DotDragnet
Topic: HTAccess Help/Advice Please
Matt
« on: November 10, 2011, 11:37:57 AM »

Hi

I'm trying to block anyone who has not logged into my website, or who is not from a set IP range, from accessing any WordPress uploads.

(In school, users are not logged in but are on a specific IP range; when they are not on that IP range (access from home) they are logged-in users.)

Previously I had this in my htaccess

Code:
RewriteEngine on
# 403 unless the Referer header is this site; an absent/empty Referer also fails the test.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?thedash\.org\.uk/.*$ [NC]
RewriteRule . - [F]

which said: unless you come from the website, clear off. But this has caused issues in IE when people right-click on a file to 'save as'.

Is there a way to edit this to say: ignore these rules if on the specific IP address (10.50.*)?

Thanks

suedenem
« Reply #1 on: November 10, 2011, 11:48:01 AM »

You need to stop thinking redirects and start thinking allowing/denying access.

Try this in your upload directory's htaccess:

Code:
# Apache 2.2 syntax. No <Limit> wrapper: "<Limit GET POST PUT>" would leave every
# other method (HEAD aside, which follows GET) unrestricted, so these rules apply
# to all requests. "10.50" is Apache's partial-address form for 10.50.0.0/16;
# "10.50.*.*" is not a form that Allow accepts.
order deny,allow
deny from all
allow from 10.50

Edit 1:
I'd then set up a 403 (access denied) redirect to a page with a nice fluffy message saying why they are denied access.

Edit 2:
Note that this works depending on the IP address.  If the user is not logged in but within the IP range, he or she will have access.

If you need access limiting to those who are logged in, you'll need to move the files out of the Web root and serve them through a file funneling script which checks for user permissions.
« Last Edit: November 10, 2011, 12:12:18 PM by suedenem »

So this SEO copywriter walks into a bar, grill, pub, public house, Irish bar, bartender, drinks, beer, wine, liquor...

Beware my weird, cross-dressing comment's; they are pretty standard examples of trolling.
Matt
« Reply #2 on: November 10, 2011, 11:50:07 AM »


> You need to stop thinking redirects and start thinking allowing/denying access.

Sorry if I'm wrong, but won't that block everyone when they are logged in from outside?

suedenem
« Reply #3 on: November 10, 2011, 12:20:49 PM »


> Sorry if I'm wrong, but won't that block everyone when they are logged in from outside?

Read my edits :-)  Your post (or my initial interpretation thereof) was slightly ambiguous, and my original didn't cover all bases.

Anyway... if you want to deny access to files on a session-based authentication basis, don't store them in the web root.  Store outside on the disk or in a DB, and spit the file out only to those logged in.

There might be a WP plugin, but I doubt it.

Matt
« Reply #4 on: November 10, 2011, 12:49:34 PM »


Thanks :)

sarahA
« Reply #5 on: November 10, 2011, 02:33:47 PM »

Code:
RewriteEngine on
# [OR]: the rule fires when EITHER condition holds (corrected in Reply #7).
RewriteCond %{REMOTE_ADDR} !^10\.50\. [OR]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?thedash\.org\.uk/.*$ [NC]
RewriteRule . - [F]

Would that work? (a wild guess, I'm not that great with htaccess besides what I know...!)

suedenem
« Reply #6 on: November 10, 2011, 03:30:35 PM »

> Would that work?

The challenge (as I interpret it) is that files should be accessible when:
  • the user is outside the network's IP range and logged into WP, or
  • the user is inside the network's IP range

and inaccessible when:
  • the user is outside the network's IP range and not logged into WP

Either redirects or allow/deny will deal with the access-by-IP aspect (I'd still use the latter, incidentally).  The problem is checking whether someone is logged into WP - files are served independently of WP's authentication system, and there's no easy way to bridge the two.

One way to do it would be to:
 - set the uploader to save to a folder outside the web root
 - rewrite all requests to the (web root) uploads folder to a script which
     - checks for a valid session cookie
     - streams the file through (fopen, etc? It's ages since I've done any coding of note)

I'm sure you could point Matt in the right direction ;-)
« Last Edit: November 10, 2011, 03:32:47 PM by suedenem »

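What suedenem sketches in Reply #6 (uploads outside the web root, requests for the old upload URLs rewritten to a script that checks the login cookie and streams the file) as a worked example. This is added code, not from the thread and not WordPress core; the directory /var/www/private-uploads, the range 10.50.0.0/16, the script name serve-upload.php and the rewrite rule are all assumptions. It relies on WordPress's own is_user_logged_in(), status_header() and wp_check_filetype(), which become available once wp-load.php is required.

```php
<?php
/*
 * serve-upload.php: added example (not from the thread, not WordPress core).
 * Streams a file from a directory outside the web root only when the request
 * comes from the trusted range OR carries a valid WordPress login cookie.
 *
 * Assumptions (all hypothetical):
 *   - files have been moved to /var/www/private-uploads, and WP's upload
 *     path pointed there so new uploads land outside the web root;
 *   - the trusted school range is 10.50.0.0/16;
 *   - this file sits next to wp-load.php in the web root of a site served
 *     at the domain root, and the root .htaccess gets this rule ABOVE the
 *     "# BEGIN WordPress" block:
 *
 *       RewriteEngine on
 *       RewriteRule ^wp-content/uploads/(.+)$ /serve-upload.php?file=$1 [L,QSA]
 */

define('PRIVATE_UPLOAD_DIR', '/var/www/private-uploads'); // assumption
define('TRUSTED_CIDR', '10.50.0.0/16');                   // assumption

// Bootstraps WordPress so the auth cookie is validated and is_user_logged_in() works.
require_once __DIR__ . '/wp-load.php';

// True when $ip lies inside $cidr. Works for IPv4 and IPv6 via inet_pton().
function ip_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($net);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false;
    }
    $bits  = (int) $bits;
    $whole = (int) ($bits / 8);   // full bytes to compare
    $rest  = $bits % 8;           // leading bits of the next byte
    if (substr($ip_bin, 0, $whole) !== substr($net_bin, 0, $whole)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ip_bin[$whole]) & $mask) === (ord($net_bin[$whole]) & $mask);
}

// The policy from the thread: inside the school range, or logged into WordPress.
function request_allowed($remote_addr, $logged_in) {
    return $logged_in || ip_in_cidr($remote_addr, TRUSTED_CIDR);
}

// Maps the requested relative name onto a real file inside $base, refusing
// anything that resolves outside it (../ tricks, symlinks, NUL bytes).
function resolve_upload_path($requested, $base) {
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    $base_real = realpath($base);
    if ($base_real === false) {
        return false;
    }
    $real = realpath($base_real . '/' . $requested);
    if ($real === false || !is_file($real)) {
        return false;
    }
    // Prefix check with a trailing separator so /var/www/private-uploads2 cannot pass.
    if (strpos($real, $base_real . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $real;
}

$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (!request_allowed($remote, is_user_logged_in())) {
    status_header(403);
    exit('Access denied: log in, or connect from the school network.');
}

$path = resolve_upload_path(isset($_GET['file']) ? $_GET['file'] : '', PRIVATE_UPLOAD_DIR);
if ($path === false) {
    status_header(404);
    exit('Not found.');
}

// Serve with the type WordPress would assign, and stop the browser sniffing.
$ft   = wp_check_filetype(basename($path));
$mime = !empty($ft['type']) ? $ft['type'] : 'application/octet-stream';
$name = str_replace(array('"', "\r", "\n"), '', basename($path));
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Two checks matter beyond the login test: the realpath() prefix comparison stops `../` and symlink escapes from the private directory, and because the 403 is issued before the file is looked up, a denied visitor learns nothing about which names exist. REMOTE_ADDR is the address Apache sees, so behind a reverse proxy the range test would have to use the proxy's forwarded header instead, and then only when the request really came from that proxy. Pushing every file through readfile() costs PHP time on large files; mod_xsendfile can hand the actual transfer back to Apache once the script has authorised it.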
sarahA
« Reply #7 on: November 10, 2011, 03:53:06 PM »

> The challenge (as I interpret it) is that files should be accessible when:
>   • the user is outside the network's IP range and logged into WP, or
>   • the user is inside the network's IP range
>
> and inaccessible when:
>   • the user is outside the network's IP range and not logged into WP

Ah, yes, sorry, not thinking. Removed the 'OR'.

Code:
RewriteEngine on
# Without [OR] the conditions are ANDed: 403 only when the client is outside
# 10.50.x.x AND the Referer is not this site.
RewriteCond %{REMOTE_ADDR} !^10\.50\.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?thedash\.org\.uk/.*$ [NC]
RewriteRule . - [F]

The above, as I interpret it, means: if the user is not on the IP and the referrer isn't the WP site, return a 403. So in theory if the user is on the IP then it should be fine, and if the referrer is the WP site, it should be fine.

Admittedly, if the user isn't on the IP and still tries to right-click then they'll get blocked, but this should at least remove that issue for internal visitors, which I would imagine is a large percentage.

PHP would be simpler but I believe that's a lot of moving files and updating content.
« Last Edit: November 10, 2011, 04:04:56 PM by sarahA »

suedenem
« Reply #8 on: November 10, 2011, 04:13:46 PM »

> Admittedly, if the user isn't on the IP and still tries to right-click then they'll get blocked, but this should at least remove that issue for internal visitors, which I would imagine is a large percentage.

Indeed - I can't think of a *perfect* solution simply using apache.

The other (big) issue if the content is sensitive is that it's easy for anyone with a modicum of Internet knowledge to fake the browser's referrer string.  There are even Firefox plugins which do it for you - it's not a method of authentication that I'd ever use for anything important.

So, it all depends on how secure it has to be. 

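The two RewriteCond variants from Replies #5 and #7, and suedenem's point about forged referrers, as an added example that is not from the thread: the conditions are re-expressed as PHP preg_match() predicates and run over four constructed requests with hypothetical addresses. Forging takes nothing more than `curl -e http://thedash.org.uk/ URL`, which sets an arbitrary Referer header.

```php
<?php
// Added example (not from the thread): the two RewriteCond variants posted
// above, re-expressed as PHP predicates and run over constructed requests,
// so the effect of the [OR] flag and of a forged Referer can be seen.
// The patterns are the thread's own; [NC] becomes the /i modifier.

const INSIDE_RANGE = '#^10\.50\.#';
const SITE_REFERER = '#^http://(www\.)?thedash\.org\.uk/.*$#i';

// Reply #5: [OR] joins the conditions, so EITHER failing test denies.
function denied_with_or($remote_addr, $referer) {
    return !preg_match(INSIDE_RANGE, $remote_addr)
        || !preg_match(SITE_REFERER, $referer);
}

// Reply #7: no flag means AND, so BOTH tests must fail to deny.
function denied_with_and($remote_addr, $referer) {
    return !preg_match(INSIDE_RANGE, $remote_addr)
        && !preg_match(SITE_REFERER, $referer);
}

// Constructed requests (hypothetical addresses). An empty Referer is what a
// browser sends for a typed URL or a right-click "save target as".
function sample_requests() {
    return array(
        'pupil in school, right-click save (no Referer)' => array('10.50.3.21', ''),
        'teacher at home, link clicked on the site'      => array('86.1.2.3', 'http://www.thedash.org.uk/lesson/'),
        'teacher at home, right-click save (no Referer)' => array('86.1.2.3', ''),
        'stranger, Referer forged with curl -e'          => array('203.0.113.9', 'http://thedash.org.uk/'),
    );
}

printf("%-50s %-6s %s\n", 'request', '[OR]', 'AND');
foreach (sample_requests() as $label => $req) {
    list($ip, $ref) = $req;
    printf("%-50s %-6s %s\n", $label,
        denied_with_or($ip, $ref)  ? 'deny' : 'allow',
        denied_with_and($ip, $ref) ? 'deny' : 'allow');
}
```

Only the [OR] version denies the first request (a pupil in school with no Referer), which is exactly the right-click problem Matt started with. Both versions deny the teacher at home who right-clicks, and both allow the stranger with the forged Referer, which is why neither rule set is an authentication check.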
Matt
« Reply #9 on: November 10, 2011, 07:07:13 PM »

> So, it all depends on how secure it has to be.

Enough to make it as difficult as possible, but highly sensitive info is saved in a non-accessible location.

Thanks both, will trial this.

Matt
« Reply #10 on: November 10, 2011, 07:08:21 PM »

Plus, as the site is password protected, you would need to guess the exact path and file name.

suedenem
« Reply #11 on: November 11, 2011, 10:53:47 AM »

> Plus, as the site is password protected, you would need to guess the exact path and file name.

Which is fine until one of the kids diggs (do kids 'digg'?) or links to one of the files on Facebook, or one of the staff members browses with a dodgy toolbar (or even Chrome/Firefox) which reports all accessed URLs back to a scraper service, or...

When it comes to accessing online files, security through obscurity is a decidedly dodgy method.  If I was going to all this effort, I'd make sure it was protected properly to the extent that reasonably security-hardened systems allow.

But maybe I'd be just that bit more paranoid about becoming embroiled in the latest data leak scandal, which would be particularly potent in a school environment.

I suppose that one other way to achieve this would be to allow access either via IP range or Basic Authentication when outside the IP range.  If you've designated the WP usernames and passwords and don't allow users to change them it should be trivial to create the password file - otherwise, you'd have to reset the passwords so there is commonality between the two sets, and then edit WP's register/change password functions to also edit the password file.

Matt
« Reply #12 on: November 11, 2011, 11:35:02 AM »

> But maybe I'd be just that bit more paranoid about becoming embroiled in the latest data leak scandal, which would be particularly potent in a school environment.

We are protecting learning content, rather than student/staff information here. I agree that security is important, but we have to be realistic about what we can achieve and what we can afford to do in relation to risk, and what would happen if a year 10 history PowerPoint got leaked.
