protecting a folder

[kaliok]

Hi I am having trouble trying to protect a folder I store some javascript files in, perhaps I am placing the following code (that I have placed in an .htaccess file) in the wrong place or perhaps the code is wrong itself, any help/advice would be most appreciated. The files are used in a mini cms and would like to have it so they are only available to someone using the cms for the particular site and to stop anyone accessing the aforementioned javascript files from a remote url.

 

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www.)?thesitesname.com/.*$ [NC]

RewriteRule \.(js)$ - [F]

 

 

[madmax]

Not sure what you mean by "trouble". What exactly is the problem?

 

Also - http://httpd.apache.org/docs/2.0/howto/htaccess.html#when - When not to use .htaccess files

 

Summary...

If HTTP_REFERER is not empty AND

If HTTP_REFERER is not http://thesitename.com or http://www.thesitename.com

If file request is ending in .js then Fail

 

You are blocking access to all *.JS files on your server unless they come from other than the above two URLs?

 

I think you may at least need a "last" L - [F,L]

I also think you may need a NC on your last rule (no case)

See the mod_rewrite cheat sheet http://www.phpfreaks.com/forums/index.php/topic,126435.0.html

 

[kaliok]

Thanks for your quick response. When I say, "trouble", I mean, that the code I had used was not behaving in the way I had hoped it would.

 

I have updated the code as follows:

 

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www.)?thesitename.com/.*$ [NC]

RewriteRule \.(js)$ - [F,L,NC]

 

However I am still able to access the files from outside the url. I'm afraid I am not too good with Apache and mod_rewrite.  If it makes it any easier how would I make it so the entire folder is only accessible from the one site.

 

Thanks again for any help.

[madmax]

If you have access to the httpd conf file I'd do it in there. If it is a folder you want to protect as well as specifying the files in the folder you need to add a RewriteCond for the folder and AND these with the others (relevant to use in httpd conf follows...)

 

e.g. /scripts/*.js

 

RewriteCond  ^scripts/ [nc]

 

If instead - you still want to keep .htaccess files you need to be sure that they are being used. You need an Allow Override ... option to enable them. The way to tell would be to specify a specific log file in the .htaccess (win32 example) and see if the rule is actually getting triggered (no content would suggest not).

 

RewriteEngine On
RewriteLogLevel 5
#specify full path when used in .htaccess here since we want a specific log file and MUST know where it is going...
RewriteLog c:/apache/logs/rewrite.log
# remaining code...

 

 

 

[kaliok]

The htaccess files are definitely being used, but I just can't seem to get the right ReWrite code. I don't believe I have access to the httpd conf files though. I would really like to try and get this to work with htaccess files. Any further help would be greatly appreciated.

 

Thanks for your help so far.

[kaliok]

I think I managed to do it.

 

RewriteCond %{HTTP_REFERER} !^http://(www\.)?thesitename.com/.*$ [NC]

 

It appears I was missing a backslash after the www! Blah!

[madmax]

Lol - if I had a $ for every time I had done that, I'd have about... well a lot of $$$s

A good night's sleep is always a good cure - I ought to have spotted it myself but didnt either

Glad it's fixed