Apache Lounge
Topic: Allow access from specific referrer?

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Fri 18 Jan '08 14:38

I haven't done any testing yet, but is anyone familiar with exactly how to deny all HTTP requests except those from a specific subdomain referrer? I was thinking of trying something similar to this. Any tips would be appreciated.

Code:
SetEnvIf Referer "^https://www.mydomain.com/" thisisthegoodone
<Directory /my/directory>
    Order Deny,Allow
    Deny from all
    Allow from env=thisisthegoodone
</Directory>


Will this be restrictive if a browser doesn't send referral info? Are there some out there that don't?

Thanks

Tony

tdonovan
Moderator
Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

Posted: Fri 18 Jan '08 15:33

One mistake - you need to escape the dots in the domain name:
Code:
SetEnvIf Referer "^https://www\.mydomain\.com/" thisisthegoodone
<Directory /my/directory>
    Order Deny,Allow
    Deny from all
    Allow from env=thisisthegoodone
</Directory>

Browsers send a Referer header only when the user clicks on a link, but not when the user types (or pastes) a URL into their browser.

Access will only be allowed when the user comes from a link which is not on your web site. If the link is from your own web site, you may not get the leading "https://www.mydomain.com/" portion of the URL in the Referer field, but just a relative URI instead. This case will also get blocked.

In any case, relying on the Referer header is not very secure. A clever hacker who is not using a browser can put anything they want into the Referer header.

-tom-
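
Added example, not part of tdonovan's post or anyone's code in this thread: a small Python model of the `SetEnvIf` allow decision, run over constructed Referer values, showing what the unescaped dots change and what happens when no Referer is sent. It assumes Python's `re` behaves like Apache's regex engine for these simple patterns.

```python
import re

# Patterns copied from the thread: the original (dots unescaped) and the corrected one.
UNESCAPED = r"^https://www.mydomain.com/"
ESCAPED = r"^https://www\.mydomain\.com/"


def allowed(referer, pattern):
    """Model of SetEnvIf + 'Deny from all' / 'Allow from env=thisisthegoodone'.

    The environment variable is set only when the header value matches.
    A missing Referer is tested as an empty string, so it never matches
    and the request is denied.
    """
    return re.search(pattern, referer or "") is not None


# Constructed sample Referer values (not taken from any real log).
SAMPLES = [
    ("link on the main site", "https://www.mydomain.com/downloads.html"),
    ("typed URL or bookmark (no header)", None),
    ("look-alike host, '.' matches any char", "https://wwwxmydomain.com/page"),
    ("http instead of https", "http://www.mydomain.com/downloads.html"),
    ("unrelated site", "https://search.example/results?q=x"),
]


def compare():
    """Return (label, allowed_with_unescaped, allowed_with_escaped) per sample."""
    return [(label, allowed(ref, UNESCAPED), allowed(ref, ESCAPED))
            for label, ref in SAMPLES]


if __name__ == "__main__":
    for label, loose, strict in compare():
        print(f"{label:40} unescaped={loose!s:5} escaped={strict}")
```

The check only ever sees the string the client sent, so a match says nothing about where the request really came from.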

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Fri 18 Jan '08 15:42

Which leads me to....any suggestions? I don't need silver platter code...just a push in the right direction is usually enough!

Thanks

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Sat 19 Jan '08 19:18

tdonovan wrote:
One mistake - you need to escape the dots in the domain name:
Code:
SetEnvIf Referer "^https://www\.mydomain\.com/" thisisthegoodone
<Directory /my/directory>
    Order Deny,Allow
    Deny from all
    Allow from env=thisisthegoodone
</Directory>

Browsers send a Referer header only when the user clicks on a link, but not when the user types (or pastes) a URL into their browser.

Access will only be allowed when the user comes from a link which is not on your web site. If the link is from your own web site, you may not get the leading "https://www.mydomain.com/" portion of the URL in the Referer field, but just a relative URI instead. This case will also get blocked.

In any case, relying on the Referer header is not very secure. A clever hacker who is not using a browser can put anything they want into the Referer header.

-tom-


I'm going to send from one domain to a subdomain on a different server. Would this be a better method?

Code:
<Directory /var/www/mydirectory/>
    Order allow,deny
    Allow from 192.168.1.0/24
    Allow from 192.168.1.1/24
</Directory>

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Sun 20 Jan '08 0:31

Actually...I realize now that that won't work either since the client will be coming from various other addresses. I believe allowing a referrer "links from my other webservers" will be good enough. I don't care too much if people can get to the server directly by creativity. I just want to force a normal user to come from a link on my main site and not bookmark links directly.

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Fri 25 Jan '08 23:03

Code:
SetEnvIf Referer "^https://www\.mydomain\.com/" thisisthegoodone
<Directory /my/directory>
    Order Deny,Allow
    Deny from all
    Allow from env=thisisthegoodone
</Directory>


The referrer value is not being set when I click on a redirect html page on the mydomain server to the new server. Is there a way to redirect to force a referrer to be set?

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Mon 28 Jan '08 23:31

What about setting a cookie and then using mod_rewrite to check for the cookie and rewrite to an error page if it isn't present?

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Thu 31 Jan '08 16:08

FYI...this may not be totally reliable, but this is what I have in place on my test system.

Code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$ [NC]
RewriteRule \.(gif|exe|pdf)$ https://srv1\.imydomain\.com/notlinked\.html [NC,R,L]


This is put in my vhost section on a server in a different subdomain. Seems to work well for what little testing I've done so far.

epohcj
Joined: 06 Feb 2008
Posts: 5

Posted: Wed 06 Feb '08 20:26

brewdude wrote:
FYI...this may not be totally reliable, but this is what I have in place on my test system.

Code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$ [NC]
RewriteRule \.(gif|exe|pdf)$ https://srv1\.imydomain\.com/notlinked\.html [NC,R,L]


This is put in my vhost section on a server in a different subdomain. Seems to work well for what little testing I've done so far.


What if I want the referral link to be http://domain.com/dir/file.htm?
How would I rewrite RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Wed 06 Feb '08 20:34

Just a guess, but I think it would be:

Code:
RewriteCond %{HTTP_REFERER} !^http://domain\.com/dir/file.htm?$

epohcj
Joined: 06 Feb 2008
Posts: 5

Posted: Wed 06 Feb '08 20:43

It didn't work, though I've also to escape the . in .html like this \.html but it didn't work. Any other suggestion or guess?

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Wed 06 Feb '08 20:53

Ah...forgot the last ".". How about

Code:
RewriteCond %{HTTP_REFERER} !^http://domain\.com/dir/file(.*)?$ [NC]

epohcj
Joined: 06 Feb 2008
Posts: 5

Posted: Thu 07 Feb '08 1:04

This one is not working either.

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Thu 07 Feb '08 1:23

I would add this after your rewrite statements and see if there is anything in the log that's apparent.

Code:
RewriteLog logs/rewrite.log
RewriteLogLevel 9

epohcj
Joined: 06 Feb 2008
Posts: 5

Posted: Thu 07 Feb '08 5:26

OK, I will do that.

epohcj
Joined: 06 Feb 2008
Posts: 5

Posted: Thu 07 Feb '08 7:48

It gives me the following error: "RewriteLog not allowed here"

brewdude
Joined: 18 Jan 2008
Posts: 12

Posted: Wed 13 Feb '08 17:26

If you use my example for an ".htm" file you need to add it to the file extensions listed in the rewrite rule. The rule will pass any file extensions not implicitly defined.
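
Added example, not part of brewdude's post or the thread's own code: a Python model of how the `RewriteCond`/`RewriteRule` pair posted earlier decides each request, showing why `/dir/file.htm` passes until `htm` is in the extension list. The requests are constructed, and Python's `re` is assumed to match Apache's regex engine for these patterns.

```python
import re

# Referer pattern from the thread's RewriteCond, with [NC] as IGNORECASE:
#   RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$ [NC]
REFERER_OK = re.compile(r"^https://srv1\.imydomain\.com(/.*)?$", re.IGNORECASE)


def rule_pattern(extensions):
    """Build the RewriteRule pattern, e.g. \\.(gif|exe|pdf)$ with [NC]."""
    alternatives = "|".join(re.escape(ext) for ext in extensions)
    return re.compile(r"\.(" + alternatives + r")$", re.IGNORECASE)


def decide(path, referer, extensions=("gif", "exe", "pdf")):
    """Return 'redirect' (to notlinked.html) or 'pass' for one request.

    mod_rewrite tests the RewriteRule pattern first; the RewriteCond lines
    are evaluated only when the path matched the rule.
    """
    if not rule_pattern(extensions).search(path):
        return "pass"        # extension not listed: the rule never applies
    if REFERER_OK.search(referer or ""):
        return "pass"        # negated condition (!) is false, no redirect
    return "redirect"


# Constructed requests: (URL path, Referer header or None when absent).
REQUESTS = [
    ("/files/manual.pdf", "https://srv1.imydomain.com/index.html"),
    ("/files/manual.pdf", None),
    ("/files/MANUAL.PDF", None),
    ("/dir/file.htm", None),
    ("/files/manual.pdf", "https://srv1.imydomain.com.other.example/"),
]


def run(extensions=("gif", "exe", "pdf")):
    return [decide(path, ref, extensions) for path, ref in REQUESTS]


if __name__ == "__main__":
    print("as posted:     ", run())
    print("with htm added:", run(("gif", "exe", "pdf", "htm")))
```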