Jump to content

[SOLVED] .htaccess deny/allow problem


vexx

Recommended Posts

Ok, I have a problem I can't get around for the last 2 days.

 

I have a site and I decided to add a mirror for hosting some files to it.

 

Let's call this site mysite.com . For the mirror, I have added a subdomain mirror.mysite.com

 

In some pages on the site, I have references to some files from mirror.mysite.com. The problem is, I don't want anybody to hotlink them, so basically, I just want the users to get the file when clicking on links from mysite.com.

 

I figured that using the deny allow rules will resolve this problem, but it seems not, or I'm not using it correctly.

 

order deny,allow

deny from all

allow from mysite.com {tried with ip also}

 

What's wrong here?

Link to comment
Share on other sites

You can't do this.

 

Each http request is separate from all others. That mean the request for mirror.mysite.com have no idea on what site it came from or even if it was a website or a bookmark or whatever else.

 

When a client initiate a http connection it can provide a REFERER (the previous URL) that can allow you to know where it can from, but since the REFERER is provide by the client it's unreliable, modern browser will provide it, but you can easly fake it with some firefox addon or with php curl() function.

 

Unless you want to install a php solution for this (like login, session, ...) you can rely on REFERER given by the client to deny the mirror. It's unreliable but in real work it may work great since most browser provide a REFERER.

 

In your .htaccess (you will need mod_rewrite module for it to work) :

Options +FollowSymLinks

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|png|jpg)$ - [F]
</IfModule>

 

In this example it block all image (gif, png, jpg) if the REFERER don't come from www.mydomain.com or mydomain.com, change it for your need.

 

With this :

order deny,allow
deny from all
allow from 192.168.0.1

 

In this example everyone except the IP address with 192.168.0.1 are deny. It will allow 192.168.0.1 to request anything (no mater what website it came from) and deny all others request (even if they are caming from the right website).

 

Hope it help :)

Link to comment
Share on other sites

ok i tried this code in my htaccess:

 

order deny,allow
deny from all
allow from 192.168.0.1

 

i blocks everything, but also my site. i tried the site ip at allow, i tried it 192.168.* and i tried it with *.site.com (at allow). Nothing works, the page gives me forbidden everywhere. I'm guessing I don't need to add this code also right?

 

Options +FollowSymLinks

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|png|jpg)$ - [F]
</IfModule>

 

Thank you in advance

Link to comment
Share on other sites

i'm sorry, don't know what i was thinking, i was misinterpreted it.

 

I tried your solution, but i didn't block anything.

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?site.com/.*$ [NC]
RewriteRule \.(rar|exe|zip)$ - [F]
</IfModule>

 

i replaced the pictures execs with the ones i posted above. If I try the following link mirror.site.com/folder/file.exe the browser gets it either if it's linked on site.com or i just paste it in a different browser. I hope i didn't got this wrong either :)

Link to comment
Share on other sites

You need the Options +FollowSymLinks for mod_rewrite to work.

 

Options +FollowSymLinks

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(rar|exe|zip)$ - [F]
</IfModule>

 

Did you change the mydomain.com to yours ? Did you have mod_rewrite installed and test it ? Did you have 'AllowOverride All' in your main apache configuration file (needed to rewrite url) ? Did you clean the browser cache before trying ? What browser are you using ? As i said the REFERER rely on the browser to work (and isn't reliable but in most case it should work).

 

How did you put the link on the page ? I think most <img> <a> are fine, but i'm not sure about how browser sent the REFERER in case of a javascript.

 

I copy/paste this script after testing it from my local apache and it was working for me.

Link to comment
Share on other sites

sorry for the late responde...i got some issues couldn't be at the computer.

 

The browser used is Firefox and the links are hrefs, straight into the html. mod_rewrite is installed, the site has also some links rewritten. I just checked httpd.conf to double check and the following are on:

 

Options All
AllowOverride All

 

However, being a cpanel powered server, in the virtualhosts(httpd.conf) for that domain, i have the following:

 

Options -ExecCGI -Includes

 

but i'm not sure if I need to add the +followsymlinks directive here. is this the problem?

 

thx alot for all your help. i greatly appreciate it!

 

 

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.