I've searched for solutions and not finding a clear answer - It's a little out of my field but I need to find an answer in a pinch.
I use an .htaccess to verify and allow access to certain webpages from outside links.
here's a sample of what I use:
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.website_abc.com/
RewriteCond %{HTTP_REFERER} !^http://www.website_xyz.com/
RewriteRule /* http://www.mysite.com/denied_message.php [R,L]
this works as I want it to - I list the sites that I want to access and park .htaccess in a root directory.
My problem is when someone is linking from HTTPS it block's them even if they are in the list (and I tried putting https in the list as well).
I found various answers but none that I fully understood or that did the trick.
one was using :
RewriteCond %{HTTPS} on
but that allowed anyone in from any location.
Can someone spell this out for me?
apache / LAMP
Thanks!
RewriteCond %{HTTPS} on
This adds a condition that the actual request for your site is through HTTPS. You only want to match the referer. I'm not sure what you've tried as far as adding https:// versions of what you have in your referer checks, but this works when I put them in a blank htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.website_abc.com/
RewriteCond %{HTTP_REFERER} !^http://www.website_xyz.com/
RewriteCond %{HTTP_REFERER} !^https://www.website_abc.com/
RewriteCond %{HTTP_REFERER} !^https://www.website_xyz.com/
RewriteRule /* http://www.mysite.com/denied_message.php [R,L]
Related
I have created a redirect that redirects the user to the mobile site when on a mobile device, however it is only working on the homepage? How do I get it to work for all pages?
This is the code I have:
RewriteEngine On
# Check for mime types commonly accepted by mobile devices
RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC]
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^ https://m.my-website.com%{REQUEST_URI} [R,L]
I am a novice when it comes to .htaccess files so any help is greatly appreciated.
As anubhava sir already mentioned about removing the condition + I am trying to improve your code too, have your htaccess in following way:
Rewriteengine ON
RewriteCond %{HTTP_ACCEPT} (?:text\/vnd\.wap\.wml)|(?:application\/vnd\.wap\.xhtml\+xml) [NC]
RewriteRule ^ https://m.my-website.com%{REQUEST_URI} [NE,R,L]
I have added NE flag(check documentation https://httpd.apache.org/docs/2.4/rewrite/flags.html#page-header for more details on it) to your redirect rule, then I have created non-capturing group to segregate your patterns check in your condition check part, to make it much clearer.
I want to block access to my .html files to those who do not come from a specific referrer. Referrer domain is not primary domain. (referrer domain looks like this: http://sub.domain.com/3452434512 where this part: "3452434512" is always different)
This is how my .htaccess file looks like (found example on apache.org):
RewriteEngine on
RewriteCond "%{HTTP_REFERER}" "!subdomain.example.com" [NC]
RewriteRule "\.html" "http://redirect.here.com" [R]
But it does not work, it redirects all traffic to redirect domain. Where is the mistake?
Found several older (from 2004 and 2009) examples that did not work either.
EDIT: Version of Apache is 2.2 so I tried this version:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !subdomain.example.com [NC]
RewriteRule \.(html|jpg|png|php)$ http://redirect.here.com [R,NC]
But this didnt work too.
I have been stuck on this problem for hours and cannot find a suitable solution. I am running an ecommerce CMS from a directory eg. mywebsite.com/store/
/ has an .htaccess file which doesn't seem to change anything in /store/
/store/ has its own .htaccess file which i have been adding changes too
I have been trying to restrict access to the admin panel using the following rule to only 2 IP addresses.
RewriteCond %{REQUEST_URI} !^/store/?(index.php/)?admin123/ [NC]
RewriteCond %{REMOTE_ADDR} !^185.66.7.254$ [OR]
RewriteCond %{REMOTE_ADDR} !^217.41.62.40$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
However the major problem is that this redirects all users going to any URL not containing /admin123/ to /, otherwise it works as expected in restricting admin panel. How do I fix this?
UPDATE 08/02: As of yet I still have not found a workable solution to this issue, at best I can blacklist ISP IPs to the whole /store/ folder using "deny from"
Try to define the base path:
RewriteEngine On
RewriteBase /store/
Recently I have encounter a strange issue , my website www.xyz.com is being pointed by some one on the web domain let suppose www.abc.com.
Though the whole website is on www.xyz.com but the other domain display every single content and directory path structure by their domain...e.g. the real path is www.xyz.com/somepage/id/etc can be work by www.abc.com/somepage/id/etc with same directory paths....
This other website is just redirecting everything to my website and I want to stop this domain to use my directory structure. This www.abc.com is also being crawled by Google crawler and added its link in Google search engine.
This is a very new issue to me I have one solution to restrict every single request and check if its from my own website or not.
Second solution is to restrict them through htaccess but I don't find perfect solution using htaccess.
I saw on the web it stop all the referrer, but doing that I am afraid if it will stop users coming from other website to my website ...I just need to restrict other domains to use my whole website as theirs using redirection...i have taken this issue on go daddy and they said they also don't know why the other website is pointing to my ip address ... so clueless I need expert advice to secure my website from future issues like this ...kindly advice...
My htaccess is
Options +FollowSymLinks
IndexIgnore */*
RewriteEngine on
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
and i am using YII...
You can place this rule just below RewriteEngine On line:
RewriteEngine On
RewriteCond %{REMOTE_HOST} abc\.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} abc\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} !xyz\.(com|net)$ [NC]
RewriteRule ^ - [F]
In your .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.xyz\.com$
RewriteCond %{HTTP_HOST} !^subdomain\.xyz\.com$
RewriteRule .* - [F]
I want to know how to prevent hotlinking to resources on my site without hard coding the domain name.
I need this since the software will be used for multiple domains, and may be used as an installation. It would not be feasible to instruct every user to make changes in the htaccess file to enter their current domain.
I have come across a lot of code similar to this. but here as you can see you have to enter the domain name.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule \.(gif|jpg|png)$ - [F,NC]
I have also come across the below snippet from this apache page, which seems to solve the problem. But for some reason cant get it to work.
RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"
RewriteRule ^/images - [F]
Note: i have set up a local domain name to perform the tests. so i access my site as mysite.local instead of localhost/mysite
Is there a way i can prevent hotlinking without hard-coding the domain name in the htaccess ?
Looking at the 2.2 documentation, I think it's actually a lot more simple back then than in 2.4. But test to be sure:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST} [NC]
RewriteRule ^/images - [F]