SetEnvIf Referer

#1 | 06-04-2004 | jwoo | SetEnvIf Referer

Hi All,

I've been trying to get this to work in apache 1.3.29_3 with freebsd 4.10
with no luck. Basically I want users to only be able to access this
site if they come from a certain site (referer). This works perfectly
fine when accessing *.htm, *.html, *.doc files but bombs out when
accessing *.pdf files (it just loads a blank page). If I take out the
<Directory> directive, everything loads fine whether it be *.htm,
*.html, *.doc or *.pdf. Only with the <Directory> directive in the
config does it bomb out. Below are the log entries made when accessing the
site and the config for the <VirtualHost> that is having the problem.
Thanks in advance!

testpdf-access.log:
10.2.1.30 - - [03/Jun/2004:14:26:51 -1000] "GET /test.pdf HTTP/1.1" 403 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; NetCaptor 7.5.1)"

testpdf-error.log:
[Thu Jun 3 14:26:51 2004] [error] [client 10.2.1.30] client denied by server configuration: /usr/local/www/data-dist/testpdf/test.pdf

<VirtualHost *>
    ServerAdmin root@server.mydomain.com
    DocumentRoot /usr/local/www/data-dist/testpdf
    ServerName server.mydomain.com
    ErrorLog /var/log/testpdf-error.log
    CustomLog /var/log/testpdf-access.log combined
    # Set local_referal only when the Referer header starts with this URL
    SetEnvIf Referer "^http://referal-server.mydomain.com/" local_referal
    <Directory "/usr/local/www/data-dist/testpdf">
        # Deny everyone, then allow only requests that have local_referal set
        Order Deny,Allow
        Deny from all
        Allow from env=local_referal
    </Directory>
</VirtualHost>

#2 | 06-04-2004 | Purl Gurl | Re: SetEnvIf Referer

jwoo wrote:

(snipped)

> fine when accessing *.htm, *.html, *.doc files but bombs out when
> accessing *.pdf files (It just loads a blank page)


> testpdf-error.log:
> [Thu Jun 3 14:26:51 2004] [error] [client 10.2.1.30] client denied by
> server configuration: /usr/local/www/data-dist/testpdf/test.pdf


> SetEnvIf Referer "^http://referal-server.mydomain.com/" local_referal


> Allow from env=local_referal



Test to be sure your custom environment variable is actually set. This
is most likely your problem. Does your referer [sic] variable actually
end with a trailing right hand slash?

Write a test jig to print your environment variables to determine what
is truly there.

Check your mime.types file for: application/pdf pdf

Check to be sure your mime module is being loaded on Apache boot.


A workaround .conf / .htaccess entry which "sometimes" helps:

AddType application/octet-stream pdf


General information on mime types:

http://www.dartmouth.edu/web/files/mime.html


Purl Gurl

#3 | 06-04-2004 | jwoo | Re: SetEnvIf Referer

I'm almost certain that the custom environment variable is working.
If I type in the url on my browser, I get access denied -- but if I
create a link from the referral server, I can get to the site. I
tested this with an html page and that loads fine. Only with the pdf
do things start to get screwy. I'll try what you mentioned and
see how that goes. Thanks.

#4 | 06-05-2004 | jwoo | Re: SetEnvIf Referer

I did a test to print out the referer environment variable and it
appeared correctly: http://referal-server.mydomain.com/B...h/MoreBlahBlah
so I know the referer is getting passed. What stumps me is that it
will load *.htm, *.html, *.doc and some others but ONLY fails when
loading pdf files. Using the .htaccess didn't help either. Any other
ideas or suggestions? Any explanation why this is happening? It's
beginning to piss me off. Heh!

#5 | 06-08-2004 | jwoo | Re: SetEnvIf Referer

Anybody? Anything? Please.

#6 | 06-11-2004 | Joachim Ring | Re: SetEnvIf Referer

> Anybody? Anything? Please.

have a look whether these requests come from the browser or acroread
itself. also make very sure that a referer is in the request. you
could use proxomitron or the like to check, or the forensiclog
directive of apache in a test instance.

joachim

#7 | 06-14-2004 | lexvvv | Re: SetEnvIf Referer

On 11 Jun 2004 02:23:26 -0700, Joachim Ring <jring@web.de> wrote:

>> Anybody? Anything? Please.
>
> have a look whether these requests come from the browser or acroread
> itself. also make very sure that a referer is in the request. you
> could use proxomitron or the like to check, or the forensiclog
> directive of apache in a test instance.
>
> joachim


is the acrobat reader 5.0 msie plugin enabled so that you can look at pdf
files in your browser?

#8 | 06-14-2004 | jwoo | Re: SetEnvIf Referer

jring@web.de (Joachim Ring) wrote in message news:<3ae246c1.0406110123.669be743@posting.google.com>...
> > Anybody? Anything? Please.
>
> have a look whether these requests come from the browser or acroread
> itself. also make very sure that a referer is in the request. you
> could use proxomitron or the like to check, or the forensiclog
> directive of apache in a test instance.
>
> joachim


I'm sure the request has the referral in it - at least on the first
request. I also had a php script return the referral address to me to
test it and all came back positive.

From the log, it looks like there is more than one request being made
to load the pdf file. Anything from the 2nd request and on has no
referral associated with it. Therefore, the request is being denied?
Any insight on how to solve this issue? Access log entry below:

<snip>
10.2.1.30 - - [10/Jun/2004:12:07:42 -1000] "GET /test.pdf HTTP/1.1" 200 98304 "http://referal-server.mydomain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; NetCaptor 7.5.1)"
10.2.1.30 - - [10/Jun/2004:12:07:42 -1000] "GET /test.pdf HTTP/1.1" 403 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; NetCaptor 7.5.1)"
<end snip>

#9 | 06-14-2004 | jwoo | Re: SetEnvIf Referer

lexvvv <loco_boyau@yahoo.com.au> wrote in message news:<opr9kvalh3rs22av@news.optusnet.com.au>...
> On 11 Jun 2004 02:23:26 -0700, Joachim Ring <jring@web.de> wrote:
>
> >> Anybody? Anything? Please.
> >
> > have a look whether these requests come from the browser or acroread
> > itself. also make very sure that a referer is in the request. you
> > could use proxomitron or the like to check, or the forensiclog
> > directive of apache in a test instance.
> >
> > joachim
>
> is the acrobat reader 5.0 msie plugin enabled so that you can look at pdf
> files in your browser?



Yes, the plugin is enabled. If I turn off all security on apache, the
pdf file loads fine. My previous reply noted that there is more than
one request being made to load the pdf file.

#10 | 06-14-2004 | Purl Gurl | Re: SetEnvIf Referer

jwoo wrote:

> Joachim Ring wrote:


(snipped)

> From the log, it looks like there are more than one request being made


> "GET /test.pdf HTTP/1.1" 403 286



A clear 403 Forbidden. Your server configuration is denying access.

You have included directive syntax which forbids access
or you have omitted directive syntax which allows access.

In another article you indicate, "If I turn off all security on apache...."
which is unclear as to meaning, but doing so allows access to the pdf.

So, reinsert whatever this security is, a single syntax at a time,
until you are forbidden. That syntax is your problem source.

Appears, based on your double log entry, you are banning yourself
through a lack of a referer [sic] environment variable, most
likely through use of mod_rewrite.

For many circumstances, a request comes in with a referral.
This is followed by invoking a "helper application" in
a browser, which will not have a referral. Your acrobat
reader does not provide a referral variable.

Browser -> request with referral.
Helper -> request with no referral.

Stop doing this. Use of a referral variable should _never_
be used for security. For some control, yes, but not as
a security measure.

Limit access by ip addresses, not a misspelled referral variable.


Purl Gurl
--
Corvette Mako Sharks! 56 Chevy Napco 4X4!
http://www.purlgurl.net/~godzilla/
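
Added example, not written by any poster in this thread: a Python check for the access-log pattern discussed in the last posts, a 403 with an empty Referer arriving right after a successful request for the same file from the same client. The sample log lines, addresses, host names and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def helper_rerequests(lines, window=timedelta(seconds=5)):
    """Return 403 records without a Referer that follow, within `window`, a 2xx
    request for the same path from the same host that carried one (log order)."""
    last_ok = {}  # (host, path) -> time of the last 2xx request that had a Referer
    hits = []
    for rec in filter(None, map(parse, lines)):
        key = (rec["host"], rec["path"])
        has_referer = rec["referer"] not in ("", "-")
        if has_referer and 200 <= rec["status"] < 300:
            last_ok[key] = rec["time"]
        elif not has_referer and rec["status"] == 403:
            seen = last_ok.get(key)
            if seen is not None and timedelta(0) <= rec["time"] - seen <= window:
                hits.append(rec)
    return hits

# Constructed sample lines (documentation addresses and host names, not from the thread).
UA = '"Mozilla/4.0 (compatible; MSIE 6.0)"'
REF = '"http://portal.example.test/docs/"'
SAMPLE = [
    f'192.0.2.10 - - [10/Jun/2004:12:07:42 -1000] "GET /test.pdf HTTP/1.1" 200 98304 {REF} {UA}',
    f'192.0.2.10 - - [10/Jun/2004:12:07:42 -1000] "GET /test.pdf HTTP/1.1" 403 286 "-" {UA}',
    f'198.51.100.7 - - [10/Jun/2004:12:09:01 -1000] "GET /test.pdf HTTP/1.1" 403 286 "-" {UA}',
    f'192.0.2.10 - - [10/Jun/2004:12:10:15 -1000] "GET /index.html HTTP/1.1" 200 1024 {REF} {UA}',
    f'192.0.2.10 - - [10/Jun/2004:12:20:00 -1000] "GET /test.pdf HTTP/1.1" 403 286 "-" {UA}',
]

if __name__ == "__main__":
    for rec in helper_rerequests(SAMPLE):
        print(rec["time"].isoformat(), rec["host"], rec["path"], "403 after referred 2xx")
```

A flagged line points to a follow-up fetch of a file the client was just allowed to load, as opposed to a direct visit without a Referer, which is not flagged.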
 

