
Access

I've trimmed what was a multi-level category down to my examples of ways that you can control access to parts of a website. I'm currently doing most of this in my httpd.conf and only using .htaccess files in special situations. I haven't looked at the examples for a while; YMMV.

404 redirect

I re-did one of my sites without thinking about the 404s folks would get until Google came around again. Three weeks after the changes I ran across one of my pages in the search results. I was surprised to get a worthless 404 message. My solution was to create a single-line .htaccess in the site's root directory.

   ErrorDocument 404 /

will redirect all 404 errors to the site's home page (root index.html).

...I'm working on making it more useful by redirecting to a custom script (ErrorDocument 404 /cgi-bin/foo.pl) that logs 404s ($ENV{'REDIRECT_URL'}), provides an explanation to the user and a form for the site's search engine. I've also started putting RedirectPermanent pointers in the appropriate VirtualHost block for directories/pages that I move.

...It's about time to redo and move the 404 discussion. I've also moved the ErrorDocument line into the appropriate VirtualHost block and started working on seeing if I can get rid of all .htaccess usage (per my note in Access Control).

A do all access restriction example

Allows local and/or remote access by IP address/domain or name/password.

   AuthName "restricted stuff"
   AuthType Basic
   AuthUserFile /Path_To/.htpasswd

   order deny,allow
   deny from all
   allow from x.x.x.x
   require valid-user
   satisfy any

x.x.x.x can be any number of full or partial, local or remote IP addresses or domain names. If the user doesn't match the IP/domain they will need to enter a name/password.
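
The same policy in Apache 2.4 syntax, as an added example that is not part of the original notes: in 2.4 the Order/Deny/Allow/Satisfy directives are handled by mod_access_compat, and the native form uses Require inside RequireAny. It goes one step beyond the text by also showing the stricter RequireAll variant; the directory paths and the 192.0.2.0/24 range are placeholders.

```apache
# Added example, Apache 2.4 (mod_authz_core, mod_auth_basic).
# Place inside the relevant <VirtualHost> block in httpd.conf.
# The /var/www/example paths and 192.0.2.0/24 are placeholders.

# Equivalent of:
#   order deny,allow / deny from all / allow from x.x.x.x
#   require valid-user / satisfy any
# A request is let in if EITHER test passes.
<Directory "/var/www/example/restricted">
    # The rules live here, so ignore any .htaccess in this tree.
    AllowOverride None
    AuthName "restricted stuff"
    AuthType Basic
    # Keep the password file outside DocumentRoot.
    AuthUserFile "/Path_To/.htpasswd"
    <RequireAny>
        # Stands in for x.x.x.x; partial addresses and CIDR both work.
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAny>
</Directory>

# Stricter variant (the old "satisfy all"): the client must come from
# the listed network AND present a valid name/password.
<Directory "/var/www/example/restricted-strict">
    AllowOverride None
    AuthName "restricted stuff"
    AuthType Basic
    AuthUserFile "/Path_To/.htpasswd"
    <RequireAll>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAll>
</Directory>

# Basic auth sends the password base64-encoded, not encrypted,
# so serve these directories over HTTPS.
```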

SetEnvIf - Allow calling file, not public

> Is it possible to use some sort of .htaccess file to allow the calling file
> (the one with the include call) to grab the include, while preventing
> public/search engine access to the directory that contains the
> included files?

One possibility is to use SetEnvIf. Use the following .htaccess in the directory you want to limit access to:

       order deny,allow
       deny from all
       Allow from env=include

In httpd.conf include the following (I put it in the appropriate VirtualHost section)

       SetEnvIf Request_URI "^/foo/bar/baz\.shtml$" include

The directory with the above .htaccess will only be accessible via http://www.domain.com/foo/bar/baz.shtml ('include' can be any name you want so long as it's the same name in .htaccess and for SetEnvIf).

You probably want multiple pages to access the include dir so:

       SetEnvIf Request_URI "^/foo/bar/(baz|another|more)\.shtml$" include

is one option,

       SetEnvIf Request_URI "\.shtml$" include

would probably be more flexible: only your pages with a .shtml extension will be able to view files in your protected 'include' dir.

SetEnvIf - Limiting based on HTTP_REFERER

> Does anyone know of anyway to use Apache (via .htaccess) to only allow
> access to a directory if the HTTP_REFERER is okay?

> I know I can do this by using a CGI to check the HTTP_REFERER. And I know
> that the referer can be faked. But I am looking for an idea to do this
> with Apache. (I am reading the core docs.)

One solution is to use SetEnvIf. Use the following .htaccess in the directory you want to limit access to:

       order deny,allow
       deny from all
       Allow from env=your_domain

In httpd.conf include the following (I put it in the appropriate VirtualHost section)

       SetEnvIf Referer your_domain\.com your_domain
       # we have to allow users/browsers that don't send Referer
       SetEnvIf Referer "^$" your_domain

Only requests with a your_domain.com referer will be able to access any directory with the above .htaccess ('your_domain' can be any name you want so long as it's the same name in .htaccess and for SetEnvIf). One useful application is to prevent other sites from using images on your site in their pages.
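
Both SetEnvIf recipes above (the include directory and the Referer check), rewritten as an added example for Apache 2.4 and kept entirely in httpd.conf; this is not the original author's configuration. The /var/www/example paths are placeholders, and the patterns are tightened versions of the ones in the text.

```apache
# Added example, Apache 2.4 (mod_setenvif, mod_authz_core).
# Place inside the relevant <VirtualHost> block in httpd.conf.
# The /var/www/example paths are placeholders.

# 1. Include directory: only requests for the calling pages set the
#    variable. The pattern is tied to /foo/bar/ because a bare "\.shtml$"
#    would also match a direct request for a .shtml file stored inside
#    the protected directory itself.
SetEnvIf Request_URI "^/foo/bar/[^/]+\.shtml$" include

<Directory "/var/www/example/include">
    AllowOverride None
    # 2.4 form of "deny from all / Allow from env=include".
    Require env include
</Directory>

# 2. Referer check: anchor the scheme and host. The unanchored pattern
#    your_domain\.com is satisfied by that text anywhere in the header,
#    including the path or query string of an unrelated site's URL.
SetEnvIf Referer "^https?://(www\.)?your_domain\.com(/|$)" your_domain
# Clients that send no Referer are still allowed, as in the original.
SetEnvIf Referer "^$" your_domain

<Directory "/var/www/example/images">
    AllowOverride None
    Require env your_domain
</Directory>

# The Referer header is supplied by the client, so this limits casual
# hotlinking only. Content that must stay private needs Require ip or
# Require valid-user instead.
```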

Local users example

To limit directory access to local users all you need is something like:

   order deny,allow
   deny from all
   allow from 127.0.0.1 192.168.0.

127.0.0.1 allows access from the computer the directory is on.
192.168.0. allows any computer in that network (192.168.0.n).
Any other computer will be denied access.

rar example

The problem with rars is the large number of possible extensions. I've had no luck with the mime magic file, so for now I keep a special rar directory with the following .htaccess:

   ForceType application/x-rar-compressed
   DefaultIcon /icons/rar.gif

which means that all files in that directory will be treated as rars and the fancy indexing will use the rar.gif instead of unknown.gif. You will need to add a rar.gif to your /icons directory.