Re: avoid user direct access *.html
On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
> If I want to avoid users directly accessing my .html files, say by typing the complete URL in the browser, is it possible? In PHP, I can check the HTTP_REFERER to make sure connections originate from the same website. If the HTTP_REFERER is empty or does not belong to the same website, I can redirect the client to another webpage. However, when it comes to static .html or even .jpg files, is it possible to configure apache to avoid that situation?

no. you can't trust user-supplied data such as HTTP_REFERER for anything. security based on HTTP_REFERER is as dumb as security based on IP address. it doesn't work, and it can't work (sorry, but "sort of works sometimes in conditions completely outside of my control" does not qualify as "works").

some browsers don't provide HTTP_REFERER, and some privacy-enhancing proxies strip it from all requests. in addition, it is trivially easy for anyone to forge HTTP_REFERER in any request.

if you don't want static html (or any other file type) to be directly fetchable by end-users then don't put them under your document root. alternatively, use a real authentication method to restrict access.

craig

-- 
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: avoid user direct access *.html
Hello Craig Sanders [EMAIL PROTECTED],

I was considering putting the static files outside the DocumentRoot; however, I'm afraid it will add directory complexity. And you said a real authentication method could be useful. How? Since they are just static files, I can't embed authentication in them, right?

On Tue, 30 Apr 2002 14:07:21 +1000
Craig Sanders [EMAIL PROTECTED] wrote:

> On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
>> If I want to avoid users directly accessing my .html files, say by typing the complete URL in the browser, is it possible? In PHP, I can check the HTTP_REFERER to make sure connections originate from the same website. If the HTTP_REFERER is empty or does not belong to the same website, I can redirect the client to another webpage. However, when it comes to static .html or even .jpg files, is it possible to configure apache to avoid that situation?
>
> no. you can't trust user-supplied data such as HTTP_REFERER for anything. security based on HTTP_REFERER is as dumb as security based on IP address. it doesn't work, and it can't work (sorry, but "sort of works sometimes in conditions completely outside of my control" does not qualify as "works").
>
> some browsers don't provide HTTP_REFERER, and some privacy-enhancing proxies strip it from all requests. in addition, it is trivially easy for anyone to forge HTTP_REFERER in any request.
>
> if you don't want static html (or any other file type) to be directly fetchable by end-users then don't put them under your document root. alternatively, use a real authentication method to restrict access.
>
> craig
>
> -- 
> craig sanders [EMAIL PROTECTED]
>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch

-- 
Patrick Hsieh [EMAIL PROTECTED]

GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
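Answering the question above in configuration terms, here is an added example; it is not from any poster in this thread. It keeps the static tree outside the DocumentRoot, as Craig suggested, and exposes it through an Alias guarded by HTTP Basic authentication, which Apache enforces on every request for those files whether the URL was typed directly or reached by a link. The paths and the realm name are assumptions.

```apache
# Added example, not from the thread. Paths and realm name are assumptions.
# The files live outside the DocumentRoot and are reachable only via this Alias.
Alias /members/ /srv/www/private/members/

<Directory /srv/www/private/members/>
    # Real authentication: Apache checks credentials on every request for
    # anything in this tree. The Referer header plays no part in the decision.
    AuthType Basic
    AuthName "Members area"
    # Password file created with: htpasswd -c /etc/apache/members.htpasswd alice
    AuthUserFile /etc/apache/members.htpasswd
    Require valid-user

    # No directory listings even for authenticated users
    Options -Indexes
</Directory>
```

Create the password file with `htpasswd -c /etc/apache/members.htpasswd alice` (drop `-c` for subsequent users). Basic authentication sends the credentials with every request in a trivially decodable encoding, so serve the site over TLS. Unlike a Referer check, this is access control: the decision depends on something the client has to prove, not on a header it can omit or set at will.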
Re: avoid user direct access *.html
On Mon, 2002-04-29 at 20:12, Patrick Hsieh wrote:
> If I want to avoid users directly accessing my .html files, say by typing the complete URL in the browser, is it possible? In PHP, I can check the HTTP_REFERER to make sure connections originate from the same website. If the HTTP_REFERER is empty or does not belong to the same website, I can redirect the client to another webpage. However, when it comes to static .html or even .jpg files, is it possible to configure apache to avoid that situation?

We use mod_rewrite to block external websites from directly linking to images on one of our websites. Based on the situation, we either return a 403 Forbidden code or provide a watermarked version of the requested image.

Please keep in mind the advice given by others on this list that you can't trust user-supplied data. You can't use HTTP_REFERER to protect your data, but it's a great tool to stop external websites from stealing your bandwidth.

-- 
See you,

Bart-Jan
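The mod_rewrite arrangement Bart-Jan describes, written out as an added example (not his actual configuration; the hostname, image directory and watermark path are assumptions). It belongs in the server or virtual host context, where RewriteRule patterns see the URL-path with its leading slash. Requests with no Referer are deliberately let through, since, as noted earlier in the thread, some browsers and proxies omit it; that is also why this is a bandwidth measure and not access control.

```apache
# Added example, not the poster's configuration. Host and paths are assumptions.
RewriteEngine On

# Block only when a Referer is present AND it is not one of our own pages.
# An empty Referer is allowed on purpose: browsers and privacy proxies that
# omit it would otherwise see broken images.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]

# Option 1: refuse with 403 Forbidden. The "-" target leaves the URL unchanged;
# [F] sends the status, [NC] makes the extension match case-insensitive.
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]

# Option 2 (use instead of Option 1; RewriteCond lines only apply to the
# RewriteRule immediately following them, so they are repeated here):
# serve a watermarked copy from a separate directory. The pattern matches only
# /images/, so the rewritten /watermarked/ URL is never rewritten again.
#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
#RewriteRule ^/images/(.*\.(gif|jpe?g|png))$ /watermarked/$1 [L,NC]
```

While tuning the conditions, Apache 1.3 and 2.0 (the versions current for this thread) can log each rule evaluation with `RewriteLog` and `RewriteLogLevel 3`; a foreign-referer image request should then show up as a 403 in the access log, and a request with no Referer at all should still be served.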
Re: avoid user direct access *.html
Not sure I understand your question.

-- 
Arthur H. Johnson II
Senior Systems Engineer
The Linux Box
206 S. Fifth Ave. Suite 150
Ann Arbor, MI 48104
tel. 734-761-4689
fax. 734-769-8938
pgr. 734-882-0323

On Mon, 29 Apr 2002, Patrick Hsieh wrote:

> Hello,
>
> In apache, if I want to avoid users directly accessing .html or .htm files, is it possible? I hope users will always use http://domain.con/dir/ or http://domain.con/dir/index.php, instead of directly accessing static .html or .htm files (referral access is OK). Is it possible in configuration?
Re: avoid user direct access *.html
>>>>> "PH" == Patrick Hsieh [EMAIL PROTECTED] writes:

[...]

PH> In PHP, I can check the HTTP_REFERER to make sure connections
PH> originate from the same website. If the HTTP_REFERER is empty
PH> or does not belong to the same website, I can redirect the client
PH> to another webpage.

[...]

Please do NOT do this. It will seem to work most of the time, but it will most certainly fail for perfectly valid requests. Both HTTP 1.0 and 1.1 leave it as optional.

If you must control access in this manner I'd say use some session mechanism or come up with a method that doesn't break under perfectly valid client behaviour.

cheers,
BM
avoid user direct access *.html
Hello,

In apache, if I want to avoid users directly accessing .html or .htm files, is it possible? I hope users will always use http://domain.con/dir/ or http://domain.con/dir/index.php, instead of directly accessing static .html or .htm files (referral access is OK). Is it possible in configuration?

-- 
Patrick Hsieh [EMAIL PROTECTED]

GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg