From: "Boyle Owen"
Date: Thu, 29 Jul 2004 14:46:58 +0200
Subject: RE: [users@httpd] Unable to relative link outside root directory

> -----Original Message-----
> From: yc lim [mailto:meepokman@hotmail.com]
> Sent: Thursday, 29 July 2004 12:29
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Unable to relative link outside root directory
>
> >From: Eimantas Vaiciunas
> >Reply-To: eimantas.vaiciunas@sc.vu.lt
> >To: users@httpd.apache.org
> >Subject: Re: [users@httpd] Unable to relative link outside root directory
> >Date: Thu, 29 Jul 2004 12:17:42 +0200
> >
> >On Thursday 29 July 2004 12:01, yc lim wrote:
> > > Case 1: if I have the image folder within the root directory
> > > /var/www/html/websiteroot/image/
> > >
> > > No matter how many image protect measures / scripts I implement, people
> > > will still be able to view my image by entering the URL of the image
> > > directly (i.e. www.example.com/image/1.jpeg)
> > >
> > > Case 2: I decided that to prevent people from being able to access the
> > > image directly via URL, I place the image file outside the root document.
> > > This way, no one can access the folder at all except the server.
> > >
> > > Case 3: Using alias as suggested, gives the similar effect as having the
> > > image directory in the root folder. I can always access the image directory
> > > (i.e. www.example.com/images/1.jpeg)
> > >
> > > Nevertheless, I did learn something new. Hope someone can enlighten me :)
> >
> >I think this should do:
> >
> >SetEnvIf Referer "^http://your.domain.com/" local_referal
> >SetEnvIf Referer "^$" local_referal
> >
> >   Order Deny,Allow
> >   Deny from all
> >   Allow from env=local_referal
> >
> >This example was taken from apache documentation
> >(http://httpd.apache.org/docs/env.html#examples)
>
> This just prevents hot-linking. What I'm concerned about is leeching.

Please define both terms and what you think is the difference...

> What I want to prevent is people accessing the image directly,
> even thru my own website:
>
> i.e. when url = http://www.example.com/image/1.jpeg, apache will return an
> error.

If you implement the method described by Eimantas this is what will
happen - did you try it?

> The only way the user can see the image is when thru the webpage
> whereby the image is embedded in.
>
> *I can still see & save the image by entering the url directly
> http://www.example.com/image/1.jpeg.

If you still see it then you must not have implemented the method
correctly. The server will refuse to deliver the content to clients
which do not present the correct Referer header in the request.
Conversely, if the client presents a valid Referer, your server *must*
deliver it. You can't simultaneously allow and deny access...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> yc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
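Added example, not part of the thread or of the Apache documentation: a small Python model of how the quoted `SetEnvIf` and `Order Deny,Allow` directives decide three constructed requests for the image. It shows that the `^$` rule admits a request carrying no Referer, which is what a URL typed directly produces. The `STRICT` variant, the sample requests and all function names are assumptions made for illustration.

```python
import re

# Directives as quoted in the thread.
POSTED = '''
SetEnvIf Referer "^http://your.domain.com/" local_referal
SetEnvIf Referer "^$" local_referal
'''
# Variant without the empty-Referer rule (constructed for comparison).
STRICT = '''
SetEnvIf Referer "^http://your.domain.com/" local_referal
'''

SETENVIF = re.compile(r'^SetEnvIf\s+(\S+)\s+"([^"]*)"\s+(\S+)$')

def parse_rules(conf):
    """Return (header, compiled regex, env var) for each SetEnvIf line."""
    rules = []
    for line in conf.strip().splitlines():
        m = SETENVIF.match(line.strip())
        if m:
            rules.append((m.group(1).lower(), re.compile(m.group(2)), m.group(3)))
    return rules

def allowed(conf, headers, env_var="local_referal"):
    """Model: Order Deny,Allow / Deny from all / Allow from env=<env_var>."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    env = set()
    for header, pattern, var in parse_rules(conf):
        # A header the client did not send is matched as an empty string.
        if pattern.search(hdrs.get(header, "")):
            env.add(var)
    return env_var in env  # anything else falls under "Deny from all"

# Constructed requests for /image/1.jpeg
REQUESTS = {
    "embedded in own page": {"Referer": "http://your.domain.com/gallery.html"},
    "hot-linked elsewhere": {"Referer": "http://other.example/page.html"},
    "URL typed directly": {},  # no Referer header is sent
}

def decisions(conf):
    """Map each sample request to True (served) or False (refused)."""
    return {name: allowed(conf, h) for name, h in REQUESTS.items()}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("strict", STRICT)):
        for name, ok in decisions(conf).items():
            print(f"{label:7} {name:22} -> {'200' if ok else '403'}")
```

Without the `^$` rule a directly typed URL is refused, and so is any client that omits the header; in both variants the decision rests only on the Referer value the client presents.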