htaccess (Apache Server configuration support archive, August 2006)
Michael Sgier 2006-08-14, 1:23 pm
Hi
I want to block direct access to JavaScript files. Why does this work
locally but not with my provider?
Thanks Michael
SetEnvIfNoCase Referer "^http://sgr.com/" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g|js)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

Davide Bianchi 2006-08-14, 1:23 pm
On 2006-08-14, Michael Sgier <sgier@nospam.ch> wrote:
> I want to block direct access to JavaScript files. Why does this work
> locally but not with my provider?
Maybe because your provider doesn't allow the use of 'Files' in .htaccess?
Or he has completely disabled .htaccess? Ask him.
Davide
--
Computers are like air conditioners -- they stop working properly if you open
WINDOWS

Michael Sgier 2006-08-14, 7:24 pm
Salut Davide
My provider said that it's too complex and that I should ask a mailing
list... .htaccess is generally enabled. Well, any propositions to avoid
'Files'? Might this be used also for securing PHP files?
Thanks
Michael
--
Linuxgames: http://shop.sgier.com

Michael Sgier wrote:
> Salut Davide
> My provider said that it's too complex and that I should ask a mailing
> list... .htaccess is generally enabled. Well, any propositions to avoid
> 'Files'? Might this be used also for securing PHP files?
Well, PHP files can NEVER be downloaded when the server is run correctly, so
that part is a non-issue. For included pages, you could move them to a
secured/locked directory; as they're included by the server, that won't matter.
PHP files linked for displaying images/etc. are more tricky.
But actually, this argument is useless: the Referer cannot be trusted. It is
sent by the client, and easily faked. I can simply add a false Referer
header to my HTTP request, and all your effort has gone to waste.
Now, that wouldn't be the real problem if all you're trying to do is prevent
remote linking/save some bandwidth. The problem is that it's so unreliable
that valid visitors might be blocked, because for some reason the header
isn't sent/is not processed/whatever. It will result in a broken site for a
(small group of) visitors.
The W3C actually advises user agents to be given an option to turn it off:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html 15.1.3
"Because the source of a link might be private information or might reveal
an otherwise private information source, it is strongly recommended that the
user be able to select whether or not the Referer field is sent. For
example, a browser client could have a toggle switch for browsing
openly/anonymously, which would respectively enable/disable the sending of
Referer and From information."
Grtz,
--
Rik Wasmus

shimmyshack 2006-08-15, 1:28 am
Michael Sgier wrote:
> Hi
> I want to block direct access to JavaScript files. Why does this work
> locally but not with my provider?
> Thanks Michael
>
> SetEnvIfNoCase Referer "^http://sgr.com/" locally_linked=1
> SetEnvIfNoCase Referer "^$" locally_linked=1
> <FilesMatch "\.(gif|png|jpe?g|js)$">
> Order Allow,Deny
> Allow from env=locally_linked
> </FilesMatch>
Should that be SetEnvIfNoCase Referer "^$" locally_linked=0? It's late
and I can't think.
Here's a way with just rewrite:
"if referer is not empty, or if referer is not your domain then serve
no content."
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?domain\.org/.*$ [NC]
RewriteRule \.(jpg|gif|js|css)$ - [F]
But as previously said - what if referer IS empty? This can happen for a
variety of reasons, not least because people turn it off; also routing
problems, first visit to a page on your site, rewriting issues, caching
issues. Some users will not get your JS if you ban it this way.
Mind you - you should be making your site so JavaScript isn't required
anyway, unobtrusive. Still, if you are all set to go ahead and ban, then
how about a PHP script and .htaccess working together:
.htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} .*js$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !yourdomain\.org [NC]
#etc.. yahoo, google, friends of yours etc...
RewriteRule (.*) /serve_js.php?js=$1 [L]
<?php
// Serve one script from the js/ directory, with headers that discourage caching.
define('_JS_DIR_', $_SERVER['DOCUMENT_ROOT'] . '/js/');
header("Content-type: application/x-javascript");
#header("Content-type: text/javascript");
header("Expires: Mon, 14 Aug 2006 06:35:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
#no XSS thankyou; basename() also drops any directory part of the requested name
$js = isset($_GET['js']) ? strip_tags(basename($_GET['js'])) : '';
if ($js === '' || !is_file(_JS_DIR_ . $js))
{
die("alert('No javascript for this website.');");
}
else
{
echo file_get_contents(_JS_DIR_ . $js);
}
?>
Don't forget, not all hosts provide a correct DOCUMENT_ROOT and other env
variables, so don't be scared to play around.
Good luck
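The rewrite conditions and the serve_js.php name handling above can be checked offline without Apache or PHP. The following Python model is an added example, not code from the post or from any project: it reproduces the three RewriteCond tests (the site domain yourdomain.org is taken from the .htaccess above and is an assumption), and it mirrors the basename() step of the script with one extra realpath containment check. The function names, the throwaway js/ directory and the sample files are all constructed for the demonstration.

```python
"""Model of the mod_rewrite conditions and the serve_js.php filename handling
from the post above (added example; not the poster's code)."""
import os
import re
import tempfile

SITE_DOMAIN = "yourdomain.org"   # assumed: the domain used in the .htaccess above


def routed_to_script(request_path: str, referer: str) -> bool:
    """True when all three RewriteConds hold, i.e. the request is rewritten to
    /serve_js.php instead of being served as a static file."""
    if not re.search(r"js$", request_path, re.IGNORECASE):      # REQUEST_FILENAME .*js$ [NC]
        return False
    if referer == "":                                            # HTTP_REFERER !^$
        return False
    if re.search(re.escape(SITE_DOMAIN), referer, re.IGNORECASE):  # !yourdomain\.org [NC]
        return False
    return True


def resolve_js_file(js_dir: str, requested: str):
    """Mirror of basename() in serve_js.php plus a realpath containment check.
    Returns the absolute path to serve, or None when the name is empty, the
    file is missing, or the resolved path (e.g. via a symlink) leaves js_dir."""
    name = os.path.basename(requested)          # drops every directory component
    if name == "":
        return None
    js_root = os.path.realpath(js_dir)
    candidate = os.path.realpath(os.path.join(js_root, name))
    if os.path.commonpath([js_root, candidate]) != js_root:
        return None                             # symlink or similar points outside js/
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Build a throwaway js/ directory (constructed sample data), exercise both
    functions and return the outcomes so they can be checked."""
    base = tempfile.mkdtemp()
    js_dir = os.path.join(base, "js")
    os.mkdir(js_dir)
    with open(os.path.join(js_dir, "app.js"), "w") as fh:
        fh.write("// constructed sample script\n")
    secret = os.path.join(base, "secret.txt")   # a file that must never be served
    with open(secret, "w") as fh:
        fh.write("not a script\n")
    try:
        os.symlink(secret, os.path.join(js_dir, "leak.js"))
        symlink_ok = True
    except OSError:                             # platforms without symlink support
        symlink_ok = False
    return {
        "same_site":     routed_to_script("/js/app.js", "http://www.yourdomain.org/page.html"),
        "empty_referer": routed_to_script("/js/app.js", ""),
        "foreign":       routed_to_script("/js/app.js", "http://other.example/"),
        "not_js":        routed_to_script("/img/logo.png", "http://other.example/"),
        "plain":         resolve_js_file(js_dir, "app.js") is not None,
        "traversal":     resolve_js_file(js_dir, "../../secret.txt"),
        "empty":         resolve_js_file(js_dir, ""),
        "symlink":       resolve_js_file(js_dir, "leak.js") if symlink_ok else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value}")
```

Two things the table makes visible: a request with an empty Referer is never routed to the script, which is the gap the post itself warns about, and basename() alone already reduces "../../secret.txt" to a name inside js/, while the realpath check is what catches a symlink inside js/ that points elsewhere.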

"Michael Sgier" <sgier@nospam.ch> wrote in message
news:412c6$44e0a107$c299b72a$8101@news.hispeed.ch...
> Hi
> I want to block direct access to JavaScript files. Why does this work
> locally but not with my provider?
Does 'not work' come with an error?
> SetEnvIfNoCase Referer "^http://sgr.com/" locally_linked=1
> SetEnvIfNoCase Referer "^$" locally_linked=1
> <FilesMatch "\.(gif|png|jpe?g|js)$">
> Order Allow,Deny
So 'allow' is default ...
> Allow from env=locally_linked
... and explicitly set, but no 'deny' handled anywhere
> </FilesMatch>
Based on a sample at
http://httpd.apache.org/docs/2.0/mo...cess.html#allow
try
Order Deny,Allow
Deny from all
Allow from env=locally_linked
and check the local config for inherited instances of the Order, Deny and Allow
directives.
HansH

Michael Sgier 2006-08-15, 7:32 am
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<FilesMatch "\.(js)$">
Order Allow,Deny
Allow from localhost
</FilesMatch>
The above only works locally but not with my provider...

Michael Sgier wrote:
> <Files .htaccess>
> Order allow,deny
> Deny from all
> </Files>
> <FilesMatch "\.(js)$">
> Order Allow,Deny
> Allow from localhost
> </FilesMatch>
>
> The above only works locally but not with my provider...
That's true.
If you visit your own site on your own box, you ARE localhost. When you
visit it on your provider, you're not. If the server has a UI which allows
browsing, it would work on the server itself though.
Grtz,
--
Rik Wasmus

Michael Sgier 2006-08-15, 7:32 am
Hi Rik
Of course I replace localhost with the URL of my website: example.com
or shop.example.com but...
Rik wrote:
> Michael Sgier wrote:
>
> That's true.
> If you visit your own site on your own box, you ARE localhost. When you
> visit it on your provider, you're not. If the server has a UI which allows
> browsing, it would work on the server itself though.
>
> Grtz,

Please don't top-post, fixed it for you.
Michael Sgier wrote:
> Rik wrote:
> Of course I replace localhost with the URL of my website: example.com
> or shop.example.com but...
That's not the point.
It's not a referrer here, it's the actual host/machine that requests it that
will be checked. Only if YOUR DNS (of the computer you're sitting behind) is
example.com/*.example.com will you be able to retrieve the *.js files. Any
other will be forbidden.
Try setting it up on your local server, and try to view the *.js with another
computer in your network: it won't be able to retrieve it. Hence, it's not a
server issue, it's faulty configuration.
Read up on how pages are retrieved (if you use Windows/Internet Explorer,
install Fiddler, a great tool to follow this). You'll see the bare HTML page
is retrieved. After that, the UA will read the HTML code, and retrieve
further files (JS, images, CSS etc.) as indicated in the source in a
_separate_ request. The extra files are NOT retrieved by your HTML page on
the server.
Grtz,
--
Rik Wasmus
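HansH's Order/Deny/Allow rewrite and Rik's explanation of what "Allow from localhost" actually tests can both be checked against the documented Apache 2.2 mod_access rules. The Python model below is an added example, not Apache's code and not anything posted in the thread: it implements the two Order modes as documented (Allow,Deny: an Allow must match and no Deny may match, default deny; Deny,Allow: a Deny match is overridden by an Allow match, default allow), the SetEnvIfNoCase lines from the first post with example.com standing in for the site (an assumption taken from later posts), and host-name matching against the client's resolved name. The configuration names, client host names and Referer values are constructed samples. Running it shows that the original Order Allow,Deny config and HansH's Order Deny,Allow version give the same decisions for every sample, and that a host-based Allow never looks at the Referer at all: it passes only when the connecting client itself resolves to the named host, which is Rik's point. It also makes the trust issue concrete, since two requests carrying the same header values are indistinguishable to the server and get the same decision.

```python
"""Model of how Apache 2.2 mod_access evaluates Order, Allow and Deny for the
configurations discussed in this thread (added example; not Apache's code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    client_host: str   # reverse-DNS name Apache resolves for the connecting client
    referer: str       # Referer header value, "" when the header is absent


@dataclass
class AccessConfig:
    order: str                                   # "Allow,Deny" or "Deny,Allow"
    allow: list = field(default_factory=list)    # 'from' arguments of Allow lines
    deny: list = field(default_factory=list)     # 'from' arguments of Deny lines


SITE = "http://example.com/"   # assumed site URL, following the thread's example.com


def set_env(req: Request) -> dict:
    """SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
       SetEnvIfNoCase Referer "^$"                   locally_linked=1"""
    env = {}
    if req.referer == "" or re.match("^" + re.escape(SITE), req.referer, re.IGNORECASE):
        env["locally_linked"] = "1"
    return env


def matches(spec: str, req: Request, env: dict) -> bool:
    """One 'from' argument: 'all', 'env=NAME', or a (partial) host name."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env
    # Host names are compared against the client's resolved name, never against
    # the Referer: 'Allow from example.com' admits clients *at* example.com.
    return req.client_host == spec or req.client_host.endswith("." + spec)


def decide(cfg: AccessConfig, req: Request) -> bool:
    """Apply the documented Order semantics; True means the request is allowed."""
    env = set_env(req)
    allow_hit = any(matches(s, req, env) for s in cfg.allow)
    deny_hit = any(matches(s, req, env) for s in cfg.deny)
    first, second = [p.strip().lower() for p in cfg.order.split(",")]
    if (first, second) == ("allow", "deny"):
        # Allow lines first: one must match, and no Deny may match (default: denied)
        return allow_hit and not deny_hit
    if (first, second) == ("deny", "allow"):
        # Deny lines first: a Deny match is overridden by an Allow match (default: allowed)
        return allow_hit or not deny_hit
    raise ValueError("unsupported Order: " + cfg.order)


CONFIGS = {   # the variants from the thread, as data
    "original":      AccessConfig("Allow,Deny", allow=["env=locally_linked"]),
    "hansh":         AccessConfig("Deny,Allow", allow=["env=locally_linked"], deny=["all"]),
    "localhost":     AccessConfig("Allow,Deny", allow=["localhost"]),
    "site_hostname": AccessConfig("Allow,Deny", allow=["example.com"]),
}

REQUESTS = {   # constructed samples
    "same_site":           Request("visitor.isp.example", "http://example.com/index.html"),
    "no_referer":          Request("visitor.isp.example", ""),
    "foreign":             Request("visitor.isp.example", "http://other.example/copy.html"),
    "local_box":           Request("localhost", "http://example.com/index.html"),
    "client_on_site_host": Request("www.example.com", "http://other.example/copy.html"),
}


def evaluate_all() -> dict:
    """Decision table: {config name: {request name: allowed?}}."""
    return {c: {r: decide(cfg, req) for r, req in REQUESTS.items()}
            for c, cfg in CONFIGS.items()}


if __name__ == "__main__":
    for name, row in evaluate_all().items():
        print(f"{name:14s}", {r: ("allow" if ok else "deny") for r, ok in row.items()})
```

The "localhost" and "site_hostname" rows are the ones to read: a normal visitor is denied by both regardless of which page linked the script, which is exactly the "works locally, not at the provider" symptom reported in the thread.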

Michael Sgier 2006-08-15, 1:28 pm
So it's not possible to hide the JS script? I want to allow executing JS
but not copying, downloading etc.
Any other ways to do that? Do you know a usable free JS obfuscator? I only
found rubbish so far.
Michael

Michael Sgier wrote:
> So it's not possible to hide the JS script? I want to allow executing
> JS but not copying, downloading etc.
> Any other ways to do that? Do you know a usable free JS obfuscator? I
> only found rubbish so far.
And that's the only thing you'll find. JavaScript runs in the browser, so
the browser will have to download it to execute it. As soon as the browser
must be able to download and read it, all obfuscating/securing is inherently
useless.
Even the code coming from very expensive obfuscators is cracked in no time.
The browser must be able to read it, so will a user. The selling of
obfuscators is just preying on the ignorant.
You can make it somewhat more work for people, but that's all.
Grtz,
--
Rik Wasmus

shimmyshack 2006-08-16, 7:33 am
I have yet to see an excellent JavaScript programmer who believes in
obfuscation - it's always the beginners - but there are tonnes of
excellent JS gurus releasing fantastic open-source/free/community
edition code all the time: activegrid, scriptaculous, rico, behaviour,
prototype.
I don't believe in obfuscation, it's not what the web is for, and it won't
protect your scripts, it just makes you look bad, as if you need to
hide something.
Have you seen Firebug in Firefox? It will show anyone your code, even
someone who couldn't deobfuscate your code by hand. If it's in memory it
will be there - roll on the next gen of memory-parsing spam bots.
My advice: learn object-oriented unobtrusive JavaScript and then write
some excellent code, open-source it and get praise and recognition from
your peers.
Have you thought of simply using caching to hide your scripts from
script kiddies? Send all the no-caching headers in the world - since
you are not going to be able to hide from all but the most ignorant -
you can at least sometimes stop the files from being stored in IE's
temporary internet folder on Windows - this is your target audience
after all.