Access
I've trimmed what was a multi-level category down to my examples of ways that you can control access to parts of a website. I'm currently doing most of this in my httpd.conf and only using .htaccess files in special situations. I haven't looked at the examples for a while, so YMMV.
404 redirect
I re-did one of my sites without thinking about the 404s folks would get until Google came around again. Three weeks after the changes I ran across one of my pages in the search results. I was surprised to get a worthless 404 message. My solution was to create a single-line .htaccess in the site's root directory.
ErrorDocument 404 /
will redirect all 404 errors to the site's home page (root index.html).
...I'm working on making it more useful by redirecting to a custom script (ErrorDocument 404 /cgi-bin/foo.pl) that logs 404s ($ENV{'REDIRECT_URL'}), provides an explanation to the user and a form for the site's search engine. I've also started putting RedirectPermanent pointers in the appropriate VirtualHost block for directories/pages that I move.
...It's about time to redo and move the 404 discussion. I've also moved the ErrorDocument line into the appropriate VirtualHost block and started working on seeing if I can get rid of all .htaccess usage (per my note in Access Control).
A do all access restriction example
Allows local and/or remote access by IP address/domain or name/password.
AuthName "restricted stuff"
AuthType Basic
AuthUserFile /Path_To/.htpasswd
order deny,allow
deny from all
allow from x.x.x.x
require valid-user
satisfy any
x.x.x.x can be any number of full or partial, local or remote IP addresses or domain names. A user who doesn't match the IP/domain will need to enter a name/password.
SetEnvIf - Allow calling file, not public
> Is it possible to use some sort of .htaccess file to allow the calling file
> (the one with the include call) to grab the include, while preventing
> public/search engine access to the directory that contains the
> included files?
One possibility is to use SetEnvIf. Use the following .htaccess in the directory you want to limit access to:
order deny,allow
deny from all
Allow from env=include
In httpd.conf include the following (I put it in the appropriate VirtualHost section):
SetEnvIf Request_URI "^/foo/bar/baz\.shtml$" include
The directory with the above .htaccess will only be accessible via http://www.domain.com/foo/bar/baz.shtml ('include' can be any name you want so long as it's the same name in .htaccess and for SetEnvIf).
You probably want multiple pages to access the include dir so:
SetEnvIf Request_URI "^/foo/bar/(baz|another|more)\.shtml$" include
is one option,
SetEnvIf Request_URI "\.shtml$" include
would probably be more flexible: only your pages with a .shtml extension will be able to view files in your protected 'include' dir.
SetEnvIf - Limiting based on HTTP_REFERER
> Does anyone know of any way to use Apache (via .htaccess) to only allow
> access to a directory if the HTTP_REFERER is okay?
> I know I can do this by using a CGI to check the HTTP_REFERER. And I know
> that the referer can be faked. But I am looking for an idea to do this
> with Apache. (I am reading the core docs.)
One solution is to use SetEnvIf. Use the following .htaccess in the directory you want to limit access to:
order deny,allow
deny from all
Allow from env=your_domain
In httpd.conf include the following (I put it in the appropriate VirtualHost section):
SetEnvIf Referer your_domain\.com your_domain
# we have to allow users/browsers that don't send Referer
SetEnvIf Referer "^$" your_domain
Only requests with a your_domain.com referer will be able to access any directory with the above .htaccess ('your_domain' can be any name you want so long as it's the same name in .htaccess and for SetEnvIf). One useful application is to prevent other sites from using images on your site in their pages.
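An added example, not part of the original page: the Referer pattern above is unanchored, so it is satisfied by any Referer that contains the text your_domain.com, not only by pages served from that host. Anchoring it to the scheme and host name tightens the match; the optional "www." prefix and port are assumptions about the site.

```apache
# Added example, not from the original page. your_domain is the page's
# placeholder; the optional "www." prefix is an assumption about the site.

# The page's pattern, kept for comparison. It is unanchored, so it is true
# for any Referer value that contains "your_domain.com" somewhere in it.
#SetEnvIf Referer your_domain\.com your_domain

# Anchored form: the value must start with the scheme and exactly this
# host, followed by an optional port and then a path or the end of string.
SetEnvIf Referer "^https?://(www\.)?your_domain\.com(:[0-9]+)?(/|$)" your_domain

# Requests without a Referer header are still let through, as on the page.
SetEnvIf Referer "^$" your_domain
```

The .htaccess side (Allow from env=your_domain) is unchanged. Because the empty-Referer rule has to stay, this limits hot-linking from other pages but is not an authentication control.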
Local users example
To limit directory access to local users all you need is something like:
order deny,allow
deny from all
allow from 127.0.0.1 192.168.0.
127.0.0.1 allows access from the computer the directory is on.
192.168.0. allows any computer in that network (192.168.0.n).
Any other computer will be denied access.
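An added example, not from the original page: the do-all, SetEnvIf and local-users rules above use Apache 2.2 directives (order/deny/allow/satisfy), which Apache 2.4 accepts only through mod_access_compat. The same three rules as 2.4 mod_authz_core Require directives in httpd.conf follow; the Directory paths are hypothetical, and x.x.x.x and /Path_To/.htpasswd are the page's placeholders.

```apache
# Added example, not from the original page: Apache 2.4 (mod_authz_core)
# forms of the 2.2-style rules above. Directory paths are hypothetical.
# Do not mix these with order/deny/allow in the same scope.

# "Do all" example: a matching address OR a valid login (was "satisfy any")
<Directory "/var/www/example/restricted">
    AuthName "restricted stuff"
    AuthType Basic
    AuthUserFile /Path_To/.htpasswd
    <RequireAny>
        # Was "allow from x.x.x.x"; for domain names use "Require host"
        Require ip x.x.x.x
        # Was "require valid-user"; everyone else gets the password prompt
        Require valid-user
    </RequireAny>
</Directory>

# SetEnvIf example: only requests that carry the variable are admitted
# (was "Allow from env=include")
SetEnvIf Request_URI "^/foo/bar/baz\.shtml$" include
<Directory "/var/www/example/include">
    Require env include
</Directory>

# Local users example: loopback plus the 192.168.0.n network
# (was "allow from 127.0.0.1 192.168.0.")
<Directory "/var/www/example/local">
    Require ip 127.0.0.1 192.168.0.0/24
</Directory>
```

With no Require line matching, 2.4 denies the request, so the explicit "deny from all" has no counterpart here. AuthType Basic sends the name/password base64-encoded only, so the restricted directory belongs on an HTTPS virtual host.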
rar example
The problem with rars is the large number of possible extensions. I've had no luck with the mime magic file so for now I keep a special rar directory with the following .htaccess:
ForceType application/x-rar-compressed
DefaultIcon /icons/rar.gif
which means that all files in that directory will be treated as rars and the fancy indexing will use the rar.gif instead of unknown.gif. You will need to add a rar.gif to your /icons directory.