
I have an existing web site that needs to link to a PDF file on our web server. The problem is, ONLY users who have been authenticated by logging into the site should be able to view the file. I have tried everything I can think of and I just cannot figure out how to configure Apache to do what I want. Either it allows everyone to access the file, or no one has access.

How do I set up the config such that only requests from foo.bar.com are authorized to get the file from blah.baz.com?

Update: In my config file for my site I currently have

  <Directory "/usr/local/web/static/foo">
  Order allow,deny
  Deny from all
  Allow from foo.bar.com
  </Directory>

When I examine the failing request in the chrome console I can see it contains

Host:blah.baz.com
Referer:http://foo.bar.com/
pbuchheit
  • Are you talking about the referral foo.bar.com? So the request is coming from this domain foo.bar.com? If the answer is yes, use mod_rewrite – c4f4t0r Jul 17 '17 at 15:37
  • I added some more details to my post. How would I use mod_rewrite to fix the authorization? – pbuchheit Jul 17 '17 at 17:29
  • @c4f4t0r I ended up not needing to use mod_rewrite, but your suggestion would have worked. If you post an answer with some additional details, I will mark it as the solution. – pbuchheit Jul 19 '17 at 12:32

3 Answers


I ended up using the 'Referer' environment variable to check if the request was coming from the correct site. So for the example I gave above the config would look like:

ServerName blah.baz.com
DocumentRoot /usr/local/web/static
# Set the environment variable "localreferer" when the Referer header matches foo.bar.com
SetEnvIf Referer foo.bar.com localreferer
<Directory "/usr/local/web/static/foo">
  Order deny,allow
  Deny from all
  # Only requests that carry that environment variable are allowed through
  Allow from env=localreferer
</Directory>
pbuchheit
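A review of the `SetEnvIf` pattern used above, written as an added example (not code from the page or from the answerer): it models SetEnvIf's unanchored, case-sensitive regex search and the deny/allow decision, then compares the page's `foo.bar.com` pattern with an assumed anchored pattern over constructed Referer values.

```python
import re
from typing import Dict, Optional, Tuple

# Pattern exactly as in the answer: SetEnvIf Referer foo.bar.com localreferer
PAGE_PATTERN = r"foo.bar.com"
# Assumed tightened pattern: anchored at the start of the header value, scheme
# limited to http/https, dots escaped, host terminated by "/" or end of value.
STRICT_PATTERN = r"^https?://foo\.bar\.com(/|$)"


def setenvif_sets_var(pattern: str, header_value: Optional[str]) -> bool:
    """Model SetEnvIf: an unanchored, case-sensitive regex search over the
    header value. A request that omits the header never sets the variable."""
    if header_value is None:
        return False
    return re.search(pattern, header_value) is not None


def decide(pattern: str, referer: Optional[str]) -> str:
    """Model 'Order deny,allow / Deny from all / Allow from env=localreferer':
    the request passes only when the environment variable was set."""
    return "allow" if setenvif_sets_var(pattern, referer) else "deny"


# Constructed Referer values (not from the page) covering the cases that
# matter when reviewing the pattern.
SAMPLE_REFERERS = (
    "http://foo.bar.com/report.html",      # the intended site
    "https://foo.bar.com/",                # same site over TLS
    None,                                  # header absent (privacy settings, direct link)
    "http://foo.bar.com.example.net/",     # different host that shares a prefix
    "http://fooxbar.com/",                 # unescaped '.' matches any character
    "http://example.net/?q=foo.bar.com",   # name appears only in the query string
)


def compare_patterns() -> Dict[Optional[str], Tuple[str, str]]:
    """Return {referer: (decision with page pattern, decision with strict pattern)}."""
    return {r: (decide(PAGE_PATTERN, r), decide(STRICT_PATTERN, r))
            for r in SAMPLE_REFERERS}


if __name__ == "__main__":
    for referer, (loose, strict) in compare_patterns().items():
        print(f"{str(referer):40} page pattern: {loose:5}  strict: {strict}")
```

Even the stricter pattern only checks a header the client chooses to send, so it limits where links work from; the per-user authentication the question asks for still has to happen in the application, as the mod_xsendfile answer below describes.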

You can do that with mod_rewrite in this way:

RewriteEngine On
# Referer does not contain pippo.com (case-insensitive) ...
RewriteCond %{HTTP_REFERER} !pippo\.com [NC]
# ... and the request is for something under /foo ...
RewriteCond %{REQUEST_URI} ^/foo
# ... then answer 403 Forbidden
RewriteRule .* - [F]

Try to fake the referer:

curl --referer http://www.pluto.com/bot.html http://localhost/foo
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>
c4f4t0r

The file should be served through your application where its contents are read from the disk then transferred to the user. However, since there is an overhead when using this approach, many are now recommending using Apache's mod_xsendfile.

To summarize, you will need to modify your application to do what you want, but using mod_xsendfile may minimize the amount of change that needs to be made to the code.

You may refer to the following link as a guide for this: https://codeutopia.net/blog/2009/03/06/sending-files-better-apache-mod_xsendfile-and-php/