

Apache Web Server Forum

    
Hotlinking .htaccess code doesn't seem to be working
webdevfv




msg:4546721
 10:29 am on Feb 19, 2013 (gmt 0)

Hi all

I've had an issue with a spate of 404s coming from a mis-named .jpg image that someone is likely hotlinking but has incorrectly written when coding.

So trying to hunt this down, I've looked on logs and webalizer etc and have come across a couple of websites hotlinking images on our site.

Thing is, I have hotlinking code in my .htaccess file to prevent this, so what is happening?

I've written out the code below - anyone let me know if there is an error there which is allowing hotlinking to happen - many thanks in advance.


SetEnvIfNoCase Referer "^https?://www.mainwebsite.co.uk" good
SetEnvIfNoCase Referer "^https?://mainwebsite.co.uk" good
SetEnvIfNoCase Referer "q=cache:.*mainwebsite.co.uk" good
SetEnvIfNoCase Referer "translate_c.*mainwebsite.co.uk" good
SetEnvIfNoCase Referer "^http://www.anotherofmywebsites.com" good
SetEnvIfNoCase Referer "^http://anotherofmywebsites.com" good
SetEnvIfNoCase Referer "q=cache:.*anotherofmywebsites.com" good
SetEnvIfNoCase Referer "translate_c.*anotherofmywebsites.com" good
SetEnvIfNoCase Referer "^http://www.andanotherofmywebsites.co.uk" good
SetEnvIfNoCase Referer "^http://andanotherofmywebsites.co.uk" good
SetEnvIfNoCase Referer "q=cache:.*andanotherofmywebsites.co.uk" good
SetEnvIfNoCase Referer "translate_c.*andanotherofmywebsites.co.uk" good

SetEnvIf Referer "^$" good

<FilesMatch ".(gif|jpe?g)$">
Order Allow,Deny
Allow from env=good
</FilesMatch>

 

lucy24




msg:4546748
 1:06 pm on Feb 19, 2013 (gmt 0)

Holy smokes. I don't think I've ever seen it done with mod_setenvif before. The ordinary version uses mod_rewrite.

For starters, delete all NoCase elements. If the referer is in the wrong case, it's fake and you don't want them. As a bonus it will make the whole thing run faster.

Why does this require four separate lines?

SetEnvIfNoCase Referer "^https?://www.mainwebsite.co.uk" good
SetEnvIfNoCase Referer "^https?://mainwebsite.co.uk" good
SetEnvIfNoCase Referer "q=cache:.*mainwebsite.co.uk" good
SetEnvIfNoCase Referer "translate_c.*mainwebsite.co.uk" good

It all boils down to

SetEnvIf Referer mainwebsite\.co\.uk good

You never want to say .* in the middle of a Regular Expression. Constrain it to the exact text that you're matching, or at least [^.]*

Have you ever tested the code? Does it work in principle? Throw together a few lines of html including a call to one of your images, and open the page locally. The referer will come through as something like "http://localhost/" and you should see the door getting slammed in your own face. (I just double-checked this to make sure it doesn't come through with a null referer. Yup, NO HOTLINKS graphic, loud and clear.)

Are those environmental variables used for anything other than authorizing images? If not, toss them inside the <FilesMatch> envelope so the server doesn't have to plow through them at every request. (The mod_rewrite version of the hotlink blocker works on this principle. If the request isn't for an image, you don't even need to evaluate the conditions.)
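
Added example, not part of any post in this thread: a Python script that emulates how SetEnvIf and SetEnvIfNoCase search the Referer value, and reports which constructed Referer values each rule set would mark `good`. It covers the original rules for mainwebsite.co.uk, the one-line simplification above, and a host-anchored variant that is this example's own assumption; Python's `re` stands in for Apache's regex engine, and a missing header is treated as an empty string.

```python
import re

# SetEnvIf does an unanchored regex search on the header value;
# SetEnvIfNoCase does the same, case-insensitively (re.I here).
ORIGINAL = [
    (r"^https?://www.mainwebsite.co.uk", re.I),
    (r"^https?://mainwebsite.co.uk", re.I),
    (r"q=cache:.*mainwebsite.co.uk", re.I),
    (r"translate_c.*mainwebsite.co.uk", re.I),
    (r"^$", 0),
]
SIMPLIFIED = [(r"mainwebsite\.co\.uk", 0), (r"^$", 0)]
# Assumption (not from the thread): anchor scheme, optional www and end of host.
# This variant no longer admits the cache/translate referers.
ANCHORED = [(r"^https?://(www\.)?mainwebsite\.co\.uk(/|$)", 0), (r"^$", 0)]

# Constructed sample Referer values; None means the header is absent.
SAMPLES = [
    "http://www.mainwebsite.co.uk/gallery.html",
    "http://localhost/",
    "http://WWW.MAINWEBSITE.CO.UK/",
    "http://www.mainwebsite.co.uk.example.net/page.html",
    "http://forum.example.net/thread?src=mainwebsite.co.uk",
    None,
]

def is_good(rules, referer):
    """True if any rule would set the 'good' variable for this Referer."""
    referer = referer or ""
    return any(re.search(pattern, referer, flags) for pattern, flags in rules)

def audit(rules):
    """Map each sample Referer to the allow/deny decision under these rules."""
    return {sample: is_good(rules, sample) for sample in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL),
                        ("simplified", SIMPLIFIED),
                        ("anchored", ANCHORED)):
        print(name)
        for referer, ok in audit(rules).items():
            print(f"  {'allow' if ok else 'deny':5}  {referer!r}")
```

Every rule set here allows a request with no Referer at all, because of the `"^$"` line; only the anchored variant denies referers that merely contain the site name somewhere in the host or query string.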

webdevfv




msg:4546773
 2:46 pm on Feb 19, 2013 (gmt 0)

lucy - if only I knew. I'm really not heavily into this code so basically taken it from examples offered up on forums - such as this one.

Thanks for your help.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved