Welcome to the JaguarPC Community
JaguarPC

This is a discussion on Hotlinking .htaccess question in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Apr 2003
    Posts
    2

    Hotlinking .htaccess question

    I know I can use .htaccess to allow only certain domains to access images on my site, but is it possible to simply just exclude a few? I only have one or two problem sites with hotlinking, and I'd like to just exclude those two rather than setting up a large list of the places I permit to link to me.

    Sorry if this question has been asked before. I did try searching, but the whole subject is so confusing to me.

    -Kim

  2. #2
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    It is confusing. I believe if you use something like the following it will block
    any request that is not coming from your web site.

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/.*$ [NC]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

    Hope this helps    

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  3. #3
    Kubla Khan lookout's Avatar
    Join Date
    Aug 2002
    Location
    Orodruin
    Posts
    1,386
    Upon reading the original post, I was going to suggest using .htaccess line entries for denying from a full or partial IP address (or host name) like so:

    deny from 209.237.227.195
    (denies access from a specific full IP address)

    deny from 209.237.227
    (this would deny access from a range of IPs, all beginning with 209.237.227)

    or

    deny from apache.org
    (denies access from a specific host name)

    That said, I think you'll find the method Clssam describes a more effective solution to the problem of hotlinking in general. It's not foolproof, but it works fairly well. It is definitely a more proactive approach. I think you'd find that IP and host blocking don't always work as well as you might expect either.

    Some comments on Clssam's code:

    Don't forget to let empty referrals through, with
    Code:
    RewriteCond %{HTTP_REFERER} !^$
    Without this line, you'll be hiding images from any visitor that doesn't pass on a referring URL with their site requests. A visitor's firewall and/or browser configuration can have an effect on this. They also have an effect on what hotlinkers and their visitors will see.

    The example below allows empty referrals through and combines the with and without www rewrite conditions in clssam's example in a single line.
    Code:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com.*$ [NC]
    RewriteRule \.(gif|jpg|jpeg|png|bmp|tif|zip)$ - [F,NC]
    No need for the .* before the \.(filetypes) in the final RewriteRule that clssam posted. I've left it out in my example. Although one might expect the .* necessary to match any sequence of leading characters, it works better without it. I don't remember why anymore. But I did test it pretty extensively at one time, and that was the conclusion.
    The trouble with our times is that the future is not what it used to be.
    - Paul Valery

  4. #4
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Lookout

    Thanks for the mod to the code I posted.

    Hopefully this will solve some problems I have had on occasion.
    RewriteCond %{HTTP_REFERER} !^$

    There is one thing that you did not cover. SSL. If you do not
    have the secure site listed as a referer then your graphics won't
    display when using a secure connection. I realize everyone does
    not need this but I do.



  5. #5
    Kubla Khan lookout's Avatar
    Join Date
    Aug 2002
    Location
    Orodruin
    Posts
    1,386
    Hmmm. That's an interesting point on SSL, although it probably applies only to ecommerce oriented sites. Maybe in that case the

    RewriteCond %{HTTP_REFERER} !^$

    line might not be appropriate, since it would let the empty referrals through. Not sure whether that would have a negative effect on things or not, although my guess is that it would not be harmful. Probably should consult a security expert on that to be sure.

    The line is appropriate in cases when a referring URL is not absolutely required for viewing an image. As I mentioned earlier, perfectly legitimate requests for site content are not always accompanied by a referring URL.

    In the case of SSL, I'd expect you might need to modify the 3rd line in my example to something like:
    Code:
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com.*$ [NC]

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Bah! If you only have a few ppl hotlinking to your site, just send 'em packing...

    Code:
    RewriteCond %{HTTP_REFERER} ^http://www.pain-in-the-butt-hotlinkers.com/.*$ [NC]
    ReWriteRule .* http://www.take-a-flying-leap.com/ [R,L]
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  7. #7
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    BTW, just for the sake of conversation, here's what I do with hotlinkers:

    Root (note 'FilesMatch' expressions aren't anchored):
    Code:
    # deny most common except .php
    <FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module)$">
    deny from all
    </FilesMatch>
    Child (ones that I care about):
    Code:
    # redirect to homepage
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*lenon.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*66.227.17.133/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*69.73.147.61/ [NC]
    RewriteRule ^.*$ http://www.lenon.com/index.php [L,R]
    EDIT: Word to the wise - Sorry for stating the obvious, but two IP's are required during the changeover period to protect your site. Maybe some of you have overlooked this...
    Last edited by Vin DSL; 12-07-2003 at 09:11 PM.

  8. #8
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Lookout,

    Typically only shopping cart check out pages are going to be involved.

    What I had to do when we first got our own SSL rather than using
    the processor's order form was to add
    RewriteCond %{HTTP_REFERER} !^https://secure.domain.com/.*$ [NC]

    The few graphics we have on our check out pages displayed after adding the above.
    Prior to adding the above there was only an x where the graphic should be.

    Your change to the code may work fine. I will experiment and let you know.

    I'm slow to make any changes because I understand so little of the tech side
    of all this. I did try your code on a new site today and it worked OK until
    I started through the check out process.

    Then I added the line for the secure server and everything was
    fine.

    Hopefully your code will solve some problems I've had with people who could
    not view certain folders because they were hotlink protected.

    As always I appreciate your input, as I grope with the Tech Stuff.

    Cheers
    Last edited by Connie; 12-07-2003 at 08:31 PM.


  9. #9
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    This isn't the end-all discussion of .htaccess, but it doesn't need to be. This guy just needs a simple solution to a simple problem, and the one I gave above (not the examples from my site) will send known hotlinkers packing to wherever he wants to send them; circle-jerking popup porn directories are always a good choice...

    My needs are considerably different. I have highly specialized .htaccess files all over the place. I want hotlinking capabilities to certain things, but not my picture albums or downloads. I want Google, Yahoo and MSN to be able to index my site, but not file harvesters and so forth. So, it's quite a balancing act.

  10. #10
    Kubla Khan lookout's Avatar
    Join Date
    Aug 2002
    Location
    Orodruin
    Posts
    1,386
    Agreed, there are many ways to perform this task.

    The generic method clssam and I discussed is a good one though, in the sense that it reduces the chances of successful hotlinking BEFORE it happens. It isn't foolproof, but one can always take more drastic measures to thwart the more egregious offenders. Some lines similar to what Vin initially suggested should take care of those (for the most part, though again, it's not foolproof). My only comment on it would be this minor tweak at the end of his first line of code:
    Code:
    RewriteCond %{HTTP_REFERER} ^http://www.pain-in-the-butt-hotlinkers.com.*$ [NC]
    In the example I provided in my original post, referrers coming in via the IP address would be blocked. Only empty referrers and those from yourdomain.com are allowed to display the file types being protected. So protecting the IP(s) associated with the domain name is unnecessary. This may or may not be what you want. One could get the IP address accepted as a referrer if you included RewriteCond lines for each domain name and IP condition. Something like this (this may need a little tailoring to meet your personal requirements):
    Code:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://yourIPaddress.*$ [NC]
    RewriteRule \.(gif|jpg|jpeg|png|bmp|tif|zip)$ - [F,NC]
    Vin, I know I've mentioned this about your site before and you may not care, but your photo gallery is still blocked to some of us behind firewalls that mask the referring url. That's because you're not allowing empty referrals thru. Turning the firewall off temporarily, the images will display fine, but one will just get image placeholders with the firewall operating.
    Last edited by lookout; 12-07-2003 at 11:04 PM.
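An added example, not code from any poster in this thread: a small Python harness that parses the `RewriteCond %{HTTP_REFERER}` lines discussed in posts #3, #5, #6 and #10 and reports whether the following `RewriteRule` would be applied for a given Referer value, so a rule set can be checked before it goes live. The function names, the `ALLOW_STRICT` pattern, the `second-hotlinker.example` host and all sample Referer values are assumptions made for illustration.

```python
import re

def parse_conds(htaccess):
    """Return (negate, regex, or_next) for each RewriteCond on %{HTTP_REFERER}."""
    conds = []
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rewritecond" or parts[1] != "%{HTTP_REFERER}":
            continue
        flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
        negate = parts[2].startswith("!")
        pattern = parts[2][1:] if negate else parts[2]
        # [NC] means case-insensitive; patterns are unanchored unless they use ^ or $
        rx = re.compile(pattern, re.IGNORECASE if "NC" in flags else 0)
        conds.append((negate, rx, "OR" in flags))
    return conds

def rule_fires(htaccess, referer):
    """True if the RewriteRule following these conditions would be applied."""
    group_ok = False                      # result of the current [OR] group
    for negate, rx, or_next in parse_conds(htaccess):
        group_ok = group_ok or ((rx.search(referer) is not None) != negate)
        if not or_next:                   # group ends; groups are ANDed together
            if not group_ok:
                return False
            group_ok = False
    return True

# Rules from post #3 with the http(s)? change from post #5
ALLOW_LIST = r"""
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com.*$ [NC]
"""
# Assumption: tighter variant with the dots escaped and the host name terminated
ALLOW_STRICT = r"""
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
"""
# Exclude-only list for two sites; the second host is a placeholder
BLOCK_LIST = r"""
RewriteCond %{HTTP_REFERER} ^http://www.pain-in-the-butt-hotlinkers.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?second-hotlinker\.example(/|$) [NC]
"""

if __name__ == "__main__":
    samples = ["", "https://www.yourdomain.com/cart", "http://other.example/page",
               "http://yourdomain.com.other.example/", "http://second-hotlinker.example/x"]
    for ref in samples:                   # constructed Referer values
        print(repr(ref), rule_fires(ALLOW_LIST, ref), rule_fires(ALLOW_STRICT, ref),
              rule_fires(BLOCK_LIST, ref))
```

Without the `OR` flag the two block-list conditions are ANDed, and since no single Referer can match both hosts the rule never fires for either site.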

  11. #11
    Jag Veteran
    Join Date
    Sep 2002
    Posts
    650
    Originally posted by lookout
    No need for the .* before the \.(filetypes) in the final RewriteRule that clssam posted. I've left it out in my example. Although one might expect the .* necessary to match any sequence of leading characters, it works better without it. I don't remember why anymore.
    This is because regular expressions are greedy by default.
    Use .*?\.gif to match gif images (for example), although this is exactly the same as \.gif unless you want to capture a filename.

  12. #12
    Loyal Client
    Join Date
    May 2002
    Location
    Wisconsin, USA
    Posts
    568
    Originally posted by lookout
    Don't forget to let empty referrals through, with
    RewriteCond %{HTTP_REFERER} !^$
    I've just been getting into using .htaccess (I recently discovered a few sites hotlinking my image files). This discussion has been very informative.

    I had been using some rules similar to what Connie (clssam) had. But I just added the above to my sites as well. Thanks for pointing this out Lookout.

  13. #13
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by JonathanB

    I've just been getting into using .htaccess (I recently discovered a few sites hotlinking my image files). This discussion has been very informative...
    Heh! .htaccess rocks! The one in my root directory is 17k. I tried to post it here once, but it required breaking it up into 3-4 posts, and I finally gave up. Nobody could relate to it anyway, probably...

    I'll post links to some very informative .htaccess sites, if anyone is interested.

  14. #14
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by lookout

    ...Vin, I know I've mentioned this about your site before and you may not care, but your photo gallery is still blocked to some of us behind firewalls that mask the referring url....
    Yeah, thanks, lookout, but you're right... I don't care. I do that on purpose...

  15. #15
    Kubla Khan lookout's Avatar
    Join Date
    Aug 2002
    Location
    Orodruin
    Posts
    1,386
    Vin, you knowingly block those not passing on a referring URL from viewing images? Whatever for? To lock down the site more, better tracking of visitors, an attempt to cut back on your visitor count, general orneriness, or what? I'd expect this would affect a large number of site visitors sitting behind corporate and personal firewalls. Not to mention users of certain browsers like Opera. I know it would on the sites I manage. Just curious as to your reasons, if any.

    On .htaccess file size, I question the thinking that bigger is necessarily better, although that is probably not what you had meant to imply here. But certainly from the visitor's perspective of general site performance it wouldn't be.

    Post the links, I'm always collecting stuff like that. So much bad info being mangled with each retelling on the net. Helps to have some other sources for evaluation purposes sometimes.
