Solved

protected my folder by referer w/ .htaccess but script can't access it

Posted on 2004-08-26
Last Modified: 2010-05-18
I protected one of my folders by referers with .htaccess

here's my .htaccess file:
SetEnvIfNoCase referer "logitech.com" allowit

<Files *>
order deny,allow
deny from all
allow from env=allowit
</Files>

the problem is.. one of the scripts I use which resides on the server can't go into this directory to do its work..
this script is web2printer at http://www.printer-friendly.com/ - the script makes it ultra easy to make printable pages.. is there a way to protect my folder by referers and still let this script do its work?  Thanks!

PS. i've even tried putting the web2printer script within my protected folder to see if it works.. it still wouldn't work..
obviously the script can be accessed.. but the script can't access files w/in this protected folder..
Question by:andreni78
26 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 11909713
Modify the .htaccess file to make it look like:

<Limit GET>
     order deny,allow
     deny from all
     allow from logitech.com
</Limit>
0
 

Author Comment

by:andreni78
ID: 11910042
hmmm now i can't even access my folder with a refered link from the same domain...
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11910100
Is "logitech.com" your domain name? If not, you need to do something like:

<Limit GET>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>


0
LVL 38

Expert Comment

by:yuzh
ID: 11910120
I think it is better to add POST:

<Limit GET POST>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>

also see
   http:Q_21098632.html
0
 

Author Comment

by:andreni78
ID: 11910785
hm i get 403 error when i tried accessing my folder with that .htaccess from a referred link from my site...
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11910943
Is your PC's IP in the IP range of yourdomain? also if you need to run script inside the
dir, you need to add:
Options ExecCGI


If you are not sure what IP range you are using, do:

AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType "Basic"
Options ExecCGI  
<Limit GET POST>
    require valid-user
</Limit>




0
 

Author Comment

by:andreni78
ID: 11917641
hmm i don't have my folder password protected..
but i added the "Options ExecCGI" in .htaccess and it still wouldn't work...

with all the above solutions i can't even access index.html in my protected folder to begin with.. this is a lot more difficult than i thought...
0
 

Author Comment

by:andreni78
ID: 11924796
looks like.. there's no solution to this problem?
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11928099
Hi andreni78
   Sorry about the late reply, it was our weekend.

   A couple of questions for you: can you access the dir when there is NO .htaccess file?
Is the dir located outside your document root (not under your document root tree)?
Is your PC's IP in the IP range of yourdomain?

   Which version of Operating system are you running?
0
 

Author Comment

by:andreni78
ID: 11928945
the dir is just like any web dir.. I or anyone can access it w/o .htaccess file
but i needed to protect the dir by referer.. hence my htaccess file contains

SetEnvIfNoCase referer "mysite.com" allowit

<Files *>
order deny,allow
deny from all
allow from env=allowit
</Files>

I can still access the dir fine except for the www.printer-friendly.com script i use.. ONLY the script can't access the file.. i tried placing the script within the protected dir but it still wouldn't work

points increased.. more difficult problem than i thought..

probably the best idea is to try the script out and see for yourself...
0
 

Author Comment

by:andreni78
ID: 11928947
my PC isn't in the IP range of my domain.. and i'm running linux on apache 1.3
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11929041
Modify your httpd.conf to allow CGI script execution for the dir, eg:

<Directory /path-to/yourdir>
    Options +ExecCGI
</Directory>

You also need to tell the server what files are CGI files, eg:
AddHandler cgi-script .cgi .pl

eg:

<Directory /path-to/yourdir>
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>





0
 

Author Comment

by:andreni78
ID: 11929209
hmm but the script is in php?
0
 

Author Comment

by:andreni78
ID: 11929212
i don't have access to httpd.conf with my host unfortunately...
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11929457
If your server has php installed correctly, you should be able to run the php script.

put the php script under yourdir.

and write down the IP of your PC, eg 10.5.6.123

make your .htaccess file look like:

<Limit GET POST>
     order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
 </Limit>

and then

try to run the php script from your web browser
http://www.yourdomain.com/path-to/yourphpscript.php

see if it works.

It is easy to be able to access your httpd.conf file
0
 

Author Comment

by:andreni78
ID: 11929622
i don't want to protect the dir from specific IPs.. i only want to protect the dir by referrals only.. (content in my protected dir isn't that top secret/sensitive)

the above solution still doesn't work.. the script doesn't need to be installed. .it's a single file script that makes the page printer-friendly..
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11937960
"the script doesn't need to be installed?"

Are you trying to run the php script from www.printer-friendly.com to your web dir?
It is a security risk to allow remote script to run on your web server, and 99.9999%
of the system adm would not allow it to happen!
0
 

Author Comment

by:andreni78
ID: 11938588
nope.. i have their script on my server and in the same protected folder.. it's a simple php file.. i just need to parse my page so it's printer-friendly.. and this script can't access my referer-protected page..

1. the script is in the same folder as the referer-protected-page
2. it can't access the referer-protected page even though it's in the same folder

so that's my problem
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11938980
If you don't want to let people view the dir, but let them run the php script, then
don't use the .htaccess file.

You can create an index.html or index.php file and put it in the dir (use as a front page
of the dir) and then run your php script from the index.html or index.php file.
0
 

Author Comment

by:andreni78
ID: 11939165
i definitely want people who i've given rights to .. to view the dir.. this dir is only referred by a log-in protected page.. so my client logs in.. i have a link for their report.. so when they click on the report dir.. they can see the report.. i have an option where they can view the printer-friendly page of the report using the printer-friendly.com script.. the script can't access the file.. i guess there's no solution to this prob..
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11939847
"i definitely want people who i've given rights to .. to view the dir.. "

If it is controlled by a login, then, you don't need:
"
    order deny,allow
     deny from all
     allow from yourdomain
     allow from 10.5.
     allow from logitech.com
"
after the user login, they can view and print the report, but you said you do not want to
use password login!

0
 

Author Comment

by:andreni78
ID: 11947656
because my login is already password protected.. i don't need to use it again with htaccess
0
 
LVL 38

Accepted Solution

by:
yuzh earned 500 total points
ID: 11948323
>>because my login is already password protected..

so you don't need to have the .htaccess file.
0
 

Author Comment

by:andreni78
ID: 11948562
i don't want to dig into any other technicalities because it's not relevant - and i don't want to explain why it's not... all i want is

- printer-friendly.com script to work on a folder that's referer only protected.

the dir must be referer-protected and the script has to work within this dir..

nothing else matters.. dont worry about it
0
 

Author Comment

by:andreni78
ID: 11976522
FOR FUTURE READERS: ISSUE NOT RESOLVED
0
 
LVL 15

Expert Comment

by:samri
ID: 11988214
hi andreni78,

After reading the thread (and reread it), I got kinda lost.

So you are saying that the .htaccess code that you use is not working.  Looking at the recommendation from yuzh, it should have been working.

However, looking at your original .htaccess, and comparing it to those on Apache website, you may want to add back-slash (\), before the dot ".", in your domain name.



http://httpd.apache.org/docs/misc/FAQ.html#image-theft

SetEnvIf REFERER "www\.mydomain\.com" linked_from_here
SetEnvIf REFERER "^$" linked_from_here

<Directory /www/images>
    Order deny,allow
    Deny from all
    Allow from env=linked_from_here
</Directory>

Some more information on how config sections are evaluated :
http://httpd.apache.org/docs-2.0/mod/core.html#files
http://httpd.apache.org/docs-2.0/mod/core.html#filesmatch
http://httpd.apache.org/docs-2.0/sections.html
0
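
Added example (not part of the thread, and not web2printer's or Apache's own code): a small Python model of how the referer rules quoted above evaluate for three kinds of request, comparing the pattern from the question with the escaped-dot and `^$` variants from the last reply. It assumes the script fetches the page with its own HTTP request that carries no Referer header, which the thread does not confirm; it treats all patterns as case-insensitive for simplicity, and the sample requests are constructed.

```python
import re

def referer_matches(pattern, headers, nocase=True):
    """Model SetEnvIf/SetEnvIfNoCase on Referer: an unanchored regex search.
    A request with no Referer header is tested as the empty string."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, headers.get("Referer", ""), flags) is not None

def status(patterns, headers):
    """Order deny,allow + Deny from all + Allow from env=VAR:
    200 only if at least one SetEnvIf pattern set the variable, else 403."""
    return 200 if any(referer_matches(p, headers) for p in patterns) else 403

# Rule sets. ORIGINAL is the pattern from the question; the other two apply
# the changes suggested in the last reply (escaped dot, extra "^$" rule).
ORIGINAL = ["logitech.com"]
ESCAPED = [r"logitech\.com"]
ESCAPED_PLUS_EMPTY = [r"logitech\.com", r"^$"]

# Constructed sample requests (header dicts), not taken from real logs.
REQUESTS = {
    "browser link from site": {"Referer": "http://www.logitech.com/reports.php"},
    "script fetch, no Referer": {},
    "look-alike host": {"Referer": "http://logitechxcom.example/"},
}

def evaluate():
    """Return {request name: (ORIGINAL, ESCAPED, ESCAPED_PLUS_EMPTY) statuses}."""
    return {
        name: tuple(status(rules, hdrs)
                    for rules in (ORIGINAL, ESCAPED, ESCAPED_PLUS_EMPTY))
        for name, hdrs in REQUESTS.items()
    }

if __name__ == "__main__":
    for name, codes in evaluate().items():
        print(f"{name:26} original={codes[0]} escaped={codes[1]} "
              f"escaped+empty={codes[2]}")
```

The last column shows the trade-off of the `^$` rule: it lets the header-less script request through, and equally any other request that carries no Referer.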

Question has a verified solution.
