I have a script that runs as an external question on Mechanical Turk. On MTurk, these external questions run as an iFrame on a page on mturk.com.

I want to make it so that the directory that this script is in is only accessible from a few select IPs and from iFrames located on mturk.com. Can I include this in a directory configuration on my file for the site?

For example:

<Directory /blah/blah/blah/directory>
    Order deny,allow
    Deny from all
    Allow from 123.456.789.0
    Allow from 98.765.432.10
    Allow from mturk.com
</Directory>

Will this consistently work to only allow traffic from the iFrame on that page?

Nick Anderegg
  • What version of apache are you using? On what OS? – pgoetz Sep 21 '15 at 19:39
  • What are you trying to protect against? It makes a huge difference. – David Schwartz Sep 21 '15 at 19:46
  • @pgoetz Apache 2.4.7 on Ubuntu 14.4. – Nick Anderegg Sep 21 '15 at 20:09
  • @DavidSchwartz There's no good way to authenticate access to the script, so I don't want anyone to be able to just type in the URL and access the script directly unless they're coming from Mechanical Turk. Someone could look at the iFrame's URL, go directly to it, and then type in gibberish in all the response fields. – Nick Anderegg Sep 21 '15 at 20:11

1 Answer

It looks like you've copied the syntax from Apache 2.2, which doesn't work in 2.4.

This isn't exactly your use case, but it should get you started. The relevant syntax is

Require ip 123.456.789.0 98.765.432.10

http://httpd.apache.org/docs/trunk/mod/mod_authz_host.html

Apache 2.4 - How to restrict traffic (by IP address) to all requests except the base path?

pgoetz
  • But could this restrict traffic to only allow the page to be displayed in a certain IFrame displayed on a certain page? What I'm unsure of is if the request will appear to be coming from the page in which the IFrame is embedded or from the client that opened the parent page. – Nick Anderegg Sep 21 '15 at 20:49
  • I am almost certain that there won't be any way for you to control for this. How the contents are assembled is a client side issue. Also, the request will be coming from the parent that opened the page; how else could it work? – pgoetz Sep 22 '15 at 21:06
  • I have Apache 2.4 and the Order, Allow, Deny work just fine. – Alexis Wilke Jun 30 '16 at 20:04
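
The question's block rewritten in Apache 2.4 authorization syntax, as an added example that is not part of the original posts. The directory path is the question's own; the IP addresses are constructed placeholders from the documentation ranges.

```apache
# Added example, not code from the question or the answer.
#
# Apache 2.2 style, as posted in the question. On Apache 2.4 these
# directives are only available through mod_access_compat:
#
#   Order deny,allow
#   Deny from all
#   Allow from <ip>
#   Allow from mturk.com
#
# Apache 2.4 style, using mod_authz_core and mod_authz_host:
<Directory /blah/blah/blah/directory>
    # Access is granted if any one of the enclosed rules matches;
    # everything else is denied.
    <RequireAny>
        # Constructed placeholder addresses (documentation ranges).
        Require ip 203.0.113.10 198.51.100.25

        # 2.4 counterpart of "Allow from mturk.com". It is matched against
        # the reverse-DNS name of the connecting client (verified with a
        # forward lookup), not against the site whose page embeds the
        # iFrame. The iFrame's content is requested by the visitor's
        # browser, so the server sees the visitor's address.
        Require host mturk.com
    </RequireAny>
</Directory>
```

After editing, `apachectl configtest` checks the syntax before the server is reloaded.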