Posted to users@httpd.apache.org by Rondon <dj...@gmail.com> on 2017/09/14 22:27:36 UTC

[users@httpd] .htaccess

Hi Folks,

Sorry to bother you.
My website is using apache at Dreamhost.

I'm authenticating using a require valid-user at .htaccess
But I need to add more directives to authenticate the access by Referer.

If the user comes from a specific referer, the user doesn't have to receive
the authentication box and bypass the authentication.

Is that possible?

My .htaccess file is:

AuthName "My Security Area"
AuthType Basic
AuthUserFile  /myusersfilepath/
require valid-user

ErrorDocument 401 /error.html

I'd like to add authentication by Referer
if Referer or host domain.the extension then there is no need for
authentication
the user goes in with the authentication box.

Can you help with that?

Thanks in advance and waiting for your response

Cheers,

--DjRondon




---------------------------------------------------------------------------------------------
Your life is shaped by your mind and you become what you think.
Dhammapada - Twin Verses.

Re: [users@httpd] .htaccess

Posted by Rondon <dj...@gmail.com>.
Hi Yann,

But I need to have both working..
By Referer bypass the user authentication
if Referer is different it needs the user authentication.

Cheers,

Rondon


2017-09-16 14:46 GMT-03:00 Yann Ylavic <yl...@gmail.com>:

> Hi Rondon,
>
> On Fri, Sep 15, 2017 at 12:27 AM, Rondon <dj...@gmail.com> wrote:
> > Hi Folks,
> >
> > Sorry to bother you.
> > My website is using apache at Dreamhost.
> >
> > I'm authenticating using a require valid-user at .htaccess
> > But I need to add more directives to authenticate the access by Referer.
> >
> > If the user comes from a specific referer, the user doesn't have to receive
> > the authentication box and bypass the authentication.
>
> First I must say that it's IMHO not a wise thing to do!
> Keep in mind that the Referer can be forged at will by any user,
> fooling your authorizations...
>
> >
> > Is that possible?
>
> If you really want to though, possibly something like:
>
> >
> > My .htaccess file is:
> >
> > AuthName "My Security Area"
> > AuthType Basic
> > AuthUserFile  /myusersfilepath/
>
> SetEnvIf Referer ^https?://my.referer.host/and/path let_me_in
> Require env let_me_in
> > require valid-user
>
> in that order.
>
>
> Regards,
> Yann.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] .htaccess

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Rondon,

On Fri, Sep 15, 2017 at 12:27 AM, Rondon <dj...@gmail.com> wrote:
> Hi Folks,
>
> Sorry to bother you.
> My website is using apache at Dreamhost.
>
> I'm authenticating using a require valid-user at .htaccess
> But I need to add more directives to authenticate the access by Referer.
>
> If the user comes from a specific referer, the user doesn't have to receive
> the authentication box and bypass the authentication.

First I must say that it's IMHO not a wise thing to do!
Keep in mind that the Referer can be forged at will by any user,
fooling your authorizations...

>
> Is that possible?

If you really want to though, possibly something like:

>
> My .htaccess file is:
>
> AuthName "My Security Area"
> AuthType Basic
> AuthUserFile  /myusersfilepath/

SetEnvIf Referer ^https?://my.referer.host/and/path let_me_in
Require env let_me_in
> require valid-user

in that order.


Regards,
Yann.
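
Added example, not part of the thread and not httpd's own code: a simplified Python model of the two Require lines suggested above, for checking which requests skip the password prompt before a SetEnvIf pattern is deployed. The function names, the tightened pattern and the sample requests are constructed for this example; note that the expected Referer value is admitted without credentials under both patterns, because the header is supplied by the client.

```python
import re

# Pattern exactly as suggested in the thread, and a tightened variant
# (dots escaped, path terminated). The tightened form is this example's
# assumption, not something proposed in the thread.
THREAD_PATTERN = r"^https?://my.referer.host/and/path"
TIGHT_PATTERN = r"^https?://my\.referer\.host/and/path(?:[/?]|$)"


def decide(headers, valid_user, pattern):
    """Simplified model of the thread's .htaccess under httpd 2.4.

    SetEnvIf sets let_me_in when the Referer header matches `pattern`
    (an unanchored regex search unless the pattern anchors itself).
    Two Require lines with no container behave like RequireAny:
    either one being satisfied grants access.
    Returns (status, reason).
    """
    let_me_in = re.search(pattern, headers.get("Referer", "")) is not None
    if let_me_in:
        return 200, "env let_me_in (no credentials checked)"
    if valid_user:
        return 200, "valid-user"
    return 401, "authentication required"


# Constructed sample requests: (label, headers, has valid Basic credentials)
SAMPLES = [
    ("expected referer", {"Referer": "https://my.referer.host/and/path"}, False),
    ("dot matches any char", {"Referer": "https://my-referer-host/and/path"}, False),
    ("longer path", {"Referer": "https://my.referer.host/and/path-other"}, False),
    ("no Referer sent", {}, False),
    ("no Referer, logged in", {}, True),
]


def audit(pattern):
    """Map each constructed sample to the status the model returns."""
    return {label: decide(h, ok, pattern)[0] for label, h, ok in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("thread", THREAD_PATTERN), ("tightened", TIGHT_PATTERN)):
        print(name, audit(pat))
```

Requests that arrive with no Referer header (for example when the linking page sets a restrictive referrer policy) fall through to `valid-user` and still get the login box.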
