
I want to restrict access to a website to only allow referrers from a single domain. I can't get the .htaccess file to work correctly. Say I am referring from http://domainname.com - access will be allowed. Or http://subdomain.domainname.com - access will be allowed.

But any other referrer (or typing in URL) will block, and direct to Access Denied page.

Code as follows (note I need to allow access from ANY referrer page on domainname.com):

RewriteEngine On
RewriteBase /

# allow these referers to passthrough
RewriteCond %{HTTP_REFERER} ^http://(protect|unprotected)\.domainname\.com
RewriteRule ^ - [L]

# everybody else receives a forbidden
RewriteRule ^ - [F]

ErrorDocument 403 /forbidden.html
  • We need to see your code... Can't help without it. Commented Aug 16, 2016 at 13:49
  • Please add your code to the question (edit button) and delete the comment - can't read code in comments. Commented Aug 16, 2016 at 14:14
  • And what is the problem - is it granting access to other referrers? You might want to delete the first RewriteRule, but you must add a negator before the referrer URL: !^http:.... Commented Aug 16, 2016 at 14:21
  • No it seems to be blocking my allowed referrer as well. Commented Aug 16, 2016 at 14:29

1 Answer

1

The HTTP referer header only says where the request is coming from. E.g. when there is a link in some webpage from www.example.net

<a href="http://www.example.com/some/path">Click here</a>

then the request will be for http://www.example.com/some/path and the referer header will contain the URI from www.example.net.

If you block any request without a specific referer, then any direct request will be blocked too. Also note that the referer header is sent by the client, and therefore it is not a reliable indicator.

Another caveat is, according to Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content - 5.5.2 Referer, the client may send a partial-URI, which doesn't contain a domain name at all.


To answer your question, if you want to allow requests coming from either domainname.com or any of its subdomains, you might check for

RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)?domainname\.com
RewriteRule ^ - [L]

RewriteRule ^ - [F]

or the other way round, forbid when you negate it

RewriteCond %{HTTP_REFERER} !^http://(?:.*\.)?domainname\.com
RewriteRule ^ - [F]

To check for one of multiple conditions, cond1 or cond2 or cond3, you must use RewriteCond with the ornext|OR flag, e.g.

RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)?nature\.com [OR]
RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)?adclick\.g\.doubleclick\.net [OR]
RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)?onepointedpixel\.com
RewriteRule ^ - [L]

4 Comments

Thanks. Works from a test URL, but when I click from client banner ad it fails. (Banner click goes via an ad click URL, could this be causing an issue?) Should allow access from all the URLs in the list, deny everything. But I do want to allow user to do page refreshes. RewriteEngine On RewriteBase / RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)?nature\.com RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)? adclick\.g\.doubleclick\.net RewriteCond %{HTTP_REFERER} ^http://(?:.*\.)?onepointedpixel\.com RewriteRule ^ - [L] RewriteRule ^ - [F]
I wanted to also ask: do I need to specify the referring document on the referring domain, or just the domain, so if my referrer is nature.com/nrg/index.html?test=ads do I need to specify the whole URL?
You can check for whatever you like, this is just a regular expression. When the regex matches, the condition is true, when the regex does not match, the condition is false. It depends on what you want to achieve. Also, when you have multiple RewriteConds, the conditions must all be true. If you want to match only one of them, you must use the [OR], see RewriteCond
Thanks Olaf. Sorry this is not my area of expertise... if I want to check IF url1 is true OR url2 is true OR url3 is true, what is the syntax?
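
The RewriteCond chaining discussed in the answer and comments, as an added example that is not part of the original posts: a small Python model of how mod_rewrite combines RewriteCond lines with and without [OR], run over constructed Referer values. It assumes Python's `re` behaves like Apache's regex engine for these patterns; the function names are hypothetical.

```python
import re

# Patterns from the answer; True means the line carries the [OR] flag.
WITH_OR = [
    (r"^http://(?:.*\.)?nature\.com", True),
    (r"^http://(?:.*\.)?adclick\.g\.doubleclick\.net", True),
    (r"^http://(?:.*\.)?onepointedpixel\.com", False),
]
# Same patterns as posted in the comment, without [OR] (implicit AND).
WITHOUT_OR = [(p, False) for p, _ in WITH_OR]


def chain_matches(conds, referer):
    """Evaluate a RewriteCond chain: [OR]-linked lines form a group,
    and every group must be true (OR binds tighter than the implicit AND)."""
    group, open_group = False, False
    for pattern, or_next in conds:
        negate = pattern.startswith("!")
        hit = re.search(pattern[1:] if negate else pattern, referer) is not None
        group = group or (hit != negate)
        open_group = or_next
        if not or_next:          # group closed: it must have matched
            if not group:
                return False
            group = False
    return group if open_group else True


def status(conds, referer):
    """The first rule '^ - [L]' passes when the chain matches; otherwise
    the unconditional '^ - [F]' rule answers 403."""
    return 200 if chain_matches(conds, referer or "") else 403


# Constructed sample Referer values (None = header absent).
SAMPLES = [
    "http://www.nature.com/nrg/index.html?test=ads",
    "http://adclick.g.doubleclick.net/click",
    "http://www.example.net/page.html",
    "/nrg/index.html",   # partial-URI without a host
    None,                # direct request, no Referer sent
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):48} OR={status(WITH_OR, ref)} AND={status(WITHOUT_OR, ref)}")
```

Without [OR], a single Referer would have to match all three patterns at once, so every sample gets 403; with [OR], only the two listed hosts pass, and the partial-URI and missing-header cases are still refused.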
