A couple of .htaccess questions

[blakec]

I have been trying to do a couple of things using .htaccess for a while, but have not been able to figure them out.

First, I would like a file to be accessible by no one EXCEPT the server. For example, if I have a page using AJAX to display "main.html" on the same page, I don't want anyone to be able to visit http://example.com/main.html to just view it, but I still want the server to be able to access it and use AJAX to display it on the same page.

I think "server" is the term I'm looking for, at least. This is what I've tried:

Code:

<Files "main.html">
deny from all
allow from (my server's IP address here, which I found using PHP: "echo $_SERVER['SERVER_ADDR']")
</Files>

Second, I want to use .htaccess and mod_rewrite to direct visitors that try to go to a short URL to a longer URL. For example, if my visitors go to http://example.com/dir, I want them to be redirected to http://example.com/longer/dir WITHOUT changing what they see in the address bar.

I did this before in a previous site design, where example.com/someplace directed them to example.com/index.php?p1=someplace, or something like that, and the text in the address bar did not change; it stayed at example.com/someplace.

I know how to direct the user to another URL AND have the text in the address bar change, but I don't want the text in the address bar to change.

Any ideas on either of these issues?

Thanks!
Blake

[xav0989]

The server always has access to the files, as it views them through the filesystem, not internet. If you deny from all except the server's address, it won't change a thing.
Next, AJAX is a client-side language. This means that the page is fetched just as a regular page. denying from all will simply stop everybody from viewing the main.html page.

[descalzo]

First question:
If yous send a request via Ajax, it is still a request. If you deny me from my browser, it will deny the Ajax request.
You can try restricting access by checking the HTTP_REFERER header in a rewrite rule in .htacces. But that can be faked.
You can have the page request main_gate.php and then check that the HTTP_X_REQUESTED_WITH header is set an equal to XMLHttpRequest (ie it is being requested by an Ajax call), check the REFERER, and if everything checks out, include the page (which you store outside of your document root).

Second Question:
Use mod_rewrite in .htaccess

Edited to correct error:

Code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} someplace$ [NC]
RewriteRule ^someplace$ index.php?p1=someplace
</IfModule>

the URL in the address bar will be www.example.com/someplace

[blakec]

So, do you mean that if I use .htaccess like this:

Code:

<Files "main.html">
deny from all
allow from (server IP address)
</Files>

I can't use AJAX to access main.html? (That's what I'm trying to do, but it's not working.)

Is there ANY way that I can use AJAX to include main.html on a different page, but disallow anyone from actually visiting main.html?

EDIT: Descalzo, could you explain how each line works? I need to adapt it a little, but am not sure how, since I don't know what does what in your .htaccess code.

[descalzo]

So, do you mean that if I use .htaccess like this:

Code:

<Files "main.html">
deny from all
allow from (server IP address)
</Files>

I can't use AJAX to access main.html? (That's what I'm trying to do, but it's not working.)

Is there ANY way that I can use AJAX to include main.html on a different page, but disallow anyone from actually visiting main.html?

When you request a file via AJAX, where do you think the request comes from?
It comes from your browser.
Not from the server.
Your browser is requesting the server to send the page.
Same as if you clicked on a link to main.html
Same as if you enetered the URL into the address bar.
The only way the request will be allowed, giving the above configuration is if your browser is on the machine running the server.

Edit: ADD:

%{REQUEST_URI} is the part of the url after the first /, ie if
http://forums.x10hosting.com/editpos...epost&p=579843
%{REQUEST_URI} would be editpost.php?do=updatepost&p=579843

Code:

<IfModule mod_rewrite.c>   MAKE SURE APACHE HAS THE MOD LOADED, USUALLY IS
RewriteEngine On     TELL THE MOD TO START WORKING
RewriteCond %{REQUEST_URI} someplace$ [NC]  IF URI ENDS IN someplace , NC == case insensitive
RewriteRule ^someplace$ index.php?p1=someplace  REPLACE THE STRING someplace WITH index.php?p1=someplace  
</IfModule>

[blakec]

Okay, thank you. I think I understand all of the .htaccess stuff now, but it still changes the URL to the actual URL, while I want it to stay as what the visitor typed in. Any help?

EDIT: If it makes things easier to know this: I'm trying to make example.com/aaa redirect to example.com/bbb/ccc.

I also need example.com/aaa/ddd.php to redirect to example.com/bbb/ccc/ddd.php; ALL without changing what the visitor sees in the address bar.

[descalzo]

Okay, thank you. I think I understand all of the .htaccess stuff now, but it still changes the URL to the actual URL, while I want it to stay as what the visitor typed in.

....

ALL without changing what the visitor sees in the address bar.

I

give

up

[misson]

Okay, thank you. I think I understand all of the .htaccess stuff now, but it still changes the URL to the actual URL, while I want it to stay as what the visitor typed in. Any help?

EDIT: If it makes things easier to know this: I'm trying to make example.com/aaa redirect to example.com/bbb/ccc.

I also need example.com/aaa/ddd.php to redirect to example.com/bbb/ccc/ddd.php; ALL without changing what the visitor sees in the address bar.

Under Apache, you can have internal rewrites without external redirects. External redirects return one of the 3XX HTTP response codes (read the HTTP 1.1 specification for more on HTTP responses) to the client, which causes the browser to display the new URI and request it. With mod_rewrite, you get an external redirect if you explicitly use a redirect flag (e.g. [R],[R=301]), or implicitly when the substitution in the RewriteRule is an absolute URI, with scheme and hostname. For example, both of the following RewriteRules result in external redirects:

Code:

RewriteRule ^/?foo$ /bar [R=301]
RewriteRule ^/?foo$  http://www.example.com/bar

Otherwise, an internal rewrite shouldn't result in a 3XX response; it merely changes the pathname corresponding to a given URI. Compare:

Code:

RewriteRule ^/?foo$ /bar

Read Apache's documentation on mod_rewrite or google for more info.


As for limiting access to content, you could try to use the Referer [sic] header, but many people block it out of privacy concerns, which means they couldn't access the protected content. Also, site rippers usually send an appropriate Referer header, so this technique won't protect you from rippers (assuming that's your goal).

You could also pass some secret via a header or by POSTing it in the AJAX request, but a knowledgeable user could easily extract that information and get the page.

Why is this task important to you? If a visitor can view information, they should be able to view part of that information. From this principle (and in the absence of an overall goal), I'd say the desire to limit accessing content solely to AJAX requests is misguided.