andreni78

protected my folder by referer w/ .htaccess but script can't access it

I protected one of my folders by referers with .htaccess

here's my .htaccess file:
SetEnvIfNoCase referer "logitech.com" allowit

<Files *>
order deny,allow
deny from all
allow from env=allowit
</Files>

the problem is.. one of the scripts I use which resides on the server can't go into this directory to do its work..
this script is web2printer at http://www.printer-friendly.com/ - the script makes it ultra easy to make printable pages.. is there a way to protect my folder by referers and still let this script do its work?  Thanks!

PS. i've even tried putting the web2printer script within my protected folder to see if it works.. it still wouldn't work..
obviously the script can be accessed.. but the script can't access files w/in this protected folder..
yuzh

modify the .htaccess file to make it look like:

<Limit GET>
     order deny,allow
     deny from all
     allow from logitech.com
</Limit>
andreni78

ASKER

hmmm now i can't even access my folder with a referred link from the same domain...
Is "logitech.com" your domain name? If not, you need to do something like:

<Limit GET>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>


I think it is better to add POST:

<Limit GET POST>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>

also see
   http:Q_21098632.html
hm i get 403 error when i tried accessing my folder with that .htaccess from a referred link from my site...
Is your PC's IP in the IP range of yourdomain? also if you need to run script inside the
dir, you need to add:
Options ExecCGI


If you are not sure what IP range you are using, do:

AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType "Basic"
Options ExecCGI  
<Limit GET POST>
    require valid-user
</Limit>




hmm i don't have my folder password protected..
but i added the "Options ExecCGI" in .htaccess and it still wouldn't work...

with all the above solutions i can't even access index.html in my protected folder to begin with.. this is a lot more difficult than i thought...
looks like.. there's no solution to this problem?
Hi andreni78
   Sorry about the late reply, it was our weekend.

   A couple of questions for you: can you access the dir when there is NO .htaccess file?
Is the dir located outside your document root (not under your document root tree)?
Is your PC's IP in the IP range of yourdomain?

   Which version of Operating system are you running?
the dir is just like any web dir.. I or anyone can access it w/o .htaccess file
but i needed to protect the dir by referer.. hence my htaccess file contains

SetEnvIfNoCase referer "mysite.com" allowit

<Files *>
order deny,allow
deny from all
allow from env=allowit
</Files>

I can still access the dir fine except for the www.printer-friendly.com script i use.. ONLY the script can't access the file.. i tried placing the script within the protected dir but it still wouldn't work

points increased.. more difficult problem than i thought..

probably the best idea is to try the script out and see for yourself...
my PC isn't in the IP range of my domain.. and i'm running linux on apache 1.3
Modify your httpd.conf to allow CGI script execution for the dir, eg:

<Directory /path-to/yourdir>
    Options +ExecCGI
</Directory>

You also need to tell the server what files are CGI files, eg:
AddHandler cgi-script .cgi .pl

eg:

<Directory /path-to/yourdir>
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>





hmm but the script is in php?
i don't have access to httpd.conf with my host unfortunately...
If your server has php installed correctly, you should be able to run the php script.

put the php script under yourdir.

and write down the IP of your PC, eg 10.5.6.123

make your .htaccess file look like:

<Limit GET POST>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>

and then

try to run the php script from your web browser
http://www.yourdomain.com/path-to/yourphpscript.php

see if it works.

It is easy to be able to access your httpd.conf file
i don't want to protect the dir from specific IPs.. i only want to protect the dir by referrals only.. (content in my protected dir isn't that top secret/sensitive)

the above solution still doesn't work.. the script doesn't need to be installed. .it's a single file script that makes the page printer-friendly..
"the script doesn't need to be installed?"

Are you trying to run the php script from www.printer-friendly.com to your web dir?
It is a security risk to allow remote script to run on your web server, and 99.9999%
of the system adm would not allow it to happen!
nope.. i have their script on my server and in the same protected folder.. it's a simple php file.. i just need to parse my page so it's printer-friendly.. and this script can't access my referer-protected page..

1. the script is in the same folder as the referer-protected-page
2. it can't access the referer-protected page even though it's in the same folder

so that's my problem
If you don't want to let people view the dir, but let them run the php script, then
don't use the .htaccess file.

You can create an index.html or index.php file and put it in the dir (use as a front page
of the dir) and then run your php script from the index.html or index.php file.
i definitely want people who i've given rights to .. to view the dir.. this dir is only referred by a log-in protected page.. so my client logs in.. i have a link for their report.. so when they click on the report dir.. they can see the report.. i have an option where they can view the printer-friendly page of the report using the printer-friendly.com script.. the script can't access the file.. i guess there's no solution to this prob..
"i definitely want people who i've given rights to .. to view the dir.. "

If it is controlled by a login, then, you don't need:
"
    order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
"
after the user login, they can view and print the report, but you said you do not want to
use password login!

because my login is already password protected.. i don't need to use it again with htaccess
ASKER CERTIFIED SOLUTION
yuzh

i don't want to dig into any other technicalities because it's not relevant - and i don't want to explain why it's not... all i want is

- printer-friendly.com script to work on a folder that's referer only protected.

the dir must be referer-protected and the script has to work within this dir..

nothing else matters.. dont worry about it
FOR FUTURE READERS: ISSUE NOT RESOLVED
hi andreni78,

After reading the thread (and reread it), I got kinda lost.

So you are saying that the .htaccess code that you use is not working.  Looking at the recommendation from yuzh, it should have been working.

However, looking at your original .htaccess, and comparing it to those on the Apache website, you may want to add a backslash (\) before the dot "." in your domain name.



http://httpd.apache.org/docs/misc/FAQ.html#image-theft

SetEnvIf REFERER "www\.mydomain\.com" linked_from_here
SetEnvIf REFERER "^$" linked_from_here

<Directory /www/images>
    Order deny,allow
    Deny from all
    Allow from env=linked_from_here
</Directory>

Some more information on how config sections are evaluated :
http://httpd.apache.org/docs-2.0/mod/core.html#files
http://httpd.apache.org/docs-2.0/mod/core.html#filesmatch
http://httpd.apache.org/docs-2.0/sections.html
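
Added example, not part of the original thread and not Apache's own code: a small Python model of how the `SetEnvIf` / `Allow from env=` rules quoted above decide a request, comparing the asker's rule with the Apache FAQ rules. It assumes the PHP script fetches the protected page over HTTP without sending a Referer header, and it adapts the FAQ pattern to the asker's placeholder domain `mysite.com`; all sample requests are constructed.

```python
import re

def setenvif(pattern, referer, nocase=False):
    """Mimic SetEnvIf / SetEnvIfNoCase on the Referer header.

    The pattern is an unanchored regex; a missing header is matched as "".
    """
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, referer or "", flags) is not None

def allowed(rules, referer):
    """Order deny,allow / Deny from all / Allow from env=VAR:
    the request is served only if at least one rule set the variable."""
    return any(setenvif(pat, referer, nocase) for pat, nocase in rules)

# Asker's rule: SetEnvIfNoCase referer "mysite.com" allowit
ASKER_RULES = [("mysite.com", True)]
# Apache FAQ rules, adapted here to the asker's placeholder domain (assumption)
FAQ_STYLE_RULES = [(r"www\.mysite\.com", False), (r"^$", False)]

# Constructed sample requests; None means no Referer header was sent.
SAMPLES = {
    "link clicked on own site": "http://www.mysite.com/clients/index.php",
    "server-side fetch, no Referer": None,
    "look-alike host (dot not escaped)": "http://www.mysiteXcom.example/",
}

def evaluate():
    """Return {label: (asker_rule_result, faq_style_result)}."""
    return {label: (allowed(ASKER_RULES, ref), allowed(FAQ_STYLE_RULES, ref))
            for label, ref in SAMPLES.items()}

if __name__ == "__main__":
    for label, (asker, faq) in evaluate().items():
        print(f"{label:36} asker={'200' if asker else '403'}  "
              f"faq-style={'200' if faq else '403'}")
```

The `^$` rule is what lets a request with no Referer through, which also means anyone who opens the URL directly is served; the Referer header is supplied by the client, so this check limits casual hotlinking rather than access.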