htaccess to allow only one domain

         

stevep

8:03 am on May 27, 2011 (gmt 0)

10+ Year Member



I am struggling with what I thought would be a simple task.

I have a folder full of pages
www.mydomain.com/secret/

I only want to allow access to any of the pages in that folder if the person is coming from a link on one other website
www.otherdomain.com

So far I have a .htaccess file in the /secret/ folder which says -

AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .*otherdomain\.com.*
</Limit>

But I get Forbidden from everywhere, even a link on otherdomain.com.

I suspect it's the syntax of that Allow line, but I have tried just plain www.otherdomain.com, and a few other variations!

Any help gratefully received

coopster

1:54 pm on May 27, 2011 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Hello stevep and welcome to WebmasterWorld.

I'm not a big fan of <Limit> and in this case you may be better served using <Directory> or <Location>. You can read about the differences in the Apache Documentation. Online version is here: [httpd.apache.org...]

I'm not trying to tell you what to do, just offering some alternatives that you may consider. Also, you have an errant AuthType floating there, unless you pasted partial code here. If you aren't using it, remove that line. Finally, the root of your problem seems to be as you mentioned, that allow syntax. Have a look at the Allow directive in the Apache documentation linked earlier here and you will see how you can specify a domain name properly.

Once again, welcome to WebmasterWorld!

stevep

2:14 pm on May 27, 2011 (gmt 0)

10+ Year Member



Many thanks - I will get reading!

wilderness

2:32 pm on May 27, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Both the escape characters and the wildcard characters are invalid (at least in your example) in the application of "deny from" and "allow".

Apache gives this example:

Order Deny,Allow
Deny from all
Allow from apache.org

Apache explanation to above:
In the following (above) example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
end of quote

As a side-note and depending upon both the number of pages (even types; SQL and such), and the activity (requests) on your site(s), these types of configurations could become CPU intensive-hogs.
Each request must have the domain looked up and then verified against your exception, before moving on to the next request (irregardless of page, image, css, or any other file types).

stevep

2:56 pm on May 27, 2011 (gmt 0)

10+ Year Member



I have stripped the file right down to

Order Deny,Allow
Deny from all
Allow from otherdomain.com

but am still getting the Forbidden message when I link to mydomain from a page on otherdomain.com

(I am about to go away for a week - will pick this up again on my return...)

wilderness

3:24 pm on May 27, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



but am still getting the Forbidden message


Have you refreshed (cleared) your browser cache?

stevep

9:46 am on Jun 9, 2011 (gmt 0)

10+ Year Member



Back from holiday, and the problem is still there...

The .htaccess file is sitting in a folder on mydomain.com.

Order Deny,Allow
Deny from all
Allow from otherdomain.com

On otherdomain.com I have a page which contains a link to mydomain.com/folder/page.html.

Clicking on the link gives a Forbidden error. So does trying to go to the page directly, as it should.

If I take the .htaccess file out, the page appears as normal to everyone, so the Deny bit is working.

Any more ideas?

wilderness

1:18 pm on Jun 9, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



On otherdomain.com I have a page which contains a link to mydomain.com/folder/page.html.

Clicking on the link gives a Forbidden error. So does trying to go to the page directly, as it should.


What you actually have is a referer (depending upon what your browser provides) from otherdomain.com, while your internet provider is the domain that you need to be allowing access for.
Add an additional line for your internet provider domain.
Test again.

I'm not aware of a method of accomplishing what you desire in mod_access.
Take a look at this

RewriteCond %{HTTP_REFERER} [google.com]

MickeyRoush

9:29 pm on Jun 11, 2011 (gmt 0)

10+ Year Member



@stevep


I'm no expert, but this is what I use to achieve something similar. This would go in your 'secrets' folder. Maybe this can help point you in the right direction. Also, someone here may need to clean it up to apply for your usage.

RewriteEngine On
# If not from
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com/ [NC]
# Go to
RewriteRule .* http://example.com/ [L]

lucy24

11:29 pm on Jun 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm not aware of a method of accomplishing what you desire in mod_access.

You can do it in conjunction with mod_setenvif [httpd.apache.org], which you've almost certainly got. Put it immediately before the "Order..." line.

Apache sez:
SetEnvIf attribute regex [!]env-variable[=value]

in this case

SetEnvIf Referer {name of good site here} let_in

(the last bit is a variable name of your choice) and then simply

Allow from env=let_in

I have to use it for a couple of Deny statements using the special case of BrowserMatch, so I know it works, at least on principle ;) Since it uses a regex, you don't have to tear your hair out getting the exact format with slashes and http's and anchors in the right place. It just has to match enough.

stevep

11:05 am on Jun 13, 2011 (gmt 0)

10+ Year Member



Many thanks for that pointer Lucy24, which confirmed a direction I was heading in myself after finding some other examples. I seem to have it all working with the following htaccess file -

SetEnvIf Referer otherdomain.co.uk internal
#
<Files *>
order Deny,Allow
Deny from all
Allow from env=internal
</Files>

Links from pages on otherdomain all work OK, and everybody else gets Forbidden.

Thanks to everyone for their input.

SlimMillipede

12:25 pm on Oct 24, 2011 (gmt 0)

10+ Year Member



I have used this technique in a .htaccess file to make sure that only other programs on this domain can access a particular folder. It works quite nicely.

#
# Make sure that this directory can only be accessed by other programs on this domain
#
SetEnvIfNoCase Referer my-domain.com internal
#
order Deny,allow
Deny from all
allow from env=internal


But I have run into a problem when using Google's Chrome browser: it doesn't always populate the Referer header, which means that my user is denied access.
I am trying to get it to work using the Origin header instead (or as well) but I can't seem to get it working properly. The following doesn't work properly:

#
# Make sure that this directory can only be accessed by other programs on this domain
#
SetEnvIfNoCase Referer my-domain.com internal
SetEnvIfNoCase origin my-domain.com internal
#
order Deny,allow
Deny from all
allow from env=internal


Has anyone else managed to get through this problem? Or can anyone suggest a better way of doing this?

lucy24

4:24 pm on Oct 24, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Once you're getting into multiple variables, you may be better off using mod_rewrite. And, depending on what's in that folder, you may be able to constrain the rule to files ending in \.html (or \.php or whatever you use). This will save a bundle of processor time because it doesn't have to stop and check the conditions every time a page requests an image or style sheet.

SlimMillipede

3:16 pm on Oct 25, 2011 (gmt 0)

10+ Year Member



Performance isn't really an issue, the folder in question is part of the maintenance facilities for the site, not a public folder. It will probably be used a few times per month and is only accessed when uploading a file.

Oddly, just after posting my original message the function started working properly in Chrome. I'm not sure why; perhaps I had mistyped something. The final code is:

#
# Make sure that this directory can only be accessed by other programs on this domain
#
SetEnvIfNoCase Referer my-domain.com internal
SetEnvIfNoCase origin my-domain.com internal
#
order Deny,allow
Deny from all
allow from env=internal
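
An added example, not part of the thread or any poster's code: it compares the unanchored SetEnvIf patterns used in stevep's and SlimMillipede's posts with an anchored alternative, over constructed Referer/Origin values. The `strict` pattern and all sample values are assumptions made for illustration; Python's `re` stands in for Apache's regex engine, which treats these constructs the same way.

```python
import re

def loose(domain):
    # The thread's form: the domain is used directly as an unanchored regex,
    # so "." matches any character and the match may occur anywhere in the value.
    return re.compile(domain, re.IGNORECASE)  # case-insensitive, like SetEnvIfNoCase

def strict(domain):
    # Assumed stricter form: scheme, optional subdomains, escaped host name,
    # optional port, then "/" or end of value (an Origin value has no path).
    return re.compile(
        r"^https?://([a-z0-9-]+\.)*" + re.escape(domain) + r"(:[0-9]+)?(/|$)",
        re.IGNORECASE,
    )

# Constructed header values: (value, domain in the rule, should the variable be set?)
SAMPLES = [
    ("http://www.otherdomain.co.uk/links.html", "otherdomain.co.uk", True),
    ("https://my-domain.com", "my-domain.com", True),            # Origin form
    ("http://otherdomain.co.uk.example.net/page", "otherdomain.co.uk", False),
    ("http://example.net/?from=otherdomain.co.uk", "otherdomain.co.uk", False),
    ("http://notmy-domain.com/", "my-domain.com", False),
    ("http://otherdomainXco.uk/", "otherdomain.co.uk", False),   # "." matched "X"
    ("", "otherdomain.co.uk", False),                            # header absent
]

def sets_env(build, domain, value):
    # Mimics SetEnvIf: the variable is set when the regex matches the header value.
    return build(domain).search(value) is not None

def mismatches(build):
    # Values where the pattern's decision differs from the intended one.
    return [v for v, d, want in SAMPLES if sets_env(build, d, v) != want]

if __name__ == "__main__":
    print("loose pattern, unintended matches:", mismatches(loose))
    print("strict pattern, unintended matches:", mismatches(strict))
```

Referer and Origin are supplied by the client, so either pattern filters ordinary browser traffic; it does not authenticate the visitor, and a folder that needs real protection should also require a login.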