brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Fri 18 Jan '08 14:38 Post subject: Allow access from specific referrer?
I haven't done any testing yet, but is anyone familiar with exactly how to deny all HTTP requests except those from a specific subdomain referrer? I was thinking of trying something similar to this. Any tips would be appreciated.
Code:
SetEnvIf Referer "^https://www.mydomain.com/" thisisthegoodone
<Directory /my/directory>
Order Deny,Allow
Deny from all
Allow from env=thisisthegoodone
</Directory>
Will this be restrictive if a browser doesn't send referral info? Are there some out there that don't?
Thanks
Tony
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Fri 18 Jan '08 15:33
One mistake - you need to escape the dots in the domain name:
Code:
SetEnvIf Referer "^https://www\.mydomain\.com/" thisisthegoodone
<Directory /my/directory>
Order Deny,Allow
Deny from all
Allow from env=thisisthegoodone
</Directory>
Browsers send a Referer header only when the user clicks on a link, but not when the user types (or pastes) a URL into their browser.
Access will only be allowed when the user comes from a link which is not on your web site. If the link is from your own web site, you may not get the leading "https://www.mydomain.com/" portion of the URL in the Referer field, but just a relative URI instead. This case will also get blocked.
In any case, relying on the Referer header is not very secure. A clever hacker who is not using a browser can put anything they want into the Referer header.
-tom-
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Fri 18 Jan '08 15:42
Which leads me to... any suggestions? I don't need silver platter code... just a push in the right direction is usually enough!
Thanks
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Sat 19 Jan '08 19:18
tdonovan wrote:
One mistake - you need to escape the dots in the domain name:
Code:
SetEnvIf Referer "^https://www\.mydomain\.com/" thisisthegoodone
<Directory /my/directory>
Order Deny,Allow
Deny from all
Allow from env=thisisthegoodone
</Directory>
Browsers send a Referer header only when the user clicks on a link, but not when the user types (or pastes) a URL into their browser.
Access will only be allowed when the user comes from a link which is not on your web site. If the link is from your own web site, you may not get the leading "https://www.mydomain.com/" portion of the URL in the Referer field, but just a relative URI instead. This case will also get blocked.
In any case, relying on the Referer header is not very secure. A clever hacker who is not using a browser can put anything they want into the Referer header.
-tom-
(end quote)
I'm going to send from one domain to a subdomain on a different server. Would this be a better method?
Code:
<Directory /var/www/mydirectory/>
Order allow,deny
Allow from 192.168.1.0/24
Allow from 192.168.1.1/24
</Directory>
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Sun 20 Jan '08 0:31
Actually... I realize now that that won't work either, since the client will be coming from various other addresses. I believe allowing a referrer "links from my other webservers" will be good enough. I don't care too much if people can get to the server directly by creativity. I just want to force a normal user to come from a link on my main site and not bookmark links directly.
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Fri 25 Jan '08 23:03
Code:
SetEnvIf Referer "^https://www\.mydomain\.com/" thisisthegoodone
<Directory /my/directory>
Order Deny,Allow
Deny from all
Allow from env=thisisthegoodone
</Directory>
The referrer value is not being set when I click on a redirect HTML page on the mydomain server to the new server. Is there a way to redirect to force a referrer to be set?
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Mon 28 Jan '08 23:31
What about setting a cookie and then using mod_rewrite to check for the cookie and rewrite to an error page if it isn't present?
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Thu 31 Jan '08 16:08
FYI... this may not be totally reliable, but this is what I have in place on my test system.
Code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$ [NC]
RewriteRule \.(gif|exe|pdf)$ https://srv1\.imydomain\.com/notlinked\.html [NC,R,L]
This is put in my vhost section on a server in a different subdomain. Seems to work well for what little testing I've done so far.
epohcj
Joined: 06 Feb 2008 Posts: 5
Posted: Wed 06 Feb '08 20:26
brewdude wrote:
FYI... this may not be totally reliable, but this is what I have in place on my test system.
Code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$ [NC]
RewriteRule \.(gif|exe|pdf)$ https://srv1\.imydomain\.com/notlinked\.html [NC,R,L]
This is put in my vhost section on a server in a different subdomain. Seems to work well for what little testing I've done so far.
(end quote)
What if I want the referral link to be http://domain.com/dir/file.htm?
How would I rewrite RewriteCond %{HTTP_REFERER} !^https://srv1\.imydomain\.com(/.*)?$
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Wed 06 Feb '08 20:34
Just a guess, but I think it would be
Code:
RewriteCond %{HTTP_REFERER} !^http://domain\.com/dir/file.htm?$
epohcj
Joined: 06 Feb 2008 Posts: 5
Posted: Wed 06 Feb '08 20:43
It didn't work, though I've also tried escaping the . in .html like this: \.html, but it didn't work. Any other suggestion or guess?
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Wed 06 Feb '08 20:53
Ah... forgot the last ".". How about
Code:
RewriteCond %{HTTP_REFERER} !^http://domain\.com/dir/file(.*)?$ [NC]
epohcj
Joined: 06 Feb 2008 Posts: 5
Posted: Thu 07 Feb '08 1:04
This one is not working either.
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Thu 07 Feb '08 1:23
I would add this after your rewrite statements and see if there is anything in the log that's apparent.
Code:
RewriteLog logs/rewrite.log
RewriteLogLevel 9
epohcj
Joined: 06 Feb 2008 Posts: 5
Posted: Thu 07 Feb '08 5:26
OK, I will do that.
epohcj
Joined: 06 Feb 2008 Posts: 5
Posted: Thu 07 Feb '08 7:48
It gives me the following error: "RewriteLog not allowed here"
brewdude
Joined: 18 Jan 2008 Posts: 12
Posted: Wed 13 Feb '08 17:26
If you use my example for an ".htm" file you need to add it to the file extensions listed in the rewrite rule. The rule will pass any file extensions not implicitly defined.
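As an added example (not code from the thread, and not Apache's own logic), the Python below models how Apache evaluates the two Referer checks posted above, using the thread's own patterns, so the cases raised here (unescaped dots, a missing or relative Referer, and extensions not listed in the RewriteRule) can be checked offline. The Referer values and paths are constructed.

```python
import re

# Added example, not from the thread: a small model of how Apache evaluates
# the Referer-based rules discussed above, so the edge cases can be checked
# without a running server. Patterns are the ones posted; samples are constructed.

UNESCAPED = r"^https://www.mydomain.com/"    # brewdude's first attempt
ESCAPED = r"^https://www\.mydomain\.com/"    # tdonovan's correction


def setenvif_allows(referer, pattern=ESCAPED):
    """'Deny from all' + 'Allow from env=x', where SetEnvIf Referer sets x.

    A request with no Referer header never sets the variable, so it is denied.
    Nothing here can tell a browser-sent Referer from one supplied by any other
    client, which is why the check is a convenience, not a security boundary.
    """
    if referer is None:
        return False
    return re.search(pattern, referer) is not None


# brewdude's mod_rewrite variant: only the listed extensions are gated, and the
# negated (!) RewriteCond fires on a missing or non-matching Referer.
GATED_EXT = re.compile(r"\.(gif|exe|pdf)$", re.IGNORECASE)
GOOD_REFERER = re.compile(r"^https://srv1\.imydomain\.com(/.*)?$", re.IGNORECASE)


def rewrite_redirects(path, referer):
    """True when the RewriteRule fires and the request goes to notlinked.html."""
    if not GATED_EXT.search(path):
        return False  # extension not listed: the rule never looks at the Referer
    # mod_rewrite expands an absent %{HTTP_REFERER} to the empty string.
    return GOOD_REFERER.match(referer or "") is None


def main():
    for ref in ["https://www.mydomain.com/page.html",
                "https://wwwXmydomainYcom/page.html",  # '.' matches any char if unescaped
                None,                                  # typed or bookmarked URL
                "/page.html"]:                         # scheme and host missing
        print(f"{ref!r:45} unescaped={setenvif_allows(ref, UNESCAPED)!s:5} "
              f"escaped={setenvif_allows(ref)}")
    for path, ref in [("/files/report.pdf", None),
                      ("/files/report.pdf", "https://srv1.imydomain.com/links.html"),
                      ("/page.htm", None)]:            # .htm is not in the gated list
        print(f"{path:20} {ref!r:45} redirected={rewrite_redirects(path, ref)}")


if __name__ == "__main__":
    main()
```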