Apache Rule to verify referrer website

Hello, we want see if we can apply a rule in our apache which would detect which website the user is coming from to determine what type of access they have to the landing site. Based on if they come from a site we approve they would see secure items through a private key that we would like to use. If they are not coming from a site that we accept it would not use the private key.
DancingFighterGAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ray PaseurCommented:
Not sure about the Apache part, but in PHP you can check $_SERVER['HTTP_REFERER'] and you will mostly be OK.  This information is set by the client browser, so you need to be aware that it's quite hackable if the attacker uses cURL.

A more reasonable approach might be PHP client authentication.  This article explains it.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dave BaldwinFixer of ProblemsCommented:
I don't think having Apache check the referrer is a good idea because it would be checking everything including javascript, images, CSS, and anything else you may be serving up.  I suspect that even if you can do it, it would slow down your server a lot.  In addition, the Apache directions recommend strongly against doing lookups for exactly that reason.  It is very time and resource consuming.
0
arober11Commented:
Per the posts above it would be far cleaner to check the referer in the code, and set a cookie of two and ad some conditional logic to your landing page, but you could hack something together, with two copies of the page and a few rewrite rules e.g.

RewriteEngine On

# Redirect requests for the index.html to  /restrictedPage.html, if the request was referred from any one of a list of sites sites:
RewriteCond %{HTTP_REFERER}   ^http://(www\.)?(site1|site2|site2)\.com   [NC]
RewriteRule  index.html    /restrictedPage.html           [L]

# Only permit access to /restrictedPage.html if referred internally from the site, or from the list
RewriteCond %{HTTP_REFERER}   !^http://(www\.)?yoursite\.com   [NC]
RewriteCond %{HTTP_REFERER}   !^http://(www\.)?(site1|site2|site2)\.com   [NC]
RewriteRule restrictedPage.html  -          [F,L]

Open in new window

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.