[SOLVED] .htaccess deny/allow problem

[vexx]

Ok, I have a problem I can't get around for the last 2 days.

 

I have a site and I decided to add a mirror for hosting some files to it.

 

Let's call this site mysite.com . For the mirror, I have added a subdomain mirror.mysite.com

 

In some pages on the site, I have references to some files from mirror.mysite.com. The problem is, I don't want anybody to hotlink them, so basically, I just want the users to get the file when clicking on links from mysite.com.

 

I figured that using the deny allow rules will resolve this problem, but it seems not, or I'm not using it correctly.

 

order deny,allow

deny from all

allow from mysite.com {tried with ip also}

 

What's wrong here?

[gffg4574fghsDSGDGKJYM]

You can't do this.

 

Each http request is separate from all others. That mean the request for mirror.mysite.com have no idea on what site it came from or even if it was a website or a bookmark or whatever else.

 

When a client initiate a http connection it can provide a REFERER (the previous URL) that can allow you to know where it can from, but since the REFERER is provide by the client it's unreliable, modern browser will provide it, but you can easly fake it with some firefox addon or with php curl() function.

 

Unless you want to install a php solution for this (like login, session, ...) you can rely on REFERER given by the client to deny the mirror. It's unreliable but in real work it may work great since most browser provide a REFERER.

 

In your .htaccess (you will need mod_rewrite module for it to work) :

Options +FollowSymLinks

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|png|jpg)$ - [F]
</IfModule>

 

In this example it block all image (gif, png, jpg) if the REFERER don't come from www.mydomain.com or mydomain.com, change it for your need.

 

With this :

order deny,allow
deny from all
allow from 192.168.0.1

 

In this example everyone except the IP address with 192.168.0.1 are deny. It will allow 192.168.0.1 to request anything (no mater what website it came from) and deny all others request (even if they are caming from the right website).

 

Hope it help

[vexx]

ok i tried this code in my htaccess:

 

order deny,allow
deny from all
allow from 192.168.0.1

 

i blocks everything, but also my site. i tried the site ip at allow, i tried it 192.168.* and i tried it with *.site.com (at allow). Nothing works, the page gives me forbidden everywhere. I'm guessing I don't need to add this code also right?

 

Options +FollowSymLinks

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|png|jpg)$ - [F]
</IfModule>

 

Thank you in advance

[gffg4574fghsDSGDGKJYM]

You didn't read my post at all did you ?

 

I told you what order deny, allo, deny from all actually does, not to use it, isn't the answer to your problem, DO NOT use it.

 

Read my first post. The answer is there.

[vexx]

i'm sorry, don't know what i was thinking, i was misinterpreted it.

 

I tried your solution, but i didn't block anything.

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?site.com/.*$ [NC]
RewriteRule \.(rar|exe|zip)$ - [F]
</IfModule>

 

i replaced the pictures execs with the ones i posted above. If I try the following link mirror.site.com/folder/file.exe the browser gets it either if it's linked on site.com or i just paste it in a different browser. I hope i didn't got this wrong either

[gffg4574fghsDSGDGKJYM]

You need the Options +FollowSymLinks for mod_rewrite to work.

 

Options +FollowSymLinks

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(rar|exe|zip)$ - [F]
</IfModule>

 

Did you change the mydomain.com to yours ? Did you have mod_rewrite installed and test it ? Did you have 'AllowOverride All' in your main apache configuration file (needed to rewrite url) ? Did you clean the browser cache before trying ? What browser are you using ? As i said the REFERER rely on the browser to work (and isn't reliable but in most case it should work).

 

How did you put the link on the page ? I think most <img> <a> are fine, but i'm not sure about how browser sent the REFERER in case of a javascript.

 

I copy/paste this script after testing it from my local apache and it was working for me.

[vexx]

sorry for the late responde...i got some issues couldn't be at the computer.

 

The browser used is Firefox and the links are hrefs, straight into the html. mod_rewrite is installed, the site has also some links rewritten. I just checked httpd.conf to double check and the following are on:

 

Options All
AllowOverride All

 

However, being a cpanel powered server, in the virtualhosts(httpd.conf) for that domain, i have the following:

 

Options -ExecCGI -Includes

 

but i'm not sure if I need to add the +followsymlinks directive here. is this the problem?

 

thx alot for all your help. i greatly appreciate it!

 

 

[vexx]

i tried with +followsymlinks in the virtualhost directory...no go...any idea?