I'm trying to set up a .htaccess file that would accomplish the following:

Only allow my website to be viewed if the viewing user is coming from a specific domain (link).

So, for instance, I have a domain called protect.mydomain.com. I only want people coming from a link on unprotected.mydomain.com to be able to access protect.mydomain.com.

The big outstanding issue I have is that if you get to protect.mydomain.com from unprotected.mydomain.com and click on a link on protect.mydomain.com that goes to another page under protect.mydomain.com, then I get sent back to my redirect because the http_referer is protect.mydomain.com. So to combat that I put in a check to allow the referrer to be protect.mydomain.com as well. It's not working, and access is allowed from everywhere. Here is my htaccess file. (All this is under https.)

RewriteEngine On
RewriteBase /
# capture the subdomain prefix (%1) of any https://*.mydomain.com referer
RewriteCond %{HTTP_REFERER} ^https://(.+\.)*mydomain\.com
# redirect only when that prefix is neither "protect." nor "unprotected."
RewriteCond %1 !^(protect|unprotected)\.$
RewriteRule ^.*$ https://unprotected.mydomain.com/ [R=301,L]
Angel Politis
Josh

1 Answer

You are matching your referer against ^https://(.+\.)*mydomain\.com, which means that if some completely different site, say http://stealing_your_images.com/, links to something on protect.mydomain.com, the first condition fails and the request is never redirected to https://unprotected.mydomain.com/. You want to approach it from the other direction: only allow certain referers to pass through, then redirect everything else:

RewriteEngine On
RewriteBase /

# allow these referers to pass through
RewriteCond %{HTTP_REFERER} ^https://(protect|unprotected)\.mydomain\.com
RewriteRule ^ - [L]

# redirect everything else
RewriteRule ^ https://unprotected.mydomain.com/ [R,L]
Jon Lin
  • @Josh Be aware of http_referer being faked with custom headers: http://stackoverflow.com/questions/21807604/preventing-curl-referrer-spoofing – Hichem Mar 15 '15 at 11:27
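To see why the two rulesets behave differently, here is an added example (not from the question, the answer, or Apache itself) that emulates both sets of RewriteCond/RewriteRule decisions in Python using the same regular expressions, and runs them over a few constructed Referer values. It also adds a third variant, an assumption of mine rather than anything on the page, that anchors the host with `(/|$)` so that a longer hostname merely starting with the allowed host does not slip through the unanchored prefix match. Python's re.match anchors at the start of the string like PCRE's ^, and an unmatched group is treated as the empty string, which is how mod_rewrite expands an unmatched %1.

```python
import re

REDIRECT_TARGET = "https://unprotected.mydomain.com/"

# Asker's ruleset: redirect only when the referer is some https://*.mydomain.com
# host whose captured prefix (%1) is not "protect." or "unprotected.".
ORIGINAL_COND = re.compile(r"^https://(.+\.)*mydomain\.com")
ORIGINAL_PREFIX_OK = re.compile(r"^(protect|unprotected)\.$")

# Answer's ruleset: allow-list the two hosts, redirect everything else.
ANSWER_ALLOW = re.compile(r"^https://(protect|unprotected)\.mydomain\.com")

# Hypothetical tightened variant (my addition): require "/" or end-of-string
# right after the host so "protect.mydomain.com.example" is not accepted.
ANCHORED_ALLOW = re.compile(r"^https://(protect|unprotected)\.mydomain\.com(/|$)")


def original_rules(referer):
    """Return 'pass' or 'redirect' as the asker's .htaccess would decide."""
    m = ORIGINAL_COND.match(referer or "")
    if not m:
        return "pass"          # first RewriteCond fails, rule never fires
    captured = m.group(1) or ""  # %1 expands to "" when the group did not match
    if ORIGINAL_PREFIX_OK.match(captured):
        return "pass"          # second RewriteCond (negated) fails
    return "redirect"


def answer_rules(referer):
    """Return 'pass' or 'redirect' as the answer's .htaccess would decide."""
    if ANSWER_ALLOW.match(referer or ""):
        return "pass"          # RewriteRule ^ - [L] stops processing
    return "redirect"          # catch-all RewriteRule ^ https://... [R,L]


def anchored_rules(referer):
    """Same as answer_rules but with the host boundary anchored."""
    if ANCHORED_ALLOW.match(referer or ""):
        return "pass"
    return "redirect"


# Constructed sample Referer headers (None = header absent, e.g. a direct visit).
SAMPLE_REFERERS = [
    None,
    "http://stealing_your_images.com/",
    "https://unprotected.mydomain.com/",
    "https://protect.mydomain.com/page2",
    "https://other.mydomain.com/",
    "https://protect.mydomain.com.example/",
]


def compare(referers=SAMPLE_REFERERS):
    """Map each referer to the decision of all three rulesets."""
    return {
        r: (original_rules(r), answer_rules(r), anchored_rules(r)) for r in referers
    }


if __name__ == "__main__":
    print(f"{'referer':45} original   answer     anchored")
    for r, (o, a, x) in compare().items():
        print(f"{str(r):45} {o:10} {a:10} {x}")
```

Running the block prints one row per sample referer; the foreign site and the missing header are passed by the original rules and redirected by the answer's, which is exactly the inversion the answer describes. As the comment above notes, all three variants only ever inspect a client-supplied header, so this is a convenience for directing visitors, not an access control.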