I have an web application server sit behind an apache reverse proxy server and there is a web portal in front of the reverse proxy.

web portal <> reverse proxy <> web application

I want to restrict user to access the web app server only through the web portal. I have tried to use the RewriteCond %{HTTP_REFERER} to check if the request is refer from the web portal. But then I encounter a problem, since the web page of the web application server display some direct links on its page (e.g. href=/test/image.gif), the %{HTTP_REFERER} blocked these access as well (HTTP_REFERER = ""}, and I cannot do any modification on the web application.

Is there anyway I could restrict direct access to the web application while allowing the direct link on itself to work? Or can I check if the request is from the page itself?