| Author |
|
MacDaddy Newbie

Joined: 05 August 2008
Online Status: Offline Posts: 4
|
| Posted: 05 August 2008 at 7:56am | IP Logged
|
|
|
Hello,
I found some sample code on your site, which is below.
Is there a PHP version of this code? The server is Microsoft but the entire
website is PHP.
......
Dynamic authentication
For example, we have some members area on the site and we need to
password-protect files in this area, but we don't like to use built-in
server security. In this case it is possible to create an ASP script (call
it proxy.asp) that will proxy all requests to the members area and check
for required permissions. Here is a simple template for this page where
you can put your own authorization code:
<%@ Language=JScript EnableSessionState=False%>
<%
function Authorize()
{
    //Check if the user is authorized to view a resource here
    //Return true if user has a required permission, otherwise return false
    return true;
}
if(!Authorize())
{
    //Redirect to the login page
    Response.Redirect("http://mysite.com/LoginPage.asp?ref="+Request.QueryString.Item);
    Response.End()
}
//Open a back-end request to the URL passed in the query string (used as-is)
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5");
WinHttpReq.Open(Request.ServerVariables("REQUEST_METHOD").Item, Request.QueryString.Item, true);
//Copy the client's request headers to the back-end request
var headers=String(Request.ServerVariables("ALL_RAW")).split("\n");
for(i=0; i<headers.length && headers[i]; i++)
{
    header = headers[i].match(/([\w-\.]+):\s*([ \S]*)/);
    if(header)
        WinHttpReq.SetRequestHeader(header[1],header[2]);
}
//Forward the request body, if there is one
if(lngCount = Request.TotalBytes)
{
    var data=Request.BinaryRead(lngCount);
    WinHttpReq.Send(data);
} else {
    WinHttpReq.Send();
}
if(!WinHttpReq.WaitForResponse(15))
{
    WinHttpReq.Abort();
    Response.Status="408 Request Timeout";
} else {
    //Relay status, headers and body back to the client
    Response.Status = "" + WinHttpReq.Status + " " + WinHttpReq.StatusText;
    headers=String(WinHttpReq.GetAllResponseHeaders()).split("\n");
    for(i=0; i<headers.length && headers[i]; i++)
    {
        header = headers[i].match(/([\w-\.]+):\s*([ \S]*)/);
        if(header)
            Response.AddHeader(header[1],header[2]);
    }
    Response.Write(WinHttpReq.ResponseText);
}
%>
Now we need to configure ISAPI_Rewrite to proxy requests through this
page:
[ISAPI_Rewrite]
# Proxy all requests through proxy.asp
RewriteRule /membe
|
|
| |
MacDaddy Newbie

Joined: 05 August 2008
Online Status: Offline Posts: 4
|
| Posted: 06 August 2008 at 7:09am | IP Logged
|
|
|
bump....
|
|
| |
Anton Moderator Group

Joined: 30 January 2007 Location: Ukraine
Online Status: Offline Posts: 9122
|
| Posted: 06 August 2008 at 8:03am | IP Logged
|
|
|
Unfortunately, we don't have a PHP version of this code. And this code is given only as an example and is not supposed to be used on the production server as is, as it lacks lots of checks etc.
__________________ Regards,
Anton
|
|
| |
MacDaddy Newbie

Joined: 05 August 2008
Online Status: Offline Posts: 4
|
| Posted: 13 August 2008 at 12:12pm | IP Logged
|
|
|
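Hello,
we just need a simple version of this. I have created a PHP page which
validates and it redirects properly; the problem is that the rewrite creates
an infinite loop between my validation page and the file itself. What could
I add to this to make the rewrite verify that everything is good?
We have added id=TheAddressUserWants to the rewrite script and it
catches it fine and redirects.
RewriteRule /members(.+) /proxy.php\?id=http\://mysite.com/members$1
// proxy.php page below
<?php
session_start();
// Referer header sent by the browser (empty when the URL is typed directly)
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// URL the user asked for, passed in by the rewrite rule
$id = isset($_GET["id"]) ? $_GET["id"] : '';
// Assumption: the login page stores the logged-in user in the session as 'user1'
$user1 = isset($_SESSION['user1']) ? $_SESSION['user1'] : null;
if ((!$user1) || (!$ref)) {
    header("Location: ../login.php");
} else {
    // Sends the browser back to the /members URL, which the rule rewrites to proxy.php again
    header("Location: " . $id);
}
exit;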
|
|
| |
MacDaddy Newbie

Joined: 05 August 2008
Online Status: Offline Posts: 4
|
| Posted: 13 August 2008 at 12:19pm | IP Logged
|
|
|
or, how could we write a condition that ignores all requests from proxy.php
and allows people to go straight to the file that was requested
|
|
| |
Anton Moderator Group

Joined: 30 January 2007 Location: Ukraine
Online Status: Offline Posts: 9122
|
| Posted: 14 August 2008 at 3:56am | IP Logged
|
|
|
Please try to use this rule:
RewriteCond %{REQUEST_URI} !^.*proxy\.php.*$
RewriteRule ^/members(.+)$ /proxy.php?id=http://mysite.com/members$1 [NC,L]
__________________ Regards,
Anton
|
|
| |
Dre240 Newbie

Joined: 14 August 2008 Location: Canada
Online Status: Offline Posts: 7
|
| Posted: 14 August 2008 at 11:55pm | IP Logged
|
|
|
Hello, I am looking into this issue alongside MacDaddy.
I think MacDaddy may not have fully explained what exactly we are trying to accomplish here.
We have a PHP site running on a Microsoft server, which only uses a PHP login page for authentication into member areas.
Recently, we have found a flaw with our site, which would allow someone to access files in the member areas if they were to know the exact path to a file, even if they are not authenticated by the PHP script for access to that area.
We were hoping that the ISAPI Rewrite tool would allow us to proxy all requests on the site through a PHP file that could check to see if the request is being made from a link on our site. If a request was being made from a link on our site then the user would be directed to the requested link, and if it was not then they would be directed back to the login page.
I have tried to implement the rule that you have posted, Anton, however it does not seem to work properly. With your rule all requests on the site are allowed through, whether they come from a link on our site or a direct link such as http://mysite/members/file.pdf, instead of redirecting these direct links back to the login.php page.
Perhaps we are looking at this problem the wrong way. Would it be easier to not use a proxy file and write a rule in ISAPI Rewrite that would deny access to any "PDF" file unless they were referred to it by http://mysite.com?
Please advise.
Thanks
|
|
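One way to close the direct-path gap described in the posts above, as an added example (not code from the forum participants or from Helicon): proxy.php checks the session and streams the file itself instead of redirecting, so there is no second request for the rewrite rule to catch. The session key `user1`, the `MEMBERS_DIR` location outside the web root, and a rewrite rule that passes the requested path as `?file=` are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: login.php sets
// $_SESSION['user1']; member files sit in MEMBERS_DIR outside the web root;
// the rewrite rule passes the path relative to the members area as ?file=...
define('MEMBERS_DIR', 'D:/protected/members');   // hypothetical location

// Resolve a user-supplied relative path inside $baseDir.
// Returns the absolute path, or false if it is missing or escapes $baseDir.
function resolve_member_file($baseDir, $relative)
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false || !is_file($full)) {
        return false;
    }
    // Reject ../ sequences: the resolved path must stay under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : false;
}

session_start();

// Authorization comes from server-side session state only; the Referer
// header is supplied by the client and is not checked.
if (empty($_SESSION['user1'])) {
    header('Location: /login.php');
    exit;
}

$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
$path = resolve_member_file(MEMBERS_DIR, $requested);
if ($path === false) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Stream the file from this script. No redirect back to /members/..., so
// there is no second request for the rewrite rule to catch.
$types = array('pdf' => 'application/pdf', 'txt' => 'text/plain');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . (isset($types[$ext]) ? $types[$ext] : 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```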
| |
Anton Moderator Group

Joined: 30 January 2007 Location: Ukraine
Online Status: Offline Posts: 9122
|
| Posted: 15 August 2008 at 5:06am | IP Logged
|
|
|
Please try to use this rule to block access to pdf if they are not referred from your site:
RewriteBase /
RewriteCond %{HTTP_HOST} !^(?:www\.)?mysite.com$ [NC]
RewriteRule ^.*\.pdf$ 404.asp [NC,L]
__________________ Regards,
Anton
|
|
| |
Dre240 Newbie

Joined: 14 August 2008 Location: Canada
Online Status: Offline Posts: 7
|
| Posted: 18 August 2008 at 2:58am | IP Logged
|
|
|
Hi, with this rule it ends up blocking access to all PDFs whether I'm typing in the URL which points directly to a PDF file, or clicking a link on my site for a PDF.
I tried the rule as you provided it, just changing the name of my site, and it didn't work. So I thought maybe it's not working since my site does not use a www, it follows the format of http://site.mysite.com, so I removed it from the rule, although maybe I did something wrong. This is what I tried:
RewriteBase /
RewriteCond %{HTTP_HOST} !^site.mysite.com$ [NC]
RewriteRule ^.*\.pdf$ 404.asp [NC,L]
Anyway, the rule the way you provided it and the one I modified both always block all PDFs. I'm thinking that the condition somehow is not getting matched, so it always blocks PDFs.
Your help would be appreciated.
Thanks
|
|
| |
Anton Moderator Group

Joined: 30 January 2007 Location: Ukraine
Online Status: Offline Posts: 9122
|
| Posted: 18 August 2008 at 5:45am | IP Logged
|
|
|
Please provide rewrite log records for the specific non-working request.
__________________ Regards,
Anton
|
|
| |
Dre240 Newbie

Joined: 14 August 2008 Location: Canada
Online Status: Offline Posts: 7
|
| Posted: 18 August 2008 at 6:48pm | IP Logged
|
|
|
Sorry, I don't have logging enabled.
Actually I've found one of your other applications more suitable for my application, Hotlinkblocker.
Thanks for all your help
|
|
| |