How to disallow, anyone but an IP address access

I want to only allow one or more IP addresses access to any file in a folde

         

DKDiveDude

11:32 pm on Feb 23, 2004 (gmt 0)

10+ Year Member



Please forgive me if this has already been covered. If it has, please guide me towards the thread.

Anyways, I want to ONLY allow one or more IP addresses access to files in a folder and its subfolders, and NOT via a browser's URL address field either.

With my limited knowledge, I guess it should look something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !69.56.255.53
RewriteRule \.$ - [F,NC]

Even if the above is right, how do I then add one more IP address?

jdMorgan

2:19 am on Feb 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do you want to allow users at a single IP address to access the pages, or users referred from a single IP address?

What you've got is for referrers.

This would allow only the two computers at the specified IP addresses to access the files:


RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.89$
RewriteCond %{REMOTE_ADDR} !^123\.45\.67\.90$
RewriteRule ^subfolder_name - [F]

Jim

DKDiveDude

2:56 am on Feb 24, 2004 (gmt 0)

10+ Year Member



Thanks for your reply Jim. Let me try and explain what I need.

I want to limit access to a particular folder, for only one IP address, as in my example.

This IP address is actually several websites, sharing the same IP address.

I guess I could use the sites' "normal" domain names as a filter, but there are 15+ sites, which all share the same IP address.

I only want that one particular website to access files, all types, in one particular folder on another website. The access comes from links on those sites, sharing that IP address, and those only. Nobody else, not even a direct access (hotlinking) through a web browser is to be allowed access.

Does this help?

jdMorgan

3:24 am on Feb 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> The access comes from links on those sites, sharing that IP address, and those only.

Then it sounds like you need to use {HTTP_REFERER}.

Be advised that HTTP_REFERER is not reliable. In order to avoid problems, you will have to allow blank referers, which opens a "hole" in your blocking. But if you don't allow blank referers, then your visitors will have problems if they come through a caching proxy - such as those used by AOL and other ISPs. That said, here's the "standard" code:


RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?thesitetobeallowed\.com/allowedsubfolder/
RewriteCond %{HTTP_REFERER} !^http://(www\.)?anothersitetobeallowed\.com/allowedsubfolder/
RewriteRule .* - [F]

If access is attempted from any other sites or subfolders, it will fail as long as referer data is available.

Remember to flush your browser cache before each test.

Jim

DKDiveDude

6:01 pm on Feb 24, 2004 (gmt 0)

10+ Year Member



Thanks Jim, however I need to disallow blank referers.

You see, this access is for files only allowed to members of other websites, all sharing the same IP address. Access comes from hyperlinks on those sites, no matter which folder these pages with links might be in. (I think you misunderstood me earlier).

Files are stored on another website in a particular folder, a folder which I want to protect.

I had hoped I could just have one HTTP_REFERER statement, since these sites all share the same IP address, something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !69.56.255.53
RewriteRule .* - [F]

But if this is NOT possible, I guess I need the following, for about 15 website domain names, which is not that elegant and slows down things a bit:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?(website1|website2|website3|web ... site14|website15)\.com [NC]
RewriteRule .* - [F]

Correct?

[edited by: jdMorgan at 8:14 pm (utc) on Feb. 24, 2004]
[edit reason] Fix long line wrapping [/edit]

jdMorgan

8:25 pm on Feb 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> In order to avoid problems, you will have to allow blank referers.

There's nothing you can do about that - it is a fact that you cannot rely on HTTP_REFERER being present.

I suggest you look into other authentication methods, such as serving the images with script, using session IDs, or proxying connections from the "front-end" sites to the image server (in this case, the image server will be set up to reject connections from any other machines). There are lots of ways to do it, but HTTP_REFERER is only for "good enough" security.

Access by referer is not going to work for you in a commercial environment, because you have to make a choice; either allow blank referers, or block 15% of your logged-in, validated users.

For example, take a look at your raw server log files, and look at AOL accesses - almost none of them will have a referer, because the AOL caching system acts as a proxy for AOL users. Then you've got users behind firewalls -- corporate network firewalls, Zone Alarm, Norton Internet Security, all of which can be set to block referers, some without the user being aware of it. This can be a public-relations and help-desk disaster for a commercial site.

Jim

DKDiveDude

5:39 pm on Mar 23, 2004 (gmt 0)

10+ Year Member



Hi JD,

where do I start to look for "proxying connections from the "front-end" sites to the image server"?

I am blank on the subject.

I have a dedicated Linux Server, so I can and will do whatever it takes, to protect some content.

Thanks

jdMorgan

6:56 pm on Mar 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Start here [httpd.apache.org] -- You will be configuring a reverse proxy for your specific application.

Jim
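
The reverse-proxy arrangement suggested in this thread, sketched as an added example that is not part of the original posts. The host name `files.example.com` and the paths `/members/files/` and `/protected/` are hypothetical. The sketch assumes the front-end server's outbound connections originate from 69.56.255.53 (the address given in the thread) and that the front-end site already requires a member login for `/members/`.

```apache
# ---------------------------------------------------------------
# Front-end site (one of the sites on 69.56.255.53)
# Server or <VirtualHost> context, mod_proxy loaded.
# ---------------------------------------------------------------

# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

# Members request /members/files/... from the front-end site.
# The front-end fetches the file from the file server on their behalf,
# so the browser never talks to the file server directly and the
# Referer header plays no part in the decision.
ProxyPass        /members/files/ http://files.example.com/protected/
ProxyPassReverse /members/files/ http://files.example.com/protected/

# /members/ must stay behind the site's own login check. Without it the
# proxy simply republishes the protected folder to everyone.

# ---------------------------------------------------------------
# File server: .htaccess in the document root
# ---------------------------------------------------------------

RewriteEngine on

# REMOTE_ADDR is the address of the TCP peer, which the client cannot
# set the way it can set or omit Referer. Only the front-end server
# passes; direct browser access and hotlinks get 403 Forbidden.
RewriteCond %{REMOTE_ADDR} !^69\.56\.255\.53$
RewriteRule ^protected/ - [F]
```

Because every site on the shared address proxies from the same machine, one `REMOTE_ADDR` condition covers all of them, and blank referers from caching proxies or firewalls no longer matter.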