Q: Optimizing permissions in Unix ( Answered,   0 Comments )
Question  
Subject: Optimizing permissions in Unix
Category: Computers > Security
Asked by: snoopyatwork2003-ga
List Price: $10.00
Posted: 17 Jul 2003 11:32 PDT
Expires: 16 Aug 2003 11:32 PDT
Question ID: 232089
I am running a large website hosted on Unix Apache. I want to optimize
the various permission settings for files and directories to improve
the security.

When I say inaccessible below I mean -not being downloadable through
the web or "site downloader" applications or ideally other more
advanced solutions.

What I want to achieve is:
-make any files and dirs under cg-bin totally inaccessible for anyone
but my own scripts running under my domain
-limit the access to various dirs (graphics and javascript files etc
under separate dirs) at root level as far as possible while still
accessible for execution by html and scripts under my domain

I have come across websites that kick me out from directories when
trying to download its files through "site downloaders" or direct from
the web, whilst other sites obviously are more "open".

Please advise. Many thanks
Answer  
Subject: Re: Optimizing permissions in Unix
Answered By: sycophant-ga on 18 Jul 2003 00:33 PDT
 
Hi,

The easiest way to achieve what you want is probably through a
combination of Apache access control and rewrites.

I will provide the following examples to try, test them and see if
they are sufficient.


For each of the options below, there are two ways they can generally be
applied.
1) <Directory> blocks. 
2) .htaccess files.

The first can be incorporated within the second.

For example, say my web-root is /home/sycophant/public_html
I can create a file in there called .htaccess (this may depend on
server configuration) which can contain Apache directives. These
directives will affect that directory and any sub-directories, until
they are overridden (by another .htaccess with different rules, for
example)

The <Directory> method can be used in a .htaccess file, or within the
Apache config files. It is used like so:

<Directory /home/sycophant/public_html>
  Directive  Value
  Directive  Value
</Directory>

Again, this will apply to sub directories until it is overridden.



Make files and directories under cg-bin (cgi-bin?) inaccessible:

.htaccess:
Create a .htaccess in the cgi-bin directory and add the directives
below.

<Directory>:
Create a <Directory> block for the cgi-bin directory and add the
directives below.

Directives:

Order Deny,Allow
Deny From All
Allow From None


Restrict access to resources in certain directories:

For each directory, create either a .htaccess or <Directory>
configuration to execute the following directives

Method 1 - Requires mod_access and mod_setenvif
Directives:

Options -Indexes
SetEnvIf Referer ^http://www\.yoursitename\.com/ allow_load
Order Deny,Allow
Deny From All
Allow From env=allow_load

Method 2 - Requires mod_rewrite
Directives:

Options -Indexes
RewriteEngine On
# Forbid the request unless the Referer is one of this site's own pages
RewriteCond %{HTTP_REFERER} !^http://www\.yoursitename\.com/
RewriteRule .* - [F]

This should disallow the direct accessing of any of the files within
the directory. Also, the addition of the option "-Indexes" means that
people will not be presented with a directory index when visiting a
directory without an index.html.

The limitation with the above methods of restricting access to the
resources is that a very determined person can still get them - they
are relying on the HTTP header 'Referer' to determine if the object is
being called from within one of your own pages or not.



If you administer your own server, all of these implementations should
be quite easy to implement. However, if you are on a shared server
which you do not control, then you may find some of the options
restricted by the server's administrator.

Also, overall there is nothing you can do really to really enforce
restrictions on web content. If it is in a web-accessible directory,
it can generally be retrieved. The difference between a graphic or
file being called by your page, and being downloaded by a downloader
is just a few HTTP headers. And those can be faked.

Check out the following Apache manual pages, all are found easily from
the main Apache documentation ( http://httpd.apache.org/docs/ ):

Mod_access - Access control (Order, Deny, Allow etc)
http://httpd.apache.org/docs/mod/mod_access.html

Mod_setenvif - SetEnvIf - environment variable setting
http://httpd.apache.org/docs/mod/mod_setenvif.html

Mod_rewrite - URL Rewriting
http://httpd.apache.org/docs/mod/mod_rewrite.html

Mod_rewrite guide - Practical rewriting examples
http://httpd.apache.org/docs/misc/rewriteguide.html

Options directive - Set various per-directory options
http://httpd.apache.org/docs/mod/core.html#options

<Directory> directive - Per directory configuration
http://httpd.apache.org/docs/mod/core.html#directory

.htaccess tutorial
http://apache-server.com/tutorials/ATusing-htaccess.html


I hope this helps.

Regards,
Sycophant-ga
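
Added example, not part of the original answer: a small Python model of how the cgi-bin block and Method 1 are evaluated under `Order Deny,Allow`, run against constructed request headers. It shows that the decision rests only on the Referer value the client sends, which is the limitation the answer describes. The parser covers only the directives shown above; host specs other than `All` (including `None`) are not modelled and never match.

```python
import re

# Constructed copies of the answer's cgi-bin block and Method 1 (regex dots escaped).
CGI_BIN = """Order Deny,Allow
Deny From All
Allow From None"""
METHOD_1 = r"""SetEnvIf Referer ^http://www\.yoursitename\.com/ allow_load
Order Deny,Allow
Deny From All
Allow From env=allow_load"""

def parse(conf):
    """Parse the mod_access / mod_setenvif subset used on this page."""
    policy = {"order": "deny,allow", "deny": [], "allow": [], "setenvif": []}
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            policy["order"] = parts[1].lower()
        elif key in ("deny", "allow"):   # "Deny From All", "Allow From env=x"
            policy[key].extend(parts[2:])
        elif key == "setenvif":          # SetEnvIf <header> <regex> <variable>
            policy["setenvif"].append((parts[1].lower(), re.compile(parts[2]), parts[3]))
    return policy

def matches(specs, env):
    """True if a spec is 'All' or names an env variable that is set."""
    return any(s.lower() == "all" or (s.startswith("env=") and s[4:] in env) for s in specs)

def is_allowed(policy, headers):
    """Apply the Order semantics to one request's headers (a dict)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    env = {var for name, rx, var in policy["setenvif"] if rx.search(hdrs.get(name, ""))}
    denied, allowed = matches(policy["deny"], env), matches(policy["allow"], env)
    if policy["order"] == "deny,allow":  # Allow overrides Deny; default is allow
        return allowed or not denied
    return allowed and not denied        # allow,deny: Deny overrides; default is deny

if __name__ == "__main__":
    site = "http://www.yoursitename.com/index.html"
    samples = {"no Referer": {}, "other site": {"Referer": "http://other.example/"},
               "site Referer": {"Referer": site}}
    for name, hdrs in samples.items():
        print(name, is_allowed(parse(METHOD_1), hdrs), is_allowed(parse(CGI_BIN), hdrs))
```

A request with no Referer is denied by Method 1 even when it comes from a legitimate visitor whose browser or proxy strips the header, while the cgi-bin block denies every request regardless of headers.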