Limiting access to a folder to just localhost?

Heya folks, I am trying to limit access to a folder within htdocs,
lets call it htdocs/gallery. How do I tell the server, via .htaccess,
to only allow the localhost to access the files within htdocs/gallery?

Here is my .htaccess:

<Limit GET POST>
allow from localhost
order deny,allow
deny from ALL
</Limit>

From the logs, it looks like when someone is trying to access a page,
say index.html, it passes the IP visiting the page for authentication,
and therefore it fails. I want only local code to be able to access
files within the directory, to prevent anyone from linking directly to
any files located within htdocs/gallery.

Thanks!

On 12 Jan 2004 14:05:14 -0800, Steve Best <steve@technaughty.com> wrote:
> Heya folks, I am trying to limit access to a folder within htdocs,
> lets call it htdocs/gallery. How do I tell the server, via .htaccess,
> to only allow the localhost to access the files within htdocs/gallery?
>
> Here is my .htaccess:
>
><Limit GET POST>
> allow from localhost
> order deny,allow
> deny from ALL
></Limit>

See apache docs for 'Order'. Note that default for Order Allow,Deny
is deny, so it is simply (lose the Limit tags):

Order Allow,Deny
Allow from localhost

Or for any loopback IP could be 'Allow from 127'.

> From the logs, it looks like when someone is trying to access a page,
> say index.html, it passes the IP visiting the page for authentication,
> and therefore it fails. I want only local code to be able to access
> files within the directory, to prevent anyone from linking directly to
> any files located within htdocs/gallery.

I think your 'Order Allow,Deny' might cancel the previous 'allow from
localhost', therefore maybe only the 'deny from all' applies.

First you say localhost, then local code. If you wanted contents of a
directory to only be passed by a script in another directory (and not at
all directly accessible by http) it would be:

Order Allow,Deny
Deny from all

--
David Efflandt - All spam ignored http://www.de-srv.com/

> I think your 'Order Allow,Deny' might cancel the previous 'allow from
> localhost', therefore maybe only the 'deny from all' applies.
>
> First you say localhost, then local code. If you wanted contents of a
> directory to only be passed by a script in another directory (and not at
> all directly accessible by http) it would be:
>
> Order Allow,Deny
> Deny from all

That doesnt work because even if the image is linked from a page in
htdocs, the request for the image is still coming from the client IP.
Any other suggestions?

On 13 Jan 2004 12:11:37 -0800, Steve Best <steve@technaughty.com> wrote:
>> I think your 'Order Allow,Deny' might cancel the previous 'allow from
>> localhost', therefore maybe only the 'deny from all' applies.
>>
>> First you say localhost, then local code. If you wanted contents of a
>> directory to only be passed by a script in another directory (and not at
>> all directly accessible by http) it would be:
>>
>> Order Allow,Deny
>> Deny from all
>
> That doesnt work because even if the image is linked from a page in
> htdocs, the request for the image is still coming from the client IP.
> Any other suggestions?

Define doesn't work. As long as AllowOverride that covers that dir
includes Limit (or All), the above in .htaccess would deny all http access
to that directory (or any subdirectories) from anywhere. Of course local
shell users or CGI scripts of others might be able to access it, depending
upon dir ownership/permissions and whether suexec is being used. But
nothing in that dir would be directly accessible by URL.

--
David Efflandt - All spam ignored http://www.de-srv.com/