Protecting one file with RewriteCond

Forum Moderators: phranque

Message Too Old, No Replies

Protecting one file with RewriteCond

DNCamper

2:25 am on Jan 7, 2005 (gmt 0)

I would like to protect one file in a directory with my .htaccess using rewrite

and this is my code that does not seem to work:

<files "file.cgi">
deny from all
</files>
RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://my.site.com/producers/secure [NC]
RewriteCond %{HTTP_REFERER}!^http://my.site.com/users/secure [NC]
RewriteCond %{HTTP_REFERER}!^http://my.site.com/webmasters/secure [NC]
RewriteRule /* [my.site.com...] [R,L]

PS...I do have cgi access in all dir's so that is not the issue.

Thanmks a bunch!

jdMorgan

12:30 am on Jan 9, 2005 (gmt 0)

DNCamper,

I've looked at your code, and can't figure out how the various parts of it relate to what you're trying to achieve. "deny from all" is a mod_access directive, and then that's followed by your mod_rewrite stuff, which apparently controls access to a file named "/" or any number of "/" characters.

So, I don't get it. Please explain what file(name) you are trying to control access to, and under what circumstances you wish to allow and/or deny access. If access is denied, what server response do you wish to generate?

Jim

DNCamper

5:00 am on Jan 9, 2005 (gmt 0)

I would like to protect the "file.cgi" from all users except the the 3 groups coming from the specified directoried. The 3 user groups are controlled from 3 different .htaccess and .htpasswd files in thier respective directories. Once they log in I woul like them to each have access to the file.cgi that is in the root directory, but I don't want access to that file from the public.

If it were just one group of users I could use:

<files "file.cgi">
AuthUserFile D:\producers\.htpasswd
AuthType Basic
AuthName "Producers"
require valid-user
</files>

but I need it to grant access to 3 .htpasswd files or users coming from those 3 directories:

users
producers
webmasters

jdMorgan

4:33 pm on Jan 9, 2005 (gmt 0)

Rather than depend on HTTP_REFERER, which is notoriously unreliable and blocked by many caching proxies and Norton Internet Security, I'd suggest you use mod_alias to "put a copy" of your cgi under each authorized directory. When you alias a script, it just appears to be in the directory structure where you've aliased it -- it's not really copied there. But this allows you to run the script as if it were in that directory/authentication domain, and so would allow you to use simple mod_access code to control access.

If you use HTTP_REFERER, and this is a "paid membership" site, then you will need a 24/7 help desk to answer questions from your users who can't access the site due to problems with HTTP_REFERER.

Jim

DNCamper

3:10 am on Jan 11, 2005 (gmt 0)

ok that sounds like it would work...now where does it go?

In the <VirtualHost> container?
Alias /content/%0/secure/file.cgi D:/usr/htdocs/content/file.cgi

so far that returns a 404