Allow from specific referer only in .htaccess


#1

I have a website with a WordPress installation and I’m using mod_rewrite to display clean URLs. I want to protect a page (/thank-you-for-your-purchase/) with .htaccess so that if the page is linked to from my shopping cart system (1shoppingcart.com), the user can see the page. If anyone else tries to access the page, they will be denied access.

I tried the following:

```
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/thank-you-for-your-purchase/?(.*)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www\.mcssl\.com/ [NC]
RewriteRule ^.*$ http://www.mydomain.com/ [R=301,L]
```

The above almost worked as expected; when 1shoppingcart.com (mcssl.com) sent the user to mydomain.com/thank-you-for-your-purchase/ the user would be denied access and sent to the home page. Is this because 1shoppingcart.com is doing a redirect?

Please help!


#2

I think it is more likely that WordPress is still intercepting that page, and redirecting it.

The order in which the rewrite rules are placed in the .htaccess file is very important.

This is very similar to the problem with DH installed stats; the actual url involved is different but the problem, and the solution, is the same.

I think you will find how to fix it by carefully reviewing the DH Wiki page on making stats accessible with .htaccess and substituting your desired URL for the “stats” URL used in the article’s example. :wink:

Good Luck, and if you still can’t sort it, post back and I’ll try to help further.

–rlparker


#3

If it’s not a WP issue as mentioned, maybe try the changes I made in red, especially the “,OR” one.

```
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/thank-you-for-your-purchase/?(.*)$ [NC]
# changed (shown in red in the original post): added (.*) and ,OR
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com/(.*) [NC,OR]
# changed (shown in red in the original post): added (.*)
RewriteCond %{HTTP_REFERER} !^https://www\.mcssl\.com/(.*) [NC]
RewriteRule ^.*$ http://www.mydomain.com/ [R=301,L]
```

Also, just to be sure, you only require https from the second one, right? And you only want it from there if it’s https? Just making sure you didn’t add (or forget) an S on one of them.


:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


#4

Yea, I actually use that in my .htaccess file, but I’m still lost. Here’s my .htaccess file so far:

```
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html)/?(.*)$ [NC]
RewriteRule ^.*$ - [L]

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/thank-you-for-your-purchase/?(.*)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www\.mcssl\.com/ [NC]
RewriteRule ^.*$ http://www.mydomain.com/ [R=301,L]

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Redirect /xyz/ http://mydomain.com/blog/
```

#5

Yes, https is only required for the second one and I don’t want it from http.

I’ll see if your changes will help, thanks!


#6

Still no luck :frowning:


#7

I started a post over at sitepoint to get some more help. You can check it out here:


#8

I’d put the “,OR” back in there from my original post. That would indicate that either of the two you listed is okay.

Also, don’t forget that some people disable passing of the HTTP_REFERER variable in their browsers, so it is possible that you’ll block some people coming from those sites.

You might want to consider redirecting to a page that explains why they’re there, rather than just back to the index.




#9

You’re right. Thanks for the help!


#10

You need to put HTTP:// before the site address… This is the only problem… Try it and make a praise for me…

STEVE
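
An added example, not written by any poster in this thread: a small Python model of how mod_rewrite combines the two negated `HTTP_REFERER` conditions discussed above, comparing the default AND chaining from post #1 with the `[OR]` chaining from post #3. The Referer values are constructed samples and the function names are hypothetical.

```python
import re

# Model of the thread's rule chain (added illustration, not Apache itself).
PROTECTED = re.compile(r"^/thank-you-for-your-purchase/?(.*)$", re.I)
ALLOWED = [
    re.compile(r"^http://www\.mydomain\.com/", re.I),
    re.compile(r"^https://www\.mcssl\.com/", re.I),
]

# Constructed sample Referer values; "" stands for a request with no Referer.
SAMPLES = [
    "http://www.mydomain.com/cart/",
    "https://www.mcssl.com/checkout",
    "http://www.mcssl.com/checkout",   # http, not https
    "http://mydomain.com/",            # no "www."
    "https://example.org/",
    "",
]

def redirected(uri, referer, use_or):
    """True if the RewriteRule fires and the visitor is sent to the home page."""
    if not PROTECTED.search(uri):
        return False
    # Each RewriteCond is negated with "!": true when the pattern does NOT match.
    negated = [p.search(referer) is None for p in ALLOWED]
    # Default chaining is AND; the [OR] flag joins a condition to the next one.
    return any(negated) if use_or else all(negated)

def allowed_referers(use_or, uri="/thank-you-for-your-purchase/"):
    """Sample Referers that reach the page instead of being redirected."""
    return [r for r in SAMPLES if not redirected(uri, r, use_or)]

if __name__ == "__main__":
    print("AND chain lets through:", allowed_referers(use_or=False))
    print("OR chain lets through: ", allowed_referers(use_or=True))
```

With these samples the AND chain admits only the two listed origins and redirects a request that carries no Referer, while the OR chain redirects every sample because no single Referer can match both patterns. Since the Referer header is supplied by the client, either form is a convenience filter rather than access control.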