Solved

protected my folder by referer w/ .htaccess but script can't access it

Posted on 2004-08-26
Last Modified: 2010-05-18
I protected one of my folders by referers with .htaccess

here's my .htaccess file:
SetEnvIfNoCase referer "logitech.com" allowit

<Files *>
order deny,allow
deny from all
allow from env=allowit
</Files>

the problem is.. one of the scripts I use which resides on the server can't go into this directory to do its work..
this script is web2printer at http://www.printer-friendly.com/ - the script makes it ultra easy to make printable pages.. is there a way to protect my folder by referers and still let this script do its work?  Thanks!

PS. i've even tried putting the web2printer script within my protected folder to see if it works.. it still wouldn't work..
obviously the script can be accessed.. but the script can't access files w/in this protected folder..

Question by:andreni78

26 Comments

Expert Comment

by:yuzh
modify the .htaccess file to make it look like:

<Limit GET>
     order deny,allow
     deny from all
     allow from logitech.com
</Limit>

Author Comment

by:andreni78
hmmm now i can't even access my folder with a refered link from the same domain...

Expert Comment

by:yuzh
Is "logitech.com" your domain name? If not, you need to do something like:

<Limit GET>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>



Expert Comment

by:yuzh
I think it is better to add POST:

<Limit GET POST>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>

also see
   http:Q_21098632.html

Author Comment

by:andreni78
hm i get 403 error when i tried accessing my folder with that .htaccess from a referred link from my site...

Expert Comment

by:yuzh
Is your PC's IP in the IP range of yourdomain? Also, if you need to run a script inside the
dir, you need to add:
Options ExecCGI


If you are not sure what IP range you are using, do:

AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType "Basic"
Options ExecCGI  
<Limit GET POST>
    require valid-user
</Limit>





Author Comment

by:andreni78
hmm i don't have my folder password protected..
but i added the "Options ExecCGI" in .htaccess and it still wouldn't work...

with all the above solutions i can't even access index.html in my protected folder to begin with.. this is a lot more difficult than i thought...

Author Comment

by:andreni78
looks like.. there's no solution to this problem?

Expert Comment

by:yuzh
Hi andreni78
   Sorry about the late reply, it was our weekend.

   A couple of questions for you: can you access the dir when there is NO .htaccess file?
Is the dir located outside your document root (not under your document root tree)?
Is your PC's IP in the IP range of yourdomain?

   Which version of Operating system are you running?

Author Comment

by:andreni78
the dir is just like any web dir.. I or anyone can access it w/o .htaccess file
but i needed to protect the dir by referer.. hence my htaccess file contains

SetEnvIfNoCase referer "mysite.com" allowit

<Files *>
order deny,allow
deny from all
allow from env=allowit
</Files>

I can still access the dir fine except for the www.printer-friendly.com script i use.. ONLY the script can't access the file.. i tried placing the script within the protected dir but it still wouldn't work

points increased.. more difficult problem than i thought..

probably the best idea is to try the script out and see for yourself...

Author Comment

by:andreni78
my PC isn't in the IP range of my domain.. and i'm running linux on apache 1.3

Expert Comment

by:yuzh
Modify your httpd.conf to allow CGI script execution for the dir, eg:

<Directory /path-to/yourdir>
    Options +ExecCGI
</Directory>

You also need to tell the server what files are CGI files, eg:
AddHandler cgi-script .cgi .pl

eg:

<Directory /path-to/yourdir>
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>






Author Comment

by:andreni78
hmm but the script is in php?

Author Comment

by:andreni78
i don't have access to httpd.conf with my host unfortunately...

Expert Comment

by:yuzh
If your server has PHP installed correctly, you should be able to run the php script.

put the php script under yourdir.

and write down the IP of your PC, eg 10.5.6.123

make your .htaccess file look like:

<Limit GET POST>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>

and then

try to run the php script from your web browser
http://www.yourdomain.com/path-to/yourphpscript.php

see if it works.

It is easy to be able to access your httpd.conf file

Author Comment

by:andreni78
i don't want to protect the dir from specific IPs.. i only want to protect the dir by referrals only.. (content in my protected dir isn't that top secret/sensitive)

the above solution still doesn't work.. the script doesn't need to be installed. .it's a single file script that makes the page printer-friendly..

Expert Comment

by:yuzh
"the script doesn't need to be installed?"

Are you trying to run the php script from www.printer-friendly.com to your web dir?
It is a security risk to allow a remote script to run on your web server, and 99.9999%
of the system adm would not allow it to happen!

Author Comment

by:andreni78
nope.. i have their script on my server and in the same protected folder.. it's a simple php file.. i just need to parse my page so it's printer-friendly.. and this script can't access my referer-protected page..

1. the script is in the same folder as the referer-protected-page
2. it can't access the referer-protected page even though it's in the same folder

so that's my problem

Expert Comment

by:yuzh
If you don't want to let people view the dir, but let them run the php script, then
don't use the .htaccess file.

You can create a index.html or index.php file and put it in the dir (use as a front page
of the dir) and then run your php script from the index.html or index.php file.

Author Comment

by:andreni78
i definitely want people who i've given rights to .. to view the dir.. this dir is only referred by a log-in protected page.. so my client logs in.. i have a link for their report.. so when they click on the report dir.. they can see the report.. i have an option where they can view the printer-friendly page of the report using the printer-friendly.com script.. the script can't access the file.. i guess there's no solution to this prob..

Expert Comment

by:yuzh
"i definitely want people who i've given rights to .. to view the dir.. "

If it is controlled by a login, then, you don't need:
"
    order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
"
after the user login, they can view and print the report, but you said you do not want to
use password login!


Author Comment

by:andreni78
because my login is already password protected.. i don't need to use it again with htaccess

Accepted Solution

by:yuzh earned 500 total points
>>because my login is already password protected..

so you don't need to have the .htaccess file.

Author Comment

by:andreni78
i don't want to dig into any other technicalities because it's not relevant - and i don't want to explain why it's not... all i want is

- printer-friendly.com script to work on a folder that's referer only protected.

the dir must be referer-protected and the script has to work within this dir..

nothing else matters.. dont worry about it

Author Comment

by:andreni78
FOR FUTURE READERS: ISSUE NOT RESOLVED

Expert Comment

by:samri
hi andreni78,

After reading the thread (and reread it), I got kinda lost.

So you are saying that the .htaccess code that you use is not working.  Looking at the recommendation from yuzh, it should have been working.

However, looking at your original .htaccess, and comparing it to those on the Apache website, you may want to add a backslash (\), before the dot ".", in your domain name.



http://httpd.apache.org/docs/misc/FAQ.html#image-theft

SetEnvIf REFERER "www\.mydomain\.com" linked_from_here
SetEnvIf REFERER "^$" linked_from_here

<Directory /www/images>
    Order deny,allow
    Deny from all
    Allow from env=linked_from_here
</Directory>

Some more information on how config sections are evaluated :
http://httpd.apache.org/docs-2.0/mod/core.html#files
http://httpd.apache.org/docs-2.0/mod/core.html#filesmatch
http://httpd.apache.org/docs-2.0/sections.html
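
Added example (not part of the thread and not any poster's code): a small Python model of how the rules quoted above decide on a request's Referer header, comparing the question's unescaped pattern, the escaped form suggested in the last comment, and the FAQ's `^$` line. It assumes the printer-friendly script requests the page over HTTP without sending a Referer, which the thread does not confirm; the sample requests and all names in the code are constructed.

```python
import re

# Constructed sample requests: label -> Referer header (None = header absent).
REQUESTS = {
    "link clicked on the site": "http://www.mysite.com/clients/login.php",
    "mixed-case referer": "HTTP://WWW.MYSITE.COM/clients/",
    "server-side fetch, no Referer": None,  # assumed behaviour of the script
    "look-alike host": "http://www.mysiteXcom.example/page.html",
}

# Each rule set models SetEnvIf lines as (regex, case_insensitive) pairs.
# These simple patterns behave the same in Python's re as in Apache's regex.
RULESETS = {
    # SetEnvIfNoCase referer "mysite.com" allowit   (from the question)
    "question": [("mysite.com", True)],
    # Same rule with the dot escaped, as the last comment suggests
    "escaped": [(r"mysite\.com", True)],
    # Escaped rule plus the FAQ's  SetEnvIf REFERER "^$"  line
    "escaped+empty": [(r"mysite\.com", True), (r"^$", False)],
}


def env_is_set(rules, referer):
    """mod_setenvif matches a missing request header as the empty string."""
    value = referer if referer is not None else ""
    for pattern, nocase in rules:
        if re.search(pattern, value, re.IGNORECASE if nocase else 0):
            return True
    return False


def status(rules, referer):
    """order deny,allow + deny from all + allow from env=VAR."""
    return 200 if env_is_set(rules, referer) else 403


def evaluate():
    """Return {ruleset: {request label: HTTP status}} for every combination."""
    return {name: {label: status(rules, ref) for label, ref in REQUESTS.items()}
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for label, code in results.items():
            print(f"  {code}  {label}")
```

Adding the `^$` line admits every request that omits the Referer header, not only the script's own fetch.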