Posted to users@httpd.apache.org by Myles Wakeham <my...@techsol.org> on 2008/01/18 23:27:28 UTC

[users@httpd] Looking for suggestions for URL redirection

Hi there,  I hope that someone might have an idea or suggestion to help me
here.

 

I have a web application running on Linux in Apache 2, php5.  The
application manages a media database that is accessed by subscription.  The
content is served off separate Apache servers - some are located in
different geographic regions.  All users access the content by common URL,
such as http://www.maindomain.com/123/file.avi

 

I use .htaccess with mod_rewrite to modify the incoming URL to a PHP script
such as http://www.maindomain.com/getfile.php?user=123&file=file.avi

 

This works great and the PHP script is called, logs the request, checks the
user's subscription rights, and if ok redirects them to the actual file to
obtain by way of a Header() command (i.e. modifies the HTTP header to do a
Location: .. to where the file actually resides).

 

Although this works perfectly, the problem is that the user's browser will
change to reflect the endpoint URL where the file actually resides.  Users
then simply have been cutting & pasting this URL into their own websites and
providing unaudited access to the raw file directly and bypassing our
script.

 

I need to find a way to do this without displaying the endpoint URL to the
user in any way.  But it has to be able to be done through a PHP script.
Clearly Header() in PHP isn't cutting it.  I also have to use Apache at each
endpoint web server location.

 

I'm wondering if anyone has a suggestion on how best to do this?  Can I
install something in .htaccess on the endpoint server end to reject incoming
requests that are not via authenticated redirects?  Can I use the
HTTP_REFERRER in some way to ensure that what has come to this server came
by way of a legitimate referral?

 

All ideas are greatly appreciated.

 

Thanks

Myles

 


RE: [users@httpd] Looking for suggestions for URL redirection

Posted by Myles Wakeham <my...@techsol.org>.
Thank you for this suggestion.  I think I can see a way of doing it with
mod_rewrite. 

Much appreciated.

Myles

-----Original Message-----
From: Michael McGlothlin [mailto:michaelm@swplumb.com] 
Sent: Friday, January 18, 2008 3:37 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Looking for suggestions for URL redirection

I'd suggest using RewriteCond's in Apache to check the request headers 
for the right behavior and to deny if not right.
>
> Hi there, I hope that someone might have an idea or suggestion to help 
> me here.
>
> I have a web application running on Linux in Apache 2, php5. The 
> application manages a media database that is accessed by subscription. 
> The content is served off separate Apache servers - some are located 
> in different geographic regions. All users access the content by 
> common URL, such as http://www.maindomain.com/123/file.avi
>
> I use .htaccess with mod_rewrite to modify the incoming URL to a PHP 
> script such as 
> http://www.maindomain.com/getfile.php?user=123&file=file.avi 
> <http://www.maindomain.com/getfile.php?user=123&file=file.avi>
>
> This works great and the PHP script is called, logs the request, 
> checks the user's subscription rights, and if ok redirects them to the 
> actual file to obtain by way of a Header() command (ie. Modifies the 
> HTTP header to do a Location: .. To where the file actually resides).
>
> Although this works perfectly, the problem is that the user's browser 
> will change to reflect the endpoint URL where the file actually 
> resides. Users then simply have been cutting & pasting this URL into 
> their own websites and providing unaudited access to the raw file 
> directly and bypassing our script.
>
> I need to find a way to do this without displaying the endpoint URL to 
> the user in anyway. But it has to be able to be done through a PHP 
> script. Clearly Header() in PHP isn't cutting it. I also have to use 
> Apache at each endpoint web server location.
>
> I'm wondering if anyone has a suggestion on how best to do this? Can I 
> install something in .htaccess on the endpoint server end to reject 
> incoming requests that are not via authenticated redirects? Can I use 
> the HTTP_REFERRER in some way to ensure that what has come to this 
> server came by way of a legitimate referral?
>
> All ideas are greatly appreciated.
>
> Thanks
>
> Myles
>


-- 
Michael McGlothlin
Southwest Plumbing Supply





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Looking for suggestions for URL redirection

Posted by Michael McGlothlin <mi...@swplumb.com>.
I'd suggest using RewriteCond's in Apache to check the request headers 
for the right behavior and to deny if not right.
>
> Hi there, I hope that someone might have an idea or suggestion to help 
> me here.
>
> I have a web application running on Linux in Apache 2, php5. The 
> application manages a media database that is accessed by subscription. 
> The content is served off separate Apache servers – some are located 
> in different geographic regions. All users access the content by 
> common URL, such as http://www.maindomain.com/123/file.avi
>
> I use .htaccess with mod_rewrite to modify the incoming URL to a PHP 
> script such as 
> http://www.maindomain.com/getfile.php?user=123&file=file.avi 
> <http://www.maindomain.com/getfile.php?user=123&file=file.avi>
>
> This works great and the PHP script is called, logs the request, 
> checks the user’s subscription rights, and if ok redirects them to the 
> actual file to obtain by way of a Header() command (ie. Modifies the 
> HTTP header to do a Location: …. To where the file actually resides).
>
> Although this works perfectly, the problem is that the user’s browser 
> will change to reflect the endpoint URL where the file actually 
> resides. Users then simply have been cutting & pasting this URL into 
> their own websites and providing unaudited access to the raw file 
> directly and bypassing our script.
>
> I need to find a way to do this without displaying the endpoint URL to 
> the user in anyway. But it has to be able to be done through a PHP 
> script. Clearly Header() in PHP isn’t cutting it. I also have to use 
> Apache at each endpoint web server location.
>
> I’m wondering if anyone has a suggestion on how best to do this? Can I 
> install something in .htaccess on the endpoint server end to reject 
> incoming requests that are not via authenticated redirects? Can I use 
> the HTTP_REFERRER in some way to ensure that what has come to this 
> server came by way of a legitimate referral?
>
> All ideas are greatly appreciated.
>
> Thanks
>
> Myles
>


-- 
Michael McGlothlin
Southwest Plumbing Supply



Re: [users@httpd] Looking for suggestions for URL redirection

Posted by so...@apache.org.
On 1/18/08, Myles Wakeham <my...@techsol.org> wrote:
> I have a web application running on Linux in Apache 2, php5.  The
> application manages a media database that is accessed by subscription.  The
> content is served off separate Apache servers – some are located in
> different geographic regions.  All users access the content by common URL,
> such as http://example.com/123/file.avi
>
> I use .htaccess with mod_rewrite to modify the incoming URL to a PHP script
> such as
> http://example.com/getfile.php?user=123&file=file.avi
>
> The PHP script is called, logs the request, checks the
> user's subscription rights, and if ok redirects them to the actual file to
> obtain by way of a Header() command (ie. Modifies the HTTP header to do a
> Location: ….  To where the file actually resides).
>
> Although this works perfectly, the problem is that the user's browser will
> change to reflect the endpoint URL where the file actually resides.  Users
> then simply have been cutting & pasting this URL into their own websites and
> providing unaudited access to the raw file directly and bypassing our
> script.
>
> I need to find a way to do this without displaying the endpoint URL to the
> user in anyway.  But it has to be able to be done through a PHP script.
> Clearly Header() in PHP isn't cutting it.  I also have to use Apache at each
> endpoint web server location.
>
> I'm wondering if anyone has a suggestion on how best to do this?  Can I
> install something in .htaccess on the endpoint server end to reject incoming
> requests that are not via authenticated redirects?  Can I use the
> HTTP_REFERRER in some way to ensure that what has come to this server came
> by way of a legitimate referral?
>
> All ideas are greatly appreciated.
>
> Thanks
> Myles

You have two issues.
1. How to redirect so browsers do not learn the address of the media servers.
2. How to block direct access to the media servers.

The first issue is the URLs are redirecting to the media server.  You
do not want redirection; you want proxy.  The media should come from
the main server during the request that activated the PHP script.  The
second issue can be solved with firewalls.

This ML would be good for explaining how Apache httpd security could
work with your authorization system.  By your specification, this is a
PHP issue and does not belong on the httpd ML as you prohibited
non-PHP solutions.  This code should send the file as the response to
the current request:
HttpResponse::setFile("http://media.example.com/file.mpg");
HttpResponse::send();

solprovider
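
The proxy approach described in the reply above, as an added example that is not code from the thread or from any poster: getfile.php checks the subscription and then streams the file from the media server itself, so the client never receives the endpoint URL. MEDIA_BASE, its host name and the SUBSCRIPTIONS table are constructed placeholders; PHP 7.1+ with the cURL extension is assumed.

```php
<?php
// Added example: getfile.php streams the media itself instead of redirecting.
// MEDIA_BASE and SUBSCRIPTIONS are constructed placeholders, not from the thread.
const MEDIA_BASE = 'http://media.internal.example/'; // firewalled: only this host may connect
const SUBSCRIPTIONS = ['123' => ['file.avi']];        // stand-in for the subscription database

function deny(int $status): void {
    header_remove();               // drop any headers queued from the media server
    http_response_code($status);
    exit;
}

$user = $_GET['user'] ?? '';
$file = $_GET['file'] ?? '';
// Accept only a numeric user id and a plain file name, so the request cannot
// steer the outbound fetch to another path or host on the internal network.
if (!is_string($user) || !is_string($file) || !ctype_digit($user)
    || !preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $file)) {
    deny(400);
}
if (!in_array($file, SUBSCRIPTIONS[$user] ?? [], true)) {
    error_log("denied user=$user file=$file");
    deny(403);
}
error_log("serving user=$user file=$file");
while (ob_get_level() > 0) { ob_end_clean(); } // no PHP-side buffering of large files

$ch = curl_init(MEDIA_BASE . rawurlencode($user) . '/' . rawurlencode($file));
curl_setopt_array($ch, [
    CURLOPT_FOLLOWLOCATION => false, // never chase redirects from the media host
    CURLOPT_FAILONERROR    => true,  // treat 4xx/5xx from the media host as failure
    CURLOPT_CONNECTTIMEOUT => 5,
    // Relay only the media server's type and length headers to the client.
    CURLOPT_HEADERFUNCTION => function ($ch, $line) {
        if (preg_match('/^(Content-Type|Content-Length):/i', $line)) {
            header(trim($line));
        }
        return strlen($line);
    },
    // Pass each chunk straight through as it arrives.
    CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) {
        echo $chunk;
        flush();
        return strlen($chunk);
    },
]);
if (!curl_exec($ch) && !headers_sent()) {
    deny(502);                       // media server unreachable or returned an error
}
```

Because the client only ever talks to the main server, the media hosts can be firewalled to accept connections from that server alone, which is the second half of the reply's advice.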
