A couple of .htaccess questions

B

blakec

New Member
Messages
29
Reaction score
0
Points
0
I have been trying to do a couple of things using .htaccess for a while, but have not been able to figure them out.

First, I would like a file to be accessible by no one EXCEPT the server. For example, if I have a page using AJAX to display "main.html" on the same page, I don't want anyone to be able to visit http://example.com/main.html to just view it, but I still want the server to be able to access it and use AJAX to display it on the same page.

I think "server" is the term I'm looking for, at least. This is what I've tried:
Code: 
<Files "main.html">
deny from all
allow from (my server's IP address here, which I found using PHP: "echo $_SERVER['SERVER_ADDR']")
</Files>

Second, I want to use .htaccess and mod_rewrite to direct visitors that try to go to a short URL to a longer URL. For example, if my visitors go to http://example.com/dir, I want them to be redirected to http://example.com/longer/dir WITHOUT changing what they see in the address bar.

I did this before in a previous site design, where example.com/someplace directed them to example.com/index.php?p1=someplace, or something like that, and the text in the address bar did not change; it stayed at example.com/someplace.

I know how to direct the user to another URL AND have the text in the address bar change, but I don't want the text in the address bar to change.

Any ideas on either of these issues?

Thanks!
Blake
 
xav0989

xav0989

Community Public Relation
Community Support
Messages
4,467
Reaction score
95
Points
0
The server always has access to the files, as it views them through the filesystem, not internet. If you deny from all except the server's address, it won't change a thing.
Next, AJAX is a client-side language. This means that the page is fetched just as a regular page. denying from all will simply stop everybody from viewing the main.html page.
 
descalzo

descalzo

Grim Squeaker
Community Support
Messages
9,373
Reaction score
326
Points
83
First question:
If yous send a request via Ajax, it is still a request. If you deny me from my browser, it will deny the Ajax request.
You can try restricting access by checking the HTTP_REFERER header in a rewrite rule in .htacces. But that can be faked.
You can have the page request main_gate.php and then check that the HTTP_X_REQUESTED_WITH header is set an equal to XMLHttpRequest (ie it is being requested by an Ajax call), check the REFERER, and if everything checks out, include the page (which you store outside of your document root).

Second Question:
Use mod_rewrite in .htaccess

Edited to correct error:

Code: 
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} someplace$ [NC]
RewriteRule ^someplace$ index.php?p1=someplace
</IfModule>

the URL in the address bar will be www.example.com/someplace
 
Last edited:
B

blakec

New Member
Messages
29
Reaction score
0
Points
0
So, do you mean that if I use .htaccess like this:
Code: 
<Files "main.html">
deny from all
allow from (server IP address)
</Files>
I can't use AJAX to access main.html? (That's what I'm trying to do, but it's not working.)

Is there ANY way that I can use AJAX to include main.html on a different page, but disallow anyone from actually visiting main.html?

EDIT: Descalzo, could you explain how each line works? I need to adapt it a little, but am not sure how, since I don't know what does what in your .htaccess code.
 
Last edited:
descalzo

descalzo

Grim Squeaker
Community Support
Messages
9,373
Reaction score
326
Points
83
Code:
blakec said:
So, do you mean that if I use .htaccess like this:
Code: 
<Files "main.html">
deny from all
allow from (server IP address)
</Files>
I can't use AJAX to access main.html? (That's what I'm trying to do, but it's not working.)

Is there ANY way that I can use AJAX to include main.html on a different page, but disallow anyone from actually visiting main.html?
Click to expand...

When you request a file via AJAX, where do you think the request comes from?
It comes from your browser.
Not from the server.
Your browser is requesting the server to send the page.
Same as if you clicked on a link to main.html
Same as if you enetered the URL into the address bar.
The only way the request will be allowed, giving the above configuration is if your browser is on the machine running the server.

Edit: ADD:

%{REQUEST_URI} is the part of the url after the first /, ie if
http://forums.x10hosting.com/editpost.php?do=updatepost&p=579843
%{REQUEST_URI} would be editpost.php?do=updatepost&p=579843
Code: 
<IfModule mod_rewrite.c>   MAKE SURE APACHE HAS THE MOD LOADED, USUALLY IS
RewriteEngine On     TELL THE MOD TO START WORKING
RewriteCond %{REQUEST_URI} someplace$ [NC]  IF URI ENDS IN someplace , NC == case insensitive
RewriteRule ^someplace$ index.php?p1=someplace  REPLACE THE STRING someplace WITH index.php?p1=someplace  
</IfModule>
 
Last edited:
B

blakec

New Member
Messages
29
Reaction score
0
Points
0
Okay, thank you. I think I understand all of the .htaccess stuff now, but it still changes the URL to the actual URL, while I want it to stay as what the visitor typed in. Any help?

EDIT: If it makes things easier to know this: I'm trying to make example.com/aaa redirect to example.com/bbb/ccc.

I also need example.com/aaa/ddd.php to redirect to example.com/bbb/ccc/ddd.php; ALL without changing what the visitor sees in the address bar.
 
Last edited:
descalzo

descalzo

Grim Squeaker
Community Support
Messages
9,373
Reaction score
326
Points
83
blakec said:
Okay, thank you. I think I understand all of the .htaccess stuff now, but it still changes the URL to the actual URL, while I want it to stay as what the visitor typed in.

....

ALL without changing what the visitor sees in the address bar.
Click to expand...


I

give

up
 
M

misson

Community Paragon
Community Support
Messages
2,572
Reaction score
72
Points
48
blakec said:
Okay, thank you. I think I understand all of the .htaccess stuff now, but it still changes the URL to the actual URL, while I want it to stay as what the visitor typed in. Any help?

EDIT: If it makes things easier to know this: I'm trying to make example.com/aaa redirect to example.com/bbb/ccc.

I also need example.com/aaa/ddd.php to redirect to example.com/bbb/ccc/ddd.php; ALL without changing what the visitor sees in the address bar.
Click to expand...

Under Apache, you can have internal rewrites without external redirects. External redirects return one of the 3XX HTTP response codes (read the HTTP 1.1 specification for more on HTTP responses) to the client, which causes the browser to display the new URI and request it. With mod_rewrite, you get an external redirect if you explicitly use a redirect flag (e.g. [R],[R=301]), or implicitly when the substitution in the RewriteRule is an absolute URI, with scheme and hostname. For example, both of the following RewriteRules result in external redirects:
Code: 
RewriteRule ^/?foo$ /bar [R=301]
RewriteRule ^/?foo$  http://www.example.com/bar

Otherwise, an internal rewrite shouldn't result in a 3XX response; it merely changes the pathname corresponding to a given URI. Compare:
Code: 
RewriteRule ^/?foo$ /bar

Read Apache's documentation on mod_rewrite or google for more info.


As for limiting access to content, you could try to use the Referer [sic] header, but many people block it out of privacy concerns, which means they couldn't access the protected content. Also, site rippers usually send an appropriate Referer header, so this technique won't protect you from rippers (assuming that's your goal).

You could also pass some secret via a header or by POSTing it in the AJAX request, but a knowledgeable user could easily extract that information and get the page.

Why is this task important to you? If a visitor can view information, they should be able to view part of that information. From this principle (and in the absence of an overall goal), I'd say the desire to limit accessing content solely to AJAX requests is misguided.
 
You must log in or register to reply here.
Top