Apache referrer auth
From FBSD_tips
DRAFT - INCOMPLETE
Rationale
Sometimes you may want to make sure that only your own pages load images from your server. Because the web is stateless and transactional, this is not foolproof, but there are some prudent measures you can take. By default, web browsers send some information with each request, and Apache can use it to find out which page generated the request.
Configuration
The basis of this is the SetEnvIf directive. It looks for information in the request and sets an environment variable if it finds it. You can then use that environment variable as the check in the Limit container.
Here is an example:
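    # Set local_referal when the Referer header starts with the trusted site's URL
    # (dots escaped so they match only a literal dot)
    SetEnvIf Referer "^http://goodhost\.domain\.com/" local_referal
    <Directory /path/to/directory/you/want/checked/>
        Options All Indexes
        FancyIndexing on
        Order Allow,Deny
        <Limit GET>
            # GET is allowed only when local_referal was set above
            Allow from env=local_referal
        </Limit>
    </Directory>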
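Before enabling a rule like the one above, it helps to see how many existing GET requests it would refuse, including visitors whose browsers send no Referer at all and pages served over https. The following is an added example, not part of the original page: it assumes the access log uses Apache's "combined" format and that the protected directory is served under /images/; the function names and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Referer pattern from the page's SetEnvIf line, dots escaped to match literally.
# SetEnvIf performs a regex search, so the leading ^ is what anchors the match.
TRUSTED = re.compile(r"^http://goodhost\.domain\.com/")

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(referer):
    """Say how the referrer rule would treat a GET carrying this Referer."""
    if referer in ("", "-"):  # Apache logs an absent header as "-"
        return "denied: no Referer"
    if TRUSTED.search(referer):
        return "allowed"
    return "denied: other Referer"

def audit(lines, protected_prefix):
    """Count rule outcomes for GET requests whose path is under protected_prefix."""
    outcomes = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m["method"] == "GET" and m["path"].startswith(protected_prefix):
            outcomes[classify(m["referer"])] += 1
    return outcomes

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "http://goodhost.domain.com/index.html" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2023:13:56:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /images/photo.jpg HTTP/1.1" 200 48211 "http://other.example.net/gallery.html" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Oct/2023:13:58:40 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "https://goodhost.domain.com/index.html" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:59:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:00:15 +0000] "POST /images/upload HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for outcome, count in sorted(audit(SAMPLE_LOG, "/images/").items()):
        print(f"{count:3d}  {outcome}")
```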
Examples
Here is a more involved example.
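    # Set local_referal when the Referer header starts with the trusted site's URL
    # (dots escaped so they match only a literal dot)
    SetEnvIf Referer "^http://goodhost\.domain\.com/" local_referal
    <Directory /path/to/directory/to/protect/>
        Options All Indexes
        FancyIndexing on
        AuthType Basic
        AuthName Guest_Access
        AuthUserFile /path/to/htpasswd/file/passwords.pw
        Order Allow,Deny
        # Satisfy Any: a request passes with either the host/env check or a valid login
        Satisfy Any
        <Limit GET>
            Allow from env=local_referal
        </Limit>
        <Limit GET>
            require valid-user
        </Limit>
        Dav on
        # Write and WebDAV methods have no Allow line, so they need the publisher login
        <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
            require user publisher
        </Limit>
    </Directory>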
Discussion
This should not be considered security; at best it is a minor obfuscation of how to pull things off your server.
