Re: .htaccess authorization on referer

[Danny Sauer <sauer@cloudmaster.com>]

On Mon, Dec 17, 2001 at 02:18:19PM -0600, charles@lunarmedia.net wrote:
> i'm working on getting a .htaccess file to authenticate based on a referer 
> url. i have:
> 
> <Limit GET>                                                                
>   order deny,allow
>   deny from all
>     referer allow from http://yourdomain.com/*
>     OnDeny http://yourdomain.com/warningpage.htm
> </Limit> 
> 
> i'm getting the following error when i try using this syntax for auth:
> 
>   Invalid command 'referer', perhaps mis-spelled or defined by a module 
>   not included in the server configuration
> 
> is my syntax incorrect? or does it rely on a module? and if so does anyone 
> know which so i can verify its in my config?

I'm pretty sure that's incorrect syntax...  What you probably want is more
like this, assuming you have the mod_setenvif module set up (it's a base
module):

SetEnvIfNoCase Referer "^http://yourdomain\.com/" good_referer=1
order allow,deny
allow from env=good_referer
OnDeny http://yourdomain.com/warningpage.htm

In a .htaccess, you really don't need the <Limit> container, BTW, unless you
want GET/POST/HEAD/etc treated differently - which you usually don't (but
might, I guess, if you use a POST login page that redirects to a GET page
later).  If you do use a limit, leave the setenvif outside of the container.

--Danny

-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.