LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-19-2015, 02:38 PM   #1
johannes.kepler
LQ Newbie
 
Registered: Jun 2007
Posts: 9

Rep: Reputation: 0
Allow only some domains in .htaccess


Hi,

I'm trying to allow only certain domains and subdomains to access a specific folder in my domain.

Actually, I have one subdomain, sub.domain.com, in a dir called sub in my domain.com

What I want is that the user must call one page like sub.domain.com/page.html but from the right referrer.
No other domains might call it unless they are authorized (like domain1.com or domain2.com for instance)

Also, in those authorized domains, they might be in the form www.domain1.com

I'm trying the following:

AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .domain.com
allow from .sub.domain.com
allow from .domain1.com
allow from .domain2.com
</Limit>

but I get a 403 for all!!!

Any ideas?

Kind regards,

JKepler

Last edited by johannes.kepler; 12-19-2015 at 07:53 PM.
 
Old 12-21-2015, 07:18 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721
(I'd move your tries out of .htaccess and put it in the proper configuration file, if you have access. Use of the .htaccess files is generally to be avoided because it complicates things, usually unnecessarily.)

About allow and deny, they are affected by the host the user is actually connecting from and have nothing to do with the "referer" field. What you'll want will most likely involve using variables inside Apache. Here is a starting point:

https://httpd.apache.org/docs/2.4/en...ml#image-theft

Note that headers can be forged so you are not going to be providing any serious access control using that method, just a nudge in the direction you want.
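
An added configuration example (not part of the reply above and not taken from the Apache documentation it links to) contrasting the host-based rules from the first post with a Referer-based rule built on an Apache environment variable. It uses the placeholder domains from the question; the directory path and the variable name allowed_referer are assumptions.

```apache
# Added example. Needs mod_setenvif and mod_authz_core (Apache 2.4).
# The directory path and the variable name are assumed placeholders.

# What the rules in the first post test: "Allow from .domain.com" is matched
# against the reverse-DNS name of the client's IP address, not against the
# Referer header. Ordinary visitors do not connect from hosts under these
# domains, so every request ends in 403:
#   Order deny,allow
#   Deny from all
#   Allow from .domain.com

# Referer-based variant. The host part is anchored on both sides so that
# look-alike values such as "domain.com.example.net" or "notdomain.com"
# do not set the variable. An optional "www." or other subdomain is accepted.
SetEnvIfNoCase Referer "^https?://([a-z0-9-]+\.)*(domain|domain1|domain2)\.com(:[0-9]+)?(/|$)" allowed_referer

<Directory "/var/www/domain.com/sub">
    <Files "page.html">
        # Served only when the Referer matched the pattern above.
        Require env allowed_referer
    </Files>
</Directory>
```

Requests that carry no Referer at all (direct visits, or browsers applying a strict Referrer-Policy) are denied by this rule. Because the header is supplied by the client, the rule only discourages casual linking from other sites and does not authenticate the caller.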
 
Old 12-23-2015, 09:34 AM   #3
johannes.kepler
LQ Newbie
 
Registered: Jun 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Hi,

I thought of using the JavaScript hostname variable. But can this be faked as well? I've made a small script that checks this variable and if it's different from the authorized website A it redirects to a denied.html page. The hacker can read the code, but can he change it?

Another idea is this:
- the website A calls a script from my website requesting a key (which contains, encrypted, the date and time of the request). This key is saved both in website A and mine (website B) in file.txt
- The website A calls then the main script. My website checks the referer, and pulls the info from file.txt. It checks then the information saved from both servers. If there's no match, the request is denied.

I think this might work; the hacker cannot change the info in file.txt - he can only read it. But my script will get the info only from the authorized website A. If the referer is spoofed, file.txt is not. file.txt is, in fact, a sort of the "website A cookie"....

Can this work?...

Regards,

JKepler
 
  

