Posted to users@httpd.apache.org by Robert Andersson <ro...@profundis.nu> on 2003/06/19 10:05:23 UTC

Re: [users@httpd] htaccess - web script access permissions

Martin Hudec wrote:
> please, can anyone point me how to set file access permissions using
> .htaccess?
>
> Here is situation I have:
>
> /web - directory with htmls etc
> /web/script - directory with one script
>
> I need to set that script in /web/script accessible only from localhost (in
> browser I call flash which locally uses that script).

Apache needs to be configured to allow authorization directives in access
files in the directory.

<Directory /web/script>
    AllowOverride ... Limit
    ...
</Directory>

In the .htaccess file, you have:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

But, you should put it directly in the httpd.conf if possible.


Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
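
Added example, not part of the original messages: a small Python model of how mod_access combines Order, Deny and Allow for the configuration above. It handles only "all", single addresses and CIDR blocks, and the client addresses are constructed samples. It shows why requests made by Flash running in a visitor's browser are refused: they arrive from the visitor's address, not from 127.0.0.1.

```python
import ipaddress


def _matches(spec, client):
    """True if a host spec ('all', an IP, or a CIDR block) covers the client."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)


def evaluate(order, deny, allow, client):
    """Return True if these Order/Deny/Allow directives admit `client`."""
    denied = any(_matches(s, client) for s in deny)
    allowed = any(_matches(s, client) for s in allow)
    if order == "Deny,Allow":
        # Default is allow; a Deny match blocks unless an Allow also matches.
        return allowed or not denied
    if order == "Allow,Deny":
        # Default is deny; a client needs an Allow match and no Deny match.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order!r}")


def decisions(order, deny, allow, clients):
    """Map each client address to the access decision."""
    return {c: evaluate(order, deny, allow, c) for c in clients}


# Constructed sample clients: the server itself and two visitors' browsers.
CLIENTS = ["127.0.0.1", "192.0.2.44", "198.51.100.7"]

if __name__ == "__main__":
    result = decisions("Deny,Allow", ["all"], ["127.0.0.1"], CLIENTS)
    for client, ok in result.items():
        verdict = "allowed" if ok else "client denied by server configuration"
        print(f"{client:15} {verdict}")
```

Adding a subnet such as 192.0.2.0/24 to the allow list admits that visitor, but it does not distinguish the Flash movie from any other program running on the same machine.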


Re: [users@httpd] htaccess - web script access permissions

Posted by Martin Hudec <co...@corwin.sk>.
On Thu June 19 2003 09:10, Robert Andersson wrote:
>
> Oh, now I see; I got it all wrong. I thought you were developing something
> with Flash, and only wanted it to execute when testing. Now, it's the other
> way around; you don't want to block outside access at all.

Exactly, I should have explained that flash in full in my first mail.

> I'll take a guess that the 'flash' is perhaps a game of some sort, and the
> script is perhaps collecting hiscores, and you don't want anyone to fiddle
> with it. Something like that?

Yes, as you have said, the only way is to do some encryption on the parameter
before invoking (due to sniffers :().

Okay thanks for everything
-- 
Martin Hudec
----------------------------------
:@: corwin@corwin.sk
:w: http://www.corwin.sk
:m: +421.907.303.393

"In google non est, ergo non est."
- unknown IRC operator
----------------------------------



Re: [users@httpd] htaccess - web script access permissions

Posted by Robert Andersson <ro...@profundis.nu>.
Martin Hudec wrote:
> Exactly. But requests show up in access log with different IPs. Flash is part
> of competition on our website.

Oh, now I see; I got it all wrong. I thought you were developing something
with Flash, and only wanted it to execute when testing. Now, it's the other
way around; you don't want to block outside access at all.

I'll take a guess that the 'flash' is perhaps a game of some sort, and the
script is perhaps collecting hiscores, and you don't want anyone to fiddle
with it. Something like that?

Ok, you can't do this from Apache, because Apache cannot tell the legal
flash movie and the clever hacker apart. Anyone could use a sniffer to see
how flash is calling the scripts, the exact headers etc, and so can mimic
it. (Basic) Authentication doesn't really help here, nor any URL magic.
Perhaps wrapping it using SSL would help, but I have no idea if Flash can do
that.

If my guess is somewhat correct, you should apply some good
encryption/scrambling on the script's parameters before invoking it, then
have the script validate the parameters and if they are invalid, bail out.
This would be 'security by obscurity', which is usually not what you want,
but may be enough in this case.


Regards,
Robert Andersson
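
Added example, not part of the original messages: one way the script could validate its parameters and bail out when they are invalid. It uses an HMAC tag over the parameters plus a timestamp instead of encryption or scrambling; the key, parameter names and time window are assumptions. The key has to ship inside the client, where it can be recovered, so this stays within the "security by obscurity" limit described above.

```python
import hashlib
import hmac
import json
import time

# Assumption: a secret compiled into the Flash movie. Anyone who takes the
# movie apart can recover it, so this raises the bar without closing the hole.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 120  # seconds a signed request stays valid (assumed window)


def sign(params, ts, key=SHARED_KEY):
    """Client side: tag a canonical encoding of the parameters and timestamp."""
    # JSON with sorted keys avoids ambiguity from '&' or '=' inside values.
    msg = json.dumps({"p": params, "ts": ts}, sort_keys=True,
                     separators=(",", ":"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def validate(params, ts, sig, seen, now=None, key=SHARED_KEY):
    """Server side: return (ok, reason), rejecting anything invalid."""
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_AGE:
        return False, "stale timestamp"
    expected = sign(params, ts, key)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if sig in seen:
        # A sniffed request replayed unchanged inside the time window.
        return False, "replayed request"
    seen.add(sig)
    return True, "ok"


if __name__ == "__main__":
    seen = set()  # in a real script this would be persistent storage
    params = {"player": "alice", "score": 4200}  # constructed sample
    ts = int(time.time())
    sig = sign(params, ts)
    print(validate(params, ts, sig, seen))                  # accepted
    print(validate(params, ts, sig, seen))                  # replay refused
    print(validate({**params, "score": 999999}, ts, sig, set()))  # tampered
```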




Re: [users@httpd] htaccess - web script access permissions

Posted by Martin Hudec <co...@corwin.sk>.
On Thu June 19 2003 08:47, Robert Andersson wrote:
>
> You have a script that you do not want anyone to execute except Flash, that
> is sitting on your machine, right? Do the legitimate requests from flash
> have different IPs? I'm not sure why that is so, but if you have several
> IPs you can add them up in the Allow directive, and/or you can allow one or
> more sub-nets.

Exactly. But requests show up in access log with different IPs. Flash is part 
of competition on our website.

>
> If Flash supports providing credentials, you can add authorization on the
> directory. If not, you can do a silly thing such as pointing flash at the
> script like:
> http://yourhost/scripts/script?password=<something>
> and verify the password in the script.

Must tell my designer to look at it. That silly thing looks silly but I think 
it will do the job. But first I will try to find out anything about flash 
authorization.

> Another way is to set up a virtual host on another port where you host the
> script. Then block outside access to this port with a firewall.

A way too, but again if I call something:88/script.pl from flash, I will again
see different IPs in the log, so this is not an option :(.


Okay I am going to google out :). Thanks.

-- 
Martin Hudec


Re: [users@httpd] htaccess - web script access permissions

Posted by Robert Andersson <ro...@profundis.nu>.
Martin Hudec wrote:
> Okay, thank you for everything. Well looks like I have to find another way.
> Scheme is:
> 1. browser (various IPs) calls flash
> 2. flash (still various IPs - here is reason why all of this can't work) calls
> script
> 3. script is executed

You have a script that you do not want anyone to execute except Flash, that
is sitting on your machine, right? Do the legitimate requests from flash
have different IPs? I'm not sure why that is so, but if you have several IPs
you can add them up in the Allow directive, and/or you can allow one or more
sub-nets.

> Maybe just simple check of referer (if there my flash is shown up) will do the
> job. I want to protect the script from being called by anything else than my
> flash.

I don't know about the referer; it's not very reliable.

If Flash supports providing credentials, you can add authorization on the
directory. If not, you can do a silly thing such as pointing flash at the
script like:
http://yourhost/scripts/script?password=<something>
and verify the password in the script.

Another way is to set up a virtual host on another port where you host the
script. Then block outside access to this port with a firewall.


Regards,
Robert Andersson




Re: [users@httpd] htaccess - web script access permissions

Posted by Martin Hudec <co...@corwin.sk>.
On Thu June 19 2003 08:24, Robert Andersson wrote:
>
> You may want to make a slight modification of the Allow directive, to be
> your specific IP rather than 127.0.0.1. See further info on that here:
>
> http://httpd.apache.org/docs-2.0/mod/mod_access.html#allow
>

Okay, thank you for everything. Well looks like I have to find another way. 
Scheme is:
1. browser (various IPs) calls flash
2. flash (still various IPs - here is reason why all of this can't work) calls 
script
3. script is executed

Maybe just simple check of referer (if there my flash is shown up) will do the 
job. I want to protect the script from being called by anything else than my 
flash.

Thank you again.

-- 
Martin Hudec


Re: [users@httpd] htaccess - web script access permissions

Posted by Robert Andersson <ro...@profundis.nu>.
Martin Hudec wrote:
> Okay I added Order, deny, allow lines to <Directory> (not in .htaccess),
> problem is that now I do block whole flash away from accessing protected
> script. In web error log I have:
>
> [Thu Jun 19 10:09:12 2003] [error] [client xxx.xxx.xxx.xxx] client denied by
> server configuration: /www/site/adsl/adsl.pl

You may want to make a slight modification of the Allow directive, to be
your specific IP rather than 127.0.0.1. See further info on that here:

http://httpd.apache.org/docs-2.0/mod/mod_access.html#allow


Regards,
Robert Andersson




Re: [users@httpd] htaccess - web script access permissions

Posted by Martin Hudec <co...@corwin.sk>.
On Thu June 19 2003 08:05, Robert Andersson wrote:
>
> In the .htaccess file, you have:
>
> Order Deny,Allow
> Deny from all
> Allow from 127.0.0.1
>
> But, you should put it directly in the httpd.conf if possible.
>
>
> Regards,
> Robert Andersson
>

Okay I added Order, deny, allow lines to <Directory> (not in .htaccess),
problem is that now I do block whole flash away from accessing protected
script. In web error log I have:

[Thu Jun 19 10:09:12 2003] [error] [client xxx.xxx.xxx.xxx] client denied by 
server configuration: /www/site/adsl/adsl.pl

:(

-- 
Martin Hudec