I am trying to limit access to a certain URL using .htaccess (yes, I understand this is limited security). I only want individuals being referred by a certain URL to have access. I've already searched around and googled for some solutions, but none of them worked. Any help is appreciated.
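You could try something like:

# Requests whose Referer starts with http://www.somedomain.com are redirected to the landing page
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://www\.somedomain\.com [NC]
RewriteRule .* http://www.somewhere.com/landingpage.htm [R]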
Look up the HTTP referer variable on Google. You can write code in PHP to allow a visitor to view your site if the referer is correct, or else redirect him somewhere else. According to a thread, you should have a look at this code:

So in fact, if the referer is "google" or "msn" or "live" etc. ... all traffic from SEs, they redirect them to their site. You can use this code or look on Google.
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://www\.Domain\.com [NC]
RewriteRule http://www.Domain.com/404.html [R]
RewriteRule .*\.(avi|zip|rar|mp4)$ http://Domain.com/ [R,NC]
Code (markup):

Well.. I'm using this code in my .htaccess file right now. But it blocks it from everywhere. The setup is like this:

site1 = Domain.com
site 2 = m1.Domain.com

The only way to get access to m1.Domain.com is if you were referred to it by domain.com. Even if you have a direct link.
I don't quite understand what I should do with your code. So what I did was create a PHP file and pasted your code in it after modifying it with my URLs. But it still doesn't work, unless I'm doing something wrong?
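I believe it should be something like this:

<?php $seref = array("www.domain.com", "domain.com"); // allowed referer sites
// The Referer header is optional, so fall back to an empty string when it is absent
$referer = isset($_SERVER['HTTP_REFERER']) ? strtolower($_SERVER['HTTP_REFERER']) : '';
$ser = 0;
foreach ($seref as $ref) {
    // Flag the visitor if the referer contains one of the allowed sites
    if (strpos($referer, $ref) !== false) {
        $ser = 1;
        break;
    }
}
// Redirect flagged visitors that sent no cookies to the protected site
if ($ser == 1 && sizeof($_COOKIE) == 0) {
    header("Location: http://m1.domain.com");
    exit;
}
?>
PHP:

... where "www.domain.com" (line 1) is your allowed referer sites list. Give it a try and let us know if it worked.

P.S.: this method isn't fool-proof. The super variable $_SERVER['HTTP_REFERER'] can be spoofed by an expert. You should add a second security layer (e.g. login form with encryption)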
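The substring test in the snippet above accepts any Referer that merely contains an allowed name; as an added example (not code from the thread), this compares it with an exact host match on constructed Referer values. The host names are the thread's placeholders and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Host names are the thread's placeholders.

/** The thread's test: true if an allowed name occurs anywhere in the header. */
function referer_allowed_substring(?string $referer, array $allowed): bool
{
    foreach ($allowed as $name) {
        if (strpos(strtolower((string) $referer), $name) !== false) {
            return true;
        }
    }
    return false;
}

/** Stricter test: parse the URL and compare only its host, exactly. */
function referer_allowed_exact(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false;   // bookmark, typed URL, or header stripped by the client
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;   // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');   // "Domain.com." -> "domain.com"
    return in_array($host, $allowed, true);
}

$allowed = ['www.domain.com', 'domain.com'];
$samples = [   // constructed Referer values
    'http://www.domain.com/downloads.html',
    'http://WWW.Domain.com:8080/page?id=3',
    'http://domain.com.other.example/',
    'http://other.example/?from=domain.com',
    'http://notdomain.com/',
    '',
];
foreach ($samples as $ref) {
    printf("%-40s substring=%-5s exact=%s\n",
        $ref === '' ? '(no Referer)' : $ref,
        var_export(referer_allowed_substring($ref, $allowed), true),
        var_export(referer_allowed_exact($ref, $allowed), true));
}
```

In the script above, `referer_allowed_exact()` would take the place of the `strpos` loop; the header is still supplied by the client either way.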
Ok so would I just create a PHP file and name it something like "index.php" and upload it to the root directory? Since there are only folders / files on the server. Cause if that is what I should do, it doesn't work.
Ok, here's an example: Imagine that you have a form on www.domain.com that the user must fill in, in order to gain access to m1.domain.com. This form, once the submit button has been clicked, would redirect the visitor to this script (say referer_validator.php). This script will verify that this visitor comes from www.domain.com; if true, then the visitor gets redirected to m1.domain.com. Get my point? If you need further help just PM me, ok?
There most likely also are working .htaccess solutions that might work, depending on how small or large the number of allowed referrers is.

Example:

1. In regular image hotlinking protection we ( I ) use methods to deny all except a list of allowed sites ( for example allow all known / listed SEs ), or instead of denying, to redirect to a particular file. This works on the basis of file extensions to protect. I have used the above successfully for a long time ( a few years ) and redirect denied referrers to a replacement file / image.

2. Another .htaccess solution I use to deny all except those referred from a link on MY site is used to deny access to form files abused for spam attempts / abuse attempts by remote bots. Here again I deny all except those coming from my own site and redirect all others to a replacement file.

Instead of a replacement file, in BOTH above .htaccess solutions a simple deny ( F ) rule also would work. I use 1) above for the entire site and 2) above for one subfolder and one particular page only. Depending on Apache version you may need to adapt/modify the code slightly.

BUT

3. Limiting traffic to a few referrers ONLY .... you may have to ask yourself what you want to achieve, because you most likely also may lose MOST of the generic traffic. On a large site you may expect 10-20 or more % of traffic coming from bookmarks and another up to 50+% from OTHER referrers such as sites, blogs, forums, directories, RSS feeds, etc.

If security is your main concern then it is much easier and more efficient to
- secure your running scripts
- study hack attempts and secure
- deny particular bots or IPs involved with abusive actions

3) is what I have done for years - apparently 100% successfully for at least the past 2 years.

4. If ever you want to block most of the world except a KNOWN list of referrers, MUCH more resource friendly would be to deny access to all except a listed number of IPs using iptables, or less efficient, using similar in .htaccess with IPs. The latter is what I use for abusive bots.
Your method is a little too difficult for me :/

I use this step already and am able to block images successfully from being hotlinked. This might also work.

I won't lose any traffic, as the domain I want to be accessible by referrer only is a media server. Which means there is no website and it only stores files for my actual main site, where users can download from. My problem is how can I stop people from downloading the files if they are not referred from the main site. Even if they have a direct link to the file they should still get some sort of error. Only users who were referred to the file from the main site should be able to access the files.

This would probably be the best solution as I can deny all except the server's IP. But would that mean only people who were referred from my server would be able to download the files?
Seeing what you want to do - I think my 3) is easiest and best, as I understand access is allowed from ONE precise ( your ) website. That is exactly what I use to restrict access to my contact form, which recently has been abused by spam attempts.

<IfModule mod_rewrite.c>
RewriteEngine on
# Apply only to requests for this file
RewriteCond %{REQUEST_FILENAME} allowed_originating_page\.html$ [NC]
# ...whose Referer is not a page on your_site.com
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your_site\.com/.*$ [NC]
# Redirect those requests to the replacement page
RewriteRule (.*) http://www.destination.site/folder_to/your_abuser_destination-file.html [R,NC,L]
</IfModule>
Code (markup):

Above is my example. Here is what it does: I have ONE page from which people legally access the script that processes the form - hence access is limited FROM ONE page only. This page is on ONE site from which legal users are allowed to access the form script ( = my site ). ALL OTHERS are redirected to abuser_destination-file.html.

This .htaccess code is in the folder where access is controlled - in your case, in your DOWNLOAD folder.

The above works great for me. Just look at the logic, see what you may have to modify, then try a run.
This .htaccess config is awesome! I'm saving this for future references hehe EnDLeSs, I believe this one is the best (and more secure) solution for you. Give it a try and let us know if it worked for you.
Yea, the .htaccess looks like exactly what I'm looking for. But it doesn't seem to work. Could it be that my Apache version requires a different code? I run Apache/1.3.39 (Unix)
1. Re Apache 1.3: the code should most likely work on BOTH - PROVIDED that rewrite works. To test that, you can find simple tests. Just try to do a simple rewrite, for example EXACTLY the code below:

Options +Indexes
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteRule ^wrongindex\.html$ index.html [L]

In the browser you type your domain/wrongindex.html and then should end up on your index.html page. If that works - then mod_rewrite works, else you have a basic problem to solve first.

2. NOT absolutely clear, since the exact URLs from YOUR site(s) are missing - the rewrite code is meant to be on ONE site. If however, as it may appear, you have TWO domains joined in your problem, then the rewrite code needs to be on the download site, NOT on the referrer site. If your site1 has the form and site2 has the download, then the referrer URL in my code may need a FULL URL ( incl. http: ... ) as allowed referrer. In this case the referrer URL alone may be OK - IF there is NO other way for downloaders to guess or KNOW your download URL.

<IfModule mod_rewrite.c>
RewriteEngine on
# Both conditions must hold: the Referer is neither on site1 nor on site2
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your_site1\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your_site2\.com/.*$ [NC]
# Redirect those requests to the replacement page
RewriteRule (.*) http://www.destination.site/folder_to/your_abuser_destination-file.html [R,NC,L]
</IfModule>
Code (markup):

Some code as above is placed on the download server/site and would do:

allow access if referrer is ANY page on site1
allow access if referrer is ANY page on site2
deny access if NO referrer ( direct access from a bookmark ) - this also however would deny access to SE bots

If download is restricted to THOSE ppl having completed the form, then SE should be denied access to the download site, else ppl WILL find the direct download URL in Google ... ( and other SE ).

If you do NOT want access from ANY page on site1 (and site2) but only allow when referred to by a precise referrer URL, then you may have to look into your access_log how your Apache writes the referrer URL - it normally is a FULL (http://) URL when from a remote site and a /domainroot-folder/filename.html when coming from the same site ...

When limiting access to ONE referrer page only, keep in mind those who may download 2 or more files, if such a scenario exists. After ONE download the referrer is the download site and no longer the form-completion site!

For testing the above, also keep in mind that YOU too have to follow those rules when testing in your browser.

The more restriction - the more problems. For that reason I have a site where all is free, me too = meaning I am FREE of such problems you create for yourself. And even on a site where ALL is free you still can get 4xxx - 5xxx $/m adsense ....... hence the less restrictive your access rule - the happier your own life!