I have hosted a static webpage on Gitlab pages. The URL of the webpage is myname.gitlab.io
I have another website hosted with hostgator
which has the URL "mysecondwebsite.com"
. "mysecondwebsite.com"
has thousands of static html pages hosted on the various paths like "mysecondwebsite.com/charts/folder1/1.html"
, "mysecondwebsite.com/charts/folder1/2.html"
, "mysecondwebsite.com/charts/folder1/3.html"
& so on.
I don't want "mysecondwebsite.com"
to be accessible directly nor the pages in it. Hence, I've enabled hotlink protection which works as expected. Now, I also want to allow access to "mysecondwebsite.com"
ONLY FROM myname.gitlab.io
. This website has list of hyperlinks which when clicked should open anapprpriate page in "mysecondwebsite.com"
. To achieve this, I've entered the following in .htaccess
file on hostgator which isn't helping. I see 403 forbidden
# IP to allow
order allow,deny
deny from all
allow from gitlab.io
Current hotlink protection settings -
# DO NOT REMOVE THIS LINE AND THE LINES BELOW HOTLINKID:r2xGl7fjrh
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mysecondwebsite.com/.*$ [NC]
RewriteRule .*\.(.*|jpg|jpeg|gif|png|bmp|tiff|avi|mpeg|mpg|wma|mov|zip|rar|exe|mp3|pdf|swf|psd|txt|html|htm|php)$ https://mysecondwebsite.com [R,NC]
# DO NOT REMOVE THIS LINE AND THE LINES ABOVE r2xGl7fjrh:HOTLINKID
I am in no way an expert with web hosting. Please could I get some help to get this working.
UDPATED htaccess
Options All -Indexes
RewriteEngine on
RewriteCond %{HTTP_REFERER} !somename\.gitlab\.io [NC]
RewriteRule .* - [F]
CodePudding user response:
allow from gitlab.io
doesn't work on the http referer header like you seem to be expecting. Rather it works based on the IP address of user making the request.
Instead you want to use something that checks the referer and denies access when it doesn't contain myname.gitlab.io
or your own website's host name. You can do that with mod_rewrite
by placing the following in your .htaccess
file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://((myname\.gitlab\.io)|((www\.)?mysecondwebsite\.com))/ [NC]
RewriteRule .* - [F]
This would allow referrers from your gitlab site, and would then allow those pages to fetch further resources such as images, js, and css. In this rule:
RewriteEngine on
- turns on rewrites, this needs to be specified once in your.htaccess
and is shared between all the rewrite rules and conditionsRewriteCond
- specifies a condition for the next rewrite rule!
says that the following regular expression should be negated (not matched)^
is the beginning of the regular expressionNC
is "no case" meaning that this rule is case insensitive and will work for both upper-case and lower-case inputRewriteRule
is the actual rule.*
says that it matches all URLs (in this case the condition specified above it what matters)-
means that there is no destination URLF
says that it should show the "forbidden" status as opposed to redirecting or internally changing the URL.
The problem with this approach is that it will forbid some requests that actually are referred from gitlab. Not all browsers actually send a referer header in all circumstances.