Configuring .htaccess on Windows Platform

What I am trying to do is essentially what the referrer function performs.
However you are correct, I have noticed that many browsers and firewalls
strip this info making it pretty useless..

We have a corporate intranet which is available on the net, we have a sub
domain stored elsewhere, we would only like people to be able to access that
sub domain by clicking a link from the main intranet.. It does not have to
be bulletproof by any means.. We just want to discourage direct linking.. If
somebody were to fake from where they were originating and were to gain
access to the site then so be it..If somebody werre to simply try and access
the site directly they would receive an error message indicating they can
only access the site by clicking the link from the intranet.

I have seen this functionality before but don't know the best way to
implement.. Any help would be very much appreciated.
Many Thanks,
TED
"Purl Gurl" <purlgurl.DeleteThis@purlgurl.net> wrote in message
news:ubidnZDp4JexjhDenZ2dnUVZ_tidnZ2d@giganews.com...
> Ted Appleberry wrote:
>
>> I would like to build a .htaccess to only allow access when the referrer
>> is a certain domain. We want to limit people
>
>> (1)What would this file look like,
>
>> (2) Where do I put this file??
>
> You do not want to do this. Use of the referrer variable only works for
> roughly fifty-percent of transactions. Those using MSIE send a referrer
> quite often, those using Mozilla / Netscape rarely send that variable.
>
> End result is you will block ninety-percent of more of your vistors; your
> site will be a dead site. Those you do not want to enter, can do so
> very easily. Faking a referrer is a snap.
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !.*foo.com.*$
> RewriteRule .* [F]
>
> Condition: http referer NOT match anything foo.com anything end
> Effect Rule: Forbid - 403
>
> Substitute in your domain name.
>
> You can add this to your httpd.conf file, server wide, per directory,
> or on a per directory basis via an .htaccess file in a directory.
>
> Research and read about configuring your httpd.conf file and
> htaccess files. Documentation is available everywhere.
>
> Google terms:
>
> apache htaccess
> apache httpd.conf
> apache referer (misspelled)
> apache mod rewrite
> apache mod rewrite htaccess
>
> I urge you to NOT use this method. You will do better to provide
> a more detailed description of your end goal. Many here can
> provide excellent advice on Apache security.
>
> If you use this method, within a few months, it would not be
> surprising to learn you have zero visitors. If you are intent
> on using this method, you will do better to simply take
> your server offline.
>
> Purl Gurl
 >> Stay informed about: Configuring .htaccess on Windows Platform 

Ted Appleberry wrote:

> We have a corporate intranet which is available on the net, we have a sub
> domain stored elsewhere, we would only like people to be able to access that
> sub domain by clicking a link from the main intranet.. It does not have to
> be bulletproof by any means.. We just want to discourage direct linking.. If
> somebody were to fake from where they were originating and were to gain
> access to the site then so be it..If somebody werre to simply try and access
> the site directly they would receive an error message indicating they can
> only access the site by clicking the link from the intranet.

Ok, your expanded explanation better explains your circumstances.

However, readers need to know if your "intranet" means you are using
a Local Area Network (LAN) system. Use of a LAN system means
each machine on your network will have an easy-to-recognize machine
IP Address, such as 192.168.0.5 or 10.10 ... something. There are
many variations, but each machine should have an address "similar"
to all other machines, for a single LAN system.

Should this be your circumstance, then you can allow or deny based
on IP Address.

An example,

Your LAN network has three machines: 192.168.0.2 192.168.0.3 192.168.0.4
Your subdomain may or may not have a similiar address, which does not matter,
unless you have machines with variations of your subdomain IP Address.

For that case example you can use an entry in your httpd.conf file or use an
entry in an .htaccess file to control access.

Order Deny,Allow
Deny from all
Allow from 192.168

That syntax will deny access to all but allow access for any IP Address
which begins with 192.168 which will allow access by those three
machines in my example above.

That will also cover for a DHCP server which assigns IP Addresses
upon machine boot; a machine address will change but will always
be within a "block" of similar IP Addresses.

Research and read about Apache access control via allow and deny.

Google for: apache htaccess allow deny

You will discover hundreds of sources for study and examples.

Might help to reseach and read about LAN systems so you
can better understand how IP Addresses work within a LAN.

"...only access the site by clicking the link from the intranet."

Do not do that! The only way a referrer variable will work correctly
is if all your users are using the same browser, such as MSIE,
and all browsers are set to provide a referrer variable. This will
not stop a user from changing that behavior!

Restricting access by IP Address is virtually foolproof.

Restricting access by referrer variable will often make a fool of you.

There is a caveat. Machines on your LAN cannot have file sharing
enabled, else access could be gained through UNC (mapped drive)
type access or similar. This applies mostly to Windows machines.

Controlling access can be very challenging on a LAN system.

Give restricting IP Addresses a try. Might be just what you need.

Post more information if this does not help. Many readers will
afford you a variety of methods for your circumstances.

Purl Gurl
 >> Stay informed about: Configuring .htaccess on Windows Platform 

Purl Gurl wrote:

> Order Deny,Allow
> Deny from all
> Allow from 192.168

> That syntax will deny access to all but allow access for any IP Address
> which begins with 192.168 which will allow access by those three
> machines in my example above.

I need to clarify to avoid confusion.

You will want to use that method ONLY in your subdomain, not your main server.

Concept is to deny access to your subdomain, except for local LAN users,
not to deny access to your "upstream" parent server.

I will also add if your subdomain is a "virtual domain" within your parent server,
there are other methods to restrict access. Use of mod_rewrite might be a
better choice than deny access.

Use of mod_rewrite will allow you to redirect "outsiders" to your main server,
and allow "locals" to access your virtual subdomain. Redirection is more
gentle and more polite than is denial of access.

Purl Gurl
 >> Stay informed about: Configuring .htaccess on Windows Platform