] Send requested URL as referer
[ ] Send real referer (normal operation, INSECURE!!!)
[ ] Fixed referer
[/tt]
If you want to protect something, then use password based authentication.

Feherke.

http://rootshell.be/~feherke/

 

[clarkmurray]

In this particular case the referrer would be another directory on my site which is password protected. I don't think that could be faked.

 

[feherke]

Hi

I post the list of related Links settings to show how easy is to fake the referrer. Only need to fill a dialog.
Anyone can send a request to the web server for example with [tt]telnet[/tt]. And in that request can write whatever he wants.

Feherke.

http://rootshell.be/~feherke/

 

[clarkmurray]

I appreciate your pointing out the risk to me. However, it is a business risk I am willing to take. Practically speaking, it means that someone who knows how to do this will steal one of my download products periodically. I take more of a risk on PayPal right now. There are other reasons why I need referrer access as well as password access.

My immediate issue is that if I include both pieces of code that I posted, Apache interprets it as BOTH are required--a valid referrer AND a login/password. I need EITHER/OR. How do I do that?

 

[spewn]

building off this, i need to change the DirectoryIndex only if a request comes from a specific website...

for example...

if (REFERRER =

http://www.me.com)

{DirectoryIndex index1.html;}
else {DirectoryIndex index.html}

sorry about the conditional syntax, but i don't know how to setup the HTACCESS...

right now, here's my .htaccess:

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

any ideas?

- g

 

[feherke]

Hi

Not tried, but the documentation says to put this after those settings :

Satisfy Any

http://httpd.apache.org/docs/2.0/mod/core.html#satisfy

Feherke.

http://rootshell.be/~feherke/

 

[feherke]

Hi

i need to change the DirectoryIndex only if a request comes from a specific website...

As I know, such things can be only simulated using mode_rewrite :

RewriteEngine on
RewriteCond %{HTTP_REFERER} [URL unfurl="true"]www.me.com[/URL]
RewriteRule ^$ index1.html

Ps : For new question please start new thread.

Feherke.

http://rootshell.be/~feherke/

 

[clarkmurray]

I tested 'Satisfy Any' and it works as documented. Exactly what I need. Thanks for your help.