Is there a way to restrict access to a folder (using .htaccess or another method) such that all requests are blocked except those coming from a specific path on another domain?
I've tried something like this, but it's not working.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !hosting_domain\.net [NC]
RewriteCond %{HTTP_REFERER} !referring_domain\.com/path/to/referrer [NC]
RewriteRule .? - [F]
Basically, I want to end up with a scenario where a user goes to a certain page, and then can only access restricted files from that page.
More details...
The .htaccess file is one level higher than the folder that the "protected" files are in.
There are no other .htaccess files.
Direct access is currently being allowed by browsing to the file directly.
The only other non-commented out code in the file is the following.
AddHandler application/x-httpd-php70 .php
<IfModule mod_suphp.c>
suPHP_ConfigPath /opt/php70/lib
</IfModule>
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !hosting_domain\.net [NC]
RewriteCond %{HTTP_REFERER} !referring_domain\.com/path/to/referrer [NC]
RewriteRule .? - [F]
I only want the files available via the referring link I specify. No browsing to them
If you don't want to allow "direct access" then you need to remove the first RewriteCond directive that checks that the Referer is not empty. On direct requests the Referer is empty.
And if you only want the resource being accessed by the referring domain then you should remove the 2nd condition also.
You can also be more specific with the referring domain and include the full absolute URL. In other words:
RewriteCond %{HTTP_REFERER} !^https://referring_domain\.com/path/to/referrer$
RewriteRule .? - [F]
I've also removed the NC flag - the Referer should be the "exact" URL - correct case. (If it is set at all.)
Related
This is driving me crazy. Basically, I want to redirect the following:
http://subdomain.mysite.com/ (with or without trailing slash)
to (exactly)
http://subdomain.mysite.com/subdomain/
This currently gives me an endless loop
RewriteCond %{HTTP_HOST} ^subdomain\.mysite\.com$ [NC]
RewriteRule ^(.*)$ subdomain/$1 [R=301]
But whatever rule I try, it always ends up in a loop because the target still matches the redirect criteria. Some help would be appreciated.
You need to add a condition to break the endless loop.
Note that this loop will only arise if you really want to keep the host name unaltered, so rewrite inside the same host, but still do an external redirect as you suggest. This is somewhat surprising, but certainly possible:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^subdomain\.example\.com$ [NC]
RewriteCond %{REQUEST_URI} ^/subdomain/ [NC]
RewriteRule ^(.*)$ subdomain/$1 [L,R=301,QSA]
This implements an external redirection, the additional condition is required to prevent the redirection loop:
https://subdomain.example.com/foo > https://subdomain.example.com/subdomain/foo
The same loop does not arise if you rewrite to another host name:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^subdomain\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/subdomain/$1 [L,R=301,QSA]
This implements an external redirection, no additional condition is required, since the existing one already prevents the redirection loop:
https://subdomain.example.com/foo > https://www.example.com/subdomain/foo
A more often seen approach is to only rewrite internally, so without actually changing the URL visible in the browser:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^subdomain\.example\.com$ [NC]
RewriteCond %{REQUEST_URI} ^/subdomain/ [NC]
RewriteRule ^(.*)$ subdomain/$1 [L,QSA]
This implements an internal redirection, so the visible URL in the client stays unchanged:
https://subdomain.example.com/foo > /subdomain/foo
Doesn't seem to work at all. I know its a bit strange but its for legacy reasons. The whole server mysite.com is old and just for archive purpose - and requires authorization to access. Except the /subdomain folder which still needs to be accessible.
mysite.com and subdomain.mysite.com point to the same home directory (historical reasons..)
With this setup http://subdomain.mysite.com/subdomain/ works perfectly fine ... but someone here really wants http://subdomain.mysite.com/ to work as well
This is my current htaccess
<FilesMatch "index.php">
AuthName "Protected Area"
AuthType Basic
AuthUserFile /home/www/.htpasswd
require valid-user
</FilesMatch>
#PIE.htc
AddType text/x-component .htc
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HOST} ^subdomain\.mysite\.com$ [NC]
RewriteCond %{REQUEST_URI} ^/subdomain/ [NC]
RewriteRule ^(.*)$ subdomain/$1 [L,R=301,QSA]
#more rules here
And inside the /subdomain folder I simply say
Satisfy Any
Allright ... I got it to work with an external redirect with www.!
RewriteCond %{HTTP_HOST} ^subdomain\.mysite\.com$ [NC]
RewriteRule ^(.*)$ http://www.subdomain.mysite.com/subdomain/$1 [L,R=301,QSA]
Problem with this is, http://subdomain.mysite.com/subdomain/ now redirects to http://www.subdomain.mysite.com/subdomain/subdomain/ - so I setup a php redirect in the subdomain/subdomain/ folder ...
it seems messy but the site is visible when you open subdomain.mysite.com :)
Basically I do not want people that visit my site to get all of the files, but all the things I tried and found on the internet disallow the usage of GET variables after the index.php. I'm using a rewrite to make domain.com/lol go to index.php?lol.
This is my current .htaccess file, if you'd like to modify it to make it easier for me, go ahead too.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com [NC]
RewriteRule .? http://domain.com%{REQUEST_URI} [L,R=301]
RewriteRule ^act/(.*)$ index.php?act=$1
RewriteRule ^code/(.*)$ index.php?code=$1
RewriteRule ^login$ index.php?login
RewriteRule ^logout$ index.php?logout
RewriteRule ^add$ index.php?add
RewriteRule ^tac$ index.php?tac
RewriteRule ^profile$ index.php?profile
Following rule stops direct requests to index.php (either with or without) arguments:
# block direct requests to index.php and redirect it to /
RewriteCond %{ENV:REDIRECT_STATUS} =""
RewriteRule ^index.php$ /
If needed, you can change the rewrite target and/or add some more conditions based on what exactly is allowed and what's not.
I have the following on my .htaccess file:
Options +FollowSymlinks
#+FollowSymLinks must be enabled for any rules to work, this is a security
#requirement of the rewrite engine. Normally it's enabled in the root and we
#shouldn't have to add it, but it doesn't hurt to do so.
RewriteEngine on
#Apache scans all incoming URL requests, checks for matches in our #.htaccess file
#and rewrites those matching URLs to whatever we specify.
#allow blank referrers.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?site.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?site.dev [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?dev.site.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
site.com is the production site.
site.dev is a localhost dev environment.
dev.site.com is a subdomain where we test live.
I'm aware that this will avoid the site to be indexed:
Header set X-Robots-Tag "noindex, nofollow"
cf. http://yoast.com/prevent-site-being-indexed/
My question is however, fairly simple perhaps:
Is there a way to apply this line ONLY on dev.site.com, so that it doesn't get indexed ?
Is there a way to apply this line ONLY on dev.site.com, so that it doesn't get indexed ?
Yes, you need to put the Header line in the vhost config for dev.site.com. There's no way you can make a host check tied to a Header set directive from within an htaccess file.
The other possibility is if you want to block bots via useragent, you can remove the Header set and add some rules:
# request is for http://dev.site.com
RewriteCond %{HTTP_HOST} ^dev.site.com$ [NC]
# user-agent is a search engine bot
RewriteCond %{HTTP_USER_AGENT} (Googlebot|yahoo|msnbot) [NC]
# return forbidden
RewriteRule ^ - [L,F]
Note that the list of user agents isn't complete. You can try to go through the massive list of User-Agents and look for all of the index robots, or at least the more popular ones.
Is it possible to accept traffic from only one domain, ideally using a .htaccess file?
I want my site to only be accessible via a link on another site I have.
I know how to block one referring domain, but not all domains
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC]
RewriteRule .* - [F]
this is my full rewrite code:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !domain\.co.uk [NC]
RewriteRule .? - [F]
# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
I think it is working, but none of the assets are getting loaded and I get a 500 error when I click on another link.
Make that something like:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !alloweddomain\.com [NC]
RewriteRule .? - [F]
The first RewriteCond checks that the referrer is not empty. The second checks that it doesn't contain the string yourdomain.com, and the third that it doesn't contain the string alloweddomain.com. If all of these checks pass, the RewriteRule triggers and denies the request.
(Allowing empty referrers is generally a good idea, since browsers can generate them for various reasons, such as when:
the user has bookmarked the link,
the user entered the link manually into the address bar,
the user reloaded the page,
the browser is configured not to send cross-site referrer infromation, or
a proxy between your site and the browser strips away the referrer information.)
I've tried to set up a htaccess redirect for everyone except me. It works fine...except that I have to write an exception for every file that the under construction page wants. This will take me a while and I'm certain there is a proper way to do it, I just cant find it.
I have tried this:
order deny,allow
deny from all
allow from 205.97.194.334
ErrorDocument 403 http://www.domain.com/page.htm
<Files page.htm>
allow from all
</Files>
But I get an internal server error
What I have now is this:
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
RewriteCond %{REQUEST_URI} !/mypage\.html$
RewriteRule .* http://www.domain.com/construct/mypage.html [R=302,L]
What can I add in this to allow everything in the /construct/ ?#
Thankyou
P.S. Can anyone tell me why the first attempt didn't work?
EDIT:
Ok I've added this, which allowed the files, however, it is only redirecting when the directory is entered. I.e. domain.com will redirect to the construction page, but domain.com/index.php and anything else will not redirect
# Redirect everyone who's not from your IP
RewriteCond %{REMOTE_ADDR} !00.00.00.00 [NC]
# Allow real files to be served
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule !index.html$ http://subverb.net/construct/index.html [R=307,L]
If you want /construct to be available to everyone else, and you want them to be redirected to that URL when opening any other URL:
# IF not from your address
RewriteCond %{REMOTE_ADDR} !^123\.4\.5\.6$
# AND not for /construct directory
RewriteCond %{REQUEST_URI} !^/construct
# THEN sen them to /construct/index.html
RewriteRule (.*) /construct/index.html [R=307,L]