htaccess HELP!

[Jace]

I have a site/directory that I only want myself and my partner to be able to load up

I was going to use a deny all ip's but ours, but the issue is that we have other sites that pull images from this domain

so, how can I restrict anyone but us two from that domain, but allow images to be pulled from ANY domain from there?

[Jace]

basically, the issues is, we have an important control panel on that domain, and I want only us to access that control panel...it is already password protected to get into the control panel....but I still want that extra level of htaccess control to only allow our ip's

[fris]

restrict the main url and let images directory be readable from all

[mortenb]

Ignore me. I misread your post

[V_RocKs]

Or... put the control panel in a directory like,
58ju4Tg
and then restrict access in that directory.

[Jace]

Quote:

Originally Posted by V_RocKs

Or... put the control panel in a directory like,
58ju4Tg
and then restrict access in that directory.

well, the control panel is in a directory, but I want to block access to the entire domain

the images folder is WITHIN the control panel directory though

[BV]

maybe do a symbolic link of the images dir or move the control panel to another dir

[Beaver Bob]

why can't you just store the images somewhere else?

[V_RocKs]

What types of images?

[Jace]

Quote:

Originally Posted by Beaver Bob

why can't you just store the images somewhere else?

it is part of the control panel software and the software is zend encoded with no option to place them elsewhere

[V_RocKs]

ie, just gif, jpg?

[Jace]

Quote:

Originally Posted by V_RocKs

What types of images?

all types

[Evil E]

slkfjaldika;ie';1190-9

[BV]

Quote:

Originally Posted by Jace

it is part of the control panel software and the software is zend encoded with no option to place them elsewhere

u can with a symbolic link of that directory

[Jace]

Quote:

Originally Posted by BV

u can with a symbolic link of that directory

no, i can't...I wish I could though

it HAS to be the way I am saying

I need something in htaccess that blocks EVERYONE out of that domain except our 2 ip's, but allows external sites to access the images in domain.com/cp/images/

[dissipate]

Hire a midget to protect it.

[V_RocKs]

Code:

SetEnvIf Request_URI "\.gif$" imaginer
SetEnvIf Request_URI "\.jpg$" imaginer


Order deny,allow
Allow from env=imaginer
Allow from 71.254.148.228
Deny from all

[V_RocKs]

You can add your own image types and IP's...

And send a hooker to my door.

[Jace]

Quote:

Originally Posted by V_RocKs

Code:

SetEnvIf Request_URI "\.gif$" imaginer
SetEnvIf Request_URI "\.jpg$" imaginer


Order deny,allow
Allow from env=imaginer
Allow from 71.254.148.228
Deny from all

trying it now

will you take a midget hooker?

[V_RocKs]

Or leave my IP in it so I can hax0r your shit for you...

[V_RocKs]

Quote:

Originally Posted by Jace

trying it now

will you take a midget hooker?

No, but I will take a midget Doberman Pinscher.

[darksoul]

Code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*)?mysite1.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://(.*)?mysite2.com.*$ [NC]
RewriteRule .*\.(gif|jpg|png) - [F]

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !.*\(gif|jpg|png) [NC]
RewriteCond %{REMOTE_ADDR} !^127.126.125.1$ [OR]
RewriteCond %{REMOTE_ADDR} !^122.122.122.12$ 
RewriteRule .* - [F]

I haven't tested it but should be close to the working version

[Jace]

Quote:

Originally Posted by V_RocKs

Code:

SetEnvIf Request_URI "\.gif$" imaginer
SetEnvIf Request_URI "\.jpg$" imaginer


Order deny,allow
Allow from env=imaginer
Allow from 71.254.148.228
Deny from all

WORKED!!!!

thanks so much man, I owe ya one

[V_RocKs]

Now one thing you MIGHT have a problem with is if someone knows what you set the environment variable to, they can just set it themselves in the request... Which is why darksoul did his the correct way...

I just don't know that shit that well...

[V_RocKs]

Of course if they know the word you chose, they already have enough access to fuck you over...

[Jace]

Quote:

Originally Posted by V_RocKs

Of course if they know the word you chose, they already have enough access to fuck you over...

i can just change that word to something else? "imaginer"

[V_RocKs]

ImagineThat.... ;)

[raymor]

Be aware that the crackers can and probably will at some point just spoof the referer
with a bit of JavaScript. Checking the referer will stop the casual user who doesn't
know anything, but it's not any kind of real security.

I know you said you can't do this, but I bet you can, so I'd take another look at what
other people suggested.
first symlink domain.com/cp/images/ to domain.com/public/images/ or better eachsite.com/members/images/
then protect domain.com/cp/
then search and replace the links from domain.com/cp/images/ to just /members/images/

I can't think of any possible scenario where a symlink wouldn't do the job.
The only thing I can think of is you had a $15 / month hosting account with no shell
access and and no customer support, making it hard to actually create the symlink.
Somehow I don't think that what you have, though. Still even then it takes 45 seconds
to write a script that creates the symlink.

If you symlink from each members' site it also has the enormous advantage of avoiding
all kinds of other problems you are going to have down the road if the URLs used for the
pics don't match their logical locations, ie. as part of each site.

If you can;t use a symlink to another domain or at least another directory I'm really
currious why that could possibly be. I'm also curious about what kind of POS CMS
you bought that caused all these problems.

[darksoul]

Quote:

Originally Posted by raymor

2much2quote

you would've spared yourself the shame if you read/understood the thread.

The referer is checked only if the file type is an image for anything else
the access is allowed only from two ips.
they can spoof all they want.

[munki]

The answer is 42

[V_RocKs]

Quote:

Originally Posted by raymor

Be aware that the crackers can and probably will at some point just spoof the referer
with a bit of JavaScript. Checking the referer will stop the casual user who doesn't
know anything, but it's not any kind of real security.

I know you said you can't do this, but I bet you can, so I'd take another look at what
other people suggested.
first symlink domain.com/cp/images/ to domain.com/public/images/ or better eachsite.com/members/images/
then protect domain.com/cp/
then search and replace the links from domain.com/cp/images/ to just /members/images/

I can't think of any possible scenario where a symlink wouldn't do the job.
The only thing I can think of is you had a $15 / month hosting account with no shell
access and and no customer support, making it hard to actually create the symlink.
Somehow I don't think that what you have, though. Still even then it takes 45 seconds
to write a script that creates the symlink.

If you symlink from each members' site it also has the enormous advantage of avoiding
all kinds of other problems you are going to have down the road if the URLs used for the
pics don't match their logical locations, ie. as part of each site.

If you can;t use a symlink to another domain or at least another directory I'm really
currious why that could possibly be. I'm also curious about what kind of POS CMS
you bought that caused all these problems.

You = Tool...

The referrer is NEVER checked... The requested URI is... You can't spoof that or the spoof is what you are asking for... Kind of like asking for coke and getting a coke... But if you spoof and ask for pepsi, well fine then, you get a pepsi (if it isn't denied to your IP address)...

[raymor]

Quote:

Originally Posted by V_RocKs

You = Tool...

The referrer is NEVER checked... The requested URI is.

You = can't read. Or do you think that the three lines that say "HTTP_REFERER" are
checking soemthing other than the referer?

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*)?mysite1.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://(.*)?mysite2.com.*$ [NC]
RewriteRule .*\.(gif|jpg|png) - [F]

Be careful ridiculing the guys who invented this shit, you are likely to make a fool of yourslf.

[raymor]

Quote:

Originally Posted by V_RocKs

You = Tool...

The referrer is NEVER checked... The requested URI is.

You = can't read. Or do you think that the three lines that say "HTTP_REFERER" are
checking something other than the referer?

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*)?mysite1.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://(.*)?mysite2.com.*$ [NC]
RewriteRule .*\.(gif|jpg|png) - [F]

Be careful ridiculing the guys who invented this shit, you are likely to make a fool of yourself.

[Jace]

jesus you all

this is on a domain that is not public, not searched, not indexed, etc...it is a domain that ONLY has this control panel

and it isn't even in a typical folder, it is in something like domain.com/beegdjmf

so, what was brought up first, was perfect, my tech at nationalnet even said so ;)

[raymor]

Quote:

Originally Posted by darksoul

you would've spared yourself the shame if you read/understood the thread.

The referer is checked only if the file type is an image for anything else
the access is allowed only from two ips.
they can spoof all they want.

So you don't mind if I hotlink all of your images? Thanks!

[just a punk]

BTW http://www.htaccesstools.com/ is a great resource for almost every .htaccess-related task. Must be bookmarked by everyone IMHO.