A weary afternoon of trying to get my htaccess to block hotlinking

[richardevanslee]

Much to my surprise I find the lines that blocked image hotlinking vanished from my .htaccess file. Possibly from using Cpanel to modify it instead of my text editor. I did catch Cpanel zapping the lines I use to keep out bad user agents.

I've spent the last couple of hours trying the various examples of using modrewrite to block hotlinking. Every example that worked also blocked images from showing up on my own site. Tried the SetEnv method also without luck.

I can't remember where I got what I'd been using. All I remember is that it referenced each directory that I wanted protected. That ring a bell with anyone.

Given all the people that have successfully blocked hotlinking I'm a little embarrassed by my own problems.

Thanks.

[dkadave]

blocking all hotlinking is not really posible. well from what I've tried. I spent a day or so trying all kinds of stuff. And nothing seemed to work. So I said, ah, forget.

but I'm sure there is a way. since I know lots of these free hosts, you know the one's. The block hotlinking. I just wonder how?

[richardevanslee]

I was blocking images successfully. Sadly, since I was secure I started adding them more liberally to my pages. Even without the images I'm constantly at war with bandwidth thieves who swipe my written content. A problem keeping the images from being hotlinked could cause serious bandwidth problems.

Since I had it working before and scoured Google for examples I'm baffled by my own failure.

[Galen]

Well, I don't usually have hotlinking turned on, but when I need it, the default settings from CP's "Enable Hotlinking" controls work just fine.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://subdomain.domain.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

Hope that helps, I know it works for me.

[Ron]

Put a copy of what Galen suggests into each directory that contains images (or maybe just your public_html folder might work) and ensure that .htaccess has permissions of 644

"chmod 644 .htaccess"

Don't know if this'll help, but here it is, FWIW

Be aware that his version will block empty referrers, so a small percentage of your own visitors won't be able to see your images.

[richardevanslee]

As I said I was on Google and tried that (and a couple of variations of that). Blocked me from seeing the images. What I was doing before blocked hotlinkers and let me see the images as well. If only I could remember what it was (if only I'd been wise enough to have had a backup).

Thanks.

[Ron]

Well, JAG does backups, and for a fee maybe they'd be willing to serve up the file to you.

The key point from my previous post was to ensure the permissions of 644

Good Luck

[G.Bloke]

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://.*.yoururl.com.*$ [NC]
RewriteRule .*\.*$ http://yoururl.com/stolen.gif [R]

And don't forget that your 'stolen' graphic must be outside the protected folder!

[richardevanslee]

I've tried several variations of mod_rewrite and setenv. When I successfully block hotlinking then I can't see the images. My .htaccess is pretty big and it may be that some of what I have going on is interfering with my attempts.

What I was using before and worked exactly the way I wanted it to required that I specify twice the directories that I wanted protected:

http://domain.org/images/
http://www.domain.org/images/

Don't remember where I got it from and after long stretches with Google haven't seen anything similar.

Many thanks to those of you who made suggestions.

[G.Bloke]

Richard are you sure you've cleared the cache between 'views' this can often give the false impression that either the block isn't working or that it is wrongly blocking legit traffic

[richardevanslee]

Fairly sure. I've tried to vary the hotlinked images I check and I'm two different broswers to try to keep from fooling myself. (Didn't get to sleep last night for unrelated reasons so I wouldn't be surprised if I didn't goof something up from sheer weariness.)

Thanks.

[lookout]

Richard, there's a parallel thread over here that you might find helpful. What GBloke posted is one good way of handling this though.

[richardevanslee]

Tried it again and images were still showing up on Live Journal and a something called ****france.com. I did empty Opera's cache just to make sure.

And I tried it two different ways: adding it to my root directory .htaccess. I also tried repositioning the lines in my .htaccess. (I have a virtual directory and a list of bad referrers and IPs that I've banned.)

When that didn't work using just those lines for a .htaccess file in an images subdirectory.

Thanks for the pointer to the other thread.

[lookout]

You could lock things down more if you take out the empty referer line (2nd line of GBloke's example), but I don't recommend it, for reasons stated in the other thread.

If you do leave it in, you will be leaving yourself open to some, but not all, hotlinking attempts. When testing, make sure Opera and your firewall are configured to send the http referer with your URL requests. Also, you'll need to empty the browser cache each time you test to make sure you're getting clean results.

[Vin DSL]

This isn't complicated, guys! It isn't Rocket Science...

Look, here's a hotlink to an IMG on my site, and a hyperlink to it also.



http://www.lenon.com/modules/copperm...002/alizee.jpg

The image should not display and the link should not work either. Is this what you're trying to do?