Keeping Your Images from Adorning Other Sites Page 2
One of these header fields is of particular importance to what we want to
do. It's called the Referer field (yes, I know, it's
misspelt--but that's how it's misspelt in the definition, too), and
it indicates the URL of the client's last page if and only if
the client is following a link. That is, if you're viewing
page A, and click on a link to page B, the request for page B will
include a Referer field that says "I'm following a link
on page A." If no link is being followed, such as if the user
just typed B's URL into the Location field of his browser,
there will be no Referer field in the request header.
How does this help? Well, it gives us a way to tell whether an image is being requested because it was linked to by one of our pages -- or by someone else's.
Using SetEnvIf to 'Tag' Images
For a simple case, suppose our Web site's main page is
<http://my.apache.org/>. In this case, we want
to restrict any artwork requests that don't originate on our site
(i.e., only allow them if the image was linked to by one
of our pages). We can do this by using an environment variable
(also called an envariable) as a flag, and setting it if the
conditions are right. Something like the following ought to do it:
SetEnvIfNoCase Referer "^http://my.apache.org/" local_ref=1
When Apache processes a request, it will examine the Referer field in the header, and set the environment variable local_ref to "1" if the value starts with our site address--i.e., is one of our pages.
The string inside the quotation marks is a regular expression pattern that the value must match in order for the environment variable to be set. Describing how to use regular expressions (REs) is far beyond the scope of this article; for now, just be aware that the SetEnvIf* directives use them.
The "NoCase" portion of the directive name means, "do this whether the Referer is 'http://my.apache.org/', or 'http://My.Apache.Org/', or 'http://MY.APACHE.ORG/' -- in other words, ignore the upper/lower caseness of the value."
Using Envariables in Access Control
The Order, Allow, and Deny directives allow us to control access to documents based upon the setting (or unset-ness) of an envariable. The first thing to do is to indicate the order in which Apache will process Allow and Deny directives; you do this with the Order directive as follows:
Order Allow,Deny
This means that Apache will go through any list of Allow directives it has that apply to the current request, and then repeat the process with any Deny directives. With this ordering, the default condition is 'denied;' that is, no-one will be able to access anything unless there's an applicable Allow directive.
All right, so let's add the directive that will let local references work:
Order Allow,Deny
Allow from env=local_ref
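The combined effect of the SetEnvIfNoCase line and the Allow,Deny rules, modelled in Python as an added example (not code from the article): the header dictionaries are constructed samples, Python's re module stands in for Apache's regex matching, and ESCAPED_PATTERN is a variant introduced here. It shows that a request carrying no Referer is refused, and that the unescaped dots in the pattern also match a look-alike host.

```python
import re

# The pattern from the SetEnvIfNoCase line above, unchanged.
PAGE_PATTERN = r"^http://my.apache.org/"
# Assumption: a tightened variant with the dots escaped (not from the article).
ESCAPED_PATTERN = r"^http://my\.apache\.org/"


def local_ref(headers, pattern=PAGE_PATTERN):
    """Model: SetEnvIfNoCase Referer <pattern> local_ref=1.

    A request with no Referer header is matched as an empty string,
    so the flag stays unset for it.
    """
    referer = headers.get("Referer", "")
    return re.search(pattern, referer, re.IGNORECASE) is not None


def status(headers, pattern=PAGE_PATTERN):
    """Model: Order Allow,Deny + Allow from env=local_ref.

    With Allow,Deny the default is 'denied', so only a request that
    matched the Allow directive is served.
    """
    return 200 if local_ref(headers, pattern) else 403


# Constructed sample requests (header sets), not captured traffic.
SAMPLES = [
    ("link on our page", {"Referer": "http://my.apache.org/index.html"}),
    ("mixed-case host", {"Referer": "http://My.Apache.Org/art.html"}),
    ("other site", {"Referer": "http://other.example/page.html"}),
    ("URL typed in", {}),
    ("look-alike host", {"Referer": "http://my-apache.org/"}),
]

if __name__ == "__main__":
    for label, headers in SAMPLES:
        print(f"{label:18} as written: {status(headers)}"
              f"  escaped dots: {status(headers, ESCAPED_PATTERN)}")
```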

