[users@httpd] Restricting page access

[Richard Crawford <rc...@unexmail.ucdavis.edu>]

I'm still working on the problem of delivering those huge PDF files.  In 
the meantime, I was also asked to prevent those files from being 
displayed unless the link to them was clicked on; in other words, I want 
to prevent users from being able to display a file by typing the URL 
directly into their browser.  Normally I'd use basic authentication in 
an .htaccess file, but in this setting that is inappropriate.  I tried 
adapting the solution from the _Apache Cookbook_ that prevents linking 
of local images by remote sites, but that didn't seem to do the trick.

Here is the .htaccess file that I created:

<FilesMatch "\.pdf$">
SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
Order Deny,Allow
Allow from env=local_referer
</FilesMatch>

This doesn't prevent a pdf file from being delivered if the user types 
in the URL directly.



-- 
Richard S. Crawford
Programmer III
UC Davis Extension Distance Education Group (http://unexdlc.ucdavis.edu)
2901 K Street, Suite 200C
Sacramento, CA  95816
(916)327-7793


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Restricting page access

[Richard Crawford <rc...@unexmail.ucdavis.edu>]

Noah wrote:
> On Wed, Mar 09, 2005 at 02:54:54PM -0800, Richard Crawford wrote:
> 
>>I tried adapting the solution from the _Apache Cookbook_ that prevents linking 
>>of local images by remote sites, but that didn't seem to do the trick.
>>
>>Here is the .htaccess file that I created:
>>
>><FilesMatch "\.pdf$">
>>SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
>>Order Deny,Allow
>>Allow from env=local_referer
>></FilesMatch>
> 
> 
> You don't specify a Deny directive here:
> 
> <FilesMatch "\.pdf$">
> SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
> Order deny,allow
> Deny from all
> Allow from env=local_referer
> </FilesMatch>

Thanks for the tip.

It's still not working, but I think I know why; it has to do with the 
JRun configuration, and not Apache.

-- 
Richard S. Crawford
Programmer III
UC Davis Extension Distance Education Group (http://unexdlc.ucdavis.edu)
2901 K Street, Suite 200C
Sacramento, CA  95816
(916)327-7793


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Restricting page access

[Noah <si...@onastick.net>]

On Wed, Mar 09, 2005 at 02:54:54PM -0800, Richard Crawford wrote:
> I tried adapting the solution from the _Apache Cookbook_ that prevents linking 
> of local images by remote sites, but that didn't seem to do the trick.
> 
> Here is the .htaccess file that I created:
> 
> <FilesMatch "\.pdf$">
> SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
> Order Deny,Allow
> Allow from env=local_referer
> </FilesMatch>

You don't specify a Deny directive here:

<FilesMatch "\.pdf$">
SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
Order deny,allow
Deny from all
Allow from env=local_referer
</FilesMatch>

--n
-- 
<huey> dd of=/dev/fd0 if=/dev/flippy bs=1024
<huey> ^^^ Making Flippy Floppy


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org