Securing all files but index.html

         

aleeesashaaa

9:56 am on Dec 22, 2009 (gmt 0)

10+ Year Member



Hello,
I'm trying to allow access from all only for the index.html file, while all other files should be accessible only from my website requests.

mysite.com/index.html (allowed)
mysite.com/a.html (allowed only if coming from index.html, otherwise denied)
mysite.com/b.html (allowed only if coming from index.html, otherwise denied)
etc

For all denied requests, it should be redirected to the homepage
Is it possible?

I tried this:

Order deny,allow
deny from All
allow from mysite.com
<FilesMatch "(index)\.html$">
allow from All
</FilesMatch>

But it doesn't redirect and it doesn't work :(

g1smd

10:36 am on Dec 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can do this with cookies and a bit of PHP scripting.

Give the user a cookie when they visit the URL www.example.com/

If a user arrives at any other URL without the cookie, send a 301 HTTP HEADER redirecting them to "/".

Don't link to "/index.html" on your site. Link to "/" instead.
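
The cookie gate described above, as an added example that is not part of the original post. It assumes PHP 7.3+ and that every page request runs this file first; the cookie name, secret and lifetime are placeholders, and the HMAC signature is an addition here so that a client cannot simply make up a cookie value.

```php
<?php
// Added example, not code from the thread. Assumes every page request is
// routed through this script before the page renders; names are placeholders.
const GATE_COOKIE = 'entry_token';                 // hypothetical cookie name
const GATE_SECRET = 'REPLACE_WITH_RANDOM_SECRET';  // placeholder server-side key
const GATE_TTL    = 3600;                          // token lifetime in seconds

// Token = "<expiry>.<HMAC of expiry>", so a client cannot mint or extend one.
function gate_issue(int $now): string
{
    $expires = (string) ($now + GATE_TTL);
    return $expires . '.' . hash_hmac('sha256', $expires, GATE_SECRET);
}

function gate_valid($token, int $now): bool
{
    // $_COOKIE entries can be arrays, so insist on a single "a.b" string.
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return false;
    }
    [$expires, $mac] = explode('.', $token);
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                              // malformed or expired
    }
    // hash_equals() compares in constant time.
    return hash_equals(hash_hmac('sha256', $expires, GATE_SECRET), $mac);
}

$now  = time();
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

if ($path === '/') {
    // Home page: always reachable, and it hands out the cookie.
    setcookie(GATE_COOKIE, gate_issue($now), [
        'expires'  => $now + GATE_TTL,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
} elseif (!gate_valid($_COOKIE[GATE_COOKIE] ?? null, $now)) {
    // Any other URL without a valid cookie: 301 to "/", as described above.
    header('Cache-Control: no-store');  // keep browsers from caching the redirect
    header('Location: /', true, 301);
    exit;
}
// Otherwise fall through and let the requested page render.
```

Without the `no-store` header a browser may cache the 301 and keep redirecting a visitor even after they have picked up the cookie.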

aleeesashaaa

11:20 am on Dec 22, 2009 (gmt 0)

10+ Year Member



So it isn't feasible using .htaccess only? Right?

jdMorgan

10:10 pm on Dec 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No, because .htaccess --in fact the entire Apache server-- has no 'memory' of previous transactions; each HTTP request is handled as if it was the very first and last request ever.

You'll find HTTP Referer-based solutions on the Web. But the problem is that the HTTP Referer header is utterly unreliable: It may not be present at all (for example if the URL is typed in or if the request is from a caching proxy such as those used by AOL and EarthLink), or it may be faked -- and that's easy to do. Therefore, Referer-based access controls are not reliable, and g1smd has recommended the best solution.

Jim

aleeesashaaa

11:22 pm on Dec 22, 2009 (gmt 0)

10+ Year Member



When I say "accessible if come from index.html" I mean that the request comes from the mysite.com domain... I don't need to know if the request comes from the index.html page, so I don't need "memory" of previous transactions. I only want to allow access to index.html, no matter who requests it; and deny access for all other files if the request doesn't come from the mysite.com domain...

jdMorgan

2:29 am on Dec 23, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You are clearly asking for a referer-based solution. It won't work well, because you *must* allow for blank referers. If you need better control, use cookies.

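# Custom error page served for 403 responses
ErrorDocument 403 /403-error.html
#
Options +FollowSymLinks -MultiViews
RewriteEngine on
#
# Skip "/" and "/index.html"
RewriteCond $1 !^(index\.html)?$
# Skip the custom error page itself
RewriteCond $1 !^403-error\.html$
# Referer is non-blank and not from our own domain
RewriteCond %{HTTP_REFERER} !^(https?://(www\.)?example\.com.*)?$ [NC]
RewriteRule ^(.*)$ - [F]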

This will return a 403-Forbidden response if the request is not for "/index.html", "/", or the custom 403 error document (shown here as "403-error.html"), and if the HTTP Referer header is non-blank and not from your own domain. Put a link to your home page on the 403 custom error page, a polite but concise explanation of the problem, and possibly links to your site search, major category pages, etc.

This will work to block off-site-referred visitors about 60% of the time. The rest of the time, the referrer will be legitimately blank or spoofed.

Jim

aleeesashaaa

1:13 am on Dec 31, 2009 (gmt 0)

10+ Year Member



Thank you very much.
I'll search for a good tutorial on htaccess allowed commands (I mean, the tutorial I've seen until now tells about

Order deny,allow
deny from All

But it doesn't speak about RewriteCond, RewriteRule etc. :(