Posted to users@httpd.apache.org by "Gary W. Smith" <ga...@primeexalia.com> on 2005/05/31 19:54:00 UTC

[users@httpd] RewriteRule question

I have been trying to implement a restriction list on server by referrer
only.  It doesn't seem to be working.  I have a directory called restricted
that holds some PDF (as well as other) documents that I want to prevent
access to unless they have clicked the link on our site.  Most of this is
for user tracking.

I have the following rule in place:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
RewriteRule ^/restricted/.+ - [F]

But it doesn't seem to protect anything in that directory if I just type in
the URL.  To make things a little more interesting I have two IPs on that
box.  The second IP (.41) should always get a restricted page based on the
above rules.

Can anyone see anything obviously wrong with this?

Any help would be greatly appreciated.

Gary Smith


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] RewriteRule question

Posted by Noah <si...@onastick.net>.
On Tue, May 31, 2005 at 12:33:35PM -0700, Gary W. Smith wrote:
> I have also tried 
> 
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} ^$
> RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
> RewriteRule ^/restricted/.+ - [F]
> 
> And 
> 
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
> RewriteRule ^/restricted/.+ - [F]
> 
> As well.  I think the first conditional line should have been removed
> but I left it there during some of the test cases.

For debugging (and *only* for debugging; do not do this on a production
server), set:

RewriteLog /path/to/rewrite.log
RewriteLogLevel 9

mod_rewrite's debug logging is quite verbose, and should help you
isolate the issue. As an aside, the parentheses around the IP address in
your regex are not needed, and may result in a slight performance hit.

--n

-- 
When the need arises -- and it does -- you must be able to shoot your own 
dog. Don't farm it out -- that doesn't make it nicer, it makes it worse.
                                        --Robert A. Heinlein



Re: [users@httpd] RewriteRule question

Posted by "Gary W. Smith" <ga...@primeexalia.com>.
I have also tried 

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
RewriteRule ^/restricted/.+ - [F]

And 

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
RewriteRule ^/restricted/.+ - [F]

As well.  I think the first conditional line should have been removed
but I left it there during some of the test cases.

Still it doesn't work.

Gary


On 5/31/05 11:46 AM, "Arne Heizmann" <Ar...@csr.com> wrote:

> Gary W. Smith wrote:
>> 
>> I have the following rule in place:
>> 
>> RewriteEngine on
>> RewriteCond %{HTTP_REFERER} !^$
>> RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
>> RewriteRule ^/restricted/.+ - [F]
> 
> So suppose I go in with an empty referrer. The first condition is false.
> Therefore the rule is not applied, therefore I am granted access.
> 
> Perhaps you meant ^$ rather than !^$. But notice that testing for empty
> referrer is redundant, because the second condition will already catch
> it. So I guess it's enough to make that your only condition.
> 
> Timwi
> 




Re: [users@httpd] RewriteRule question

Posted by Arne Heizmann <Ar...@csr.com>.
Gary W. Smith wrote:
> 
> I have the following rule in place:
> 
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://(10\.20\.30\.40)/.*$ [NC]
> RewriteRule ^/restricted/.+ - [F]

So suppose I go in with an empty referrer. The first condition is false. 
Therefore the rule is not applied, therefore I am granted access.

Perhaps you meant ^$ rather than !^$. But notice that testing for empty 
referrer is redundant, because the second condition will already catch 
it. So I guess it's enough to make that your only condition.

Timwi
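
The implicit AND between RewriteCond lines described in the reply above, as an added example that is not part of the original thread: a small Python model (not mod_rewrite itself) that evaluates the three condition sets posted in this thread against constructed requests. It assumes the rule sits in server or virtual-host context, where the path keeps its leading slash, and that an absent Referer header expands to an empty string.

```python
import re

# The three RewriteCond sets posted in the thread; all of them guard
#   RewriteRule ^/restricted/.+ - [F]
# Each condition is (pattern, negated). [NC] is modelled with re.IGNORECASE.
SITE = r"^http://(10\.20\.30\.40)/.*$"
VARIANTS = {
    "original (!^$ AND !site)": [(r"^$", True), (SITE, True)],
    "second try (^$ AND !site)": [(r"^$", False), (SITE, True)],
    "single condition (!site)": [(SITE, True)],
}
RULE = re.compile(r"^/restricted/.+")


def cond_true(pattern, negated, referer):
    matched = re.search(pattern, referer, re.IGNORECASE) is not None
    return matched != negated  # a leading "!" inverts the match result


def is_forbidden(conds, path, referer):
    """[F] applies only if the rule pattern matches AND every RewriteCond is true."""
    if not RULE.search(path):
        return False
    return all(cond_true(p, neg, referer) for p, neg in conds)


# Constructed sample requests: (label, Referer value; "" means header absent)
REQUESTS = [
    ("typed URL, no Referer", ""),
    ("link on our site", "http://10.20.30.40/index.html"),
    ("second IP (.41)", "http://10.20.30.41/index.html"),
    ("other site", "http://example.org/page"),
]


def decision_table(path="/restricted/report.pdf"):
    return {name: {label: is_forbidden(conds, path, ref) for label, ref in REQUESTS}
            for name, conds in VARIANTS.items()}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(name)
        for label, forbidden in row.items():
            print(f"  {label:24} -> {'403' if forbidden else 'served'}")
```

Only the single-condition variant refuses both the typed URL and the off-site referrers while serving the on-site link. The Referer header is supplied by the client, so this check supports tracking rather than access control.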

