Hotlinking .htaccess code doesn't seem to be working

webdevfv

msg:4546721 | 10:29 am on Feb 19, 2013 (gmt 0)

Hi all

I've had an issue with a spate of 404s coming from a mis-named .jpg image that someone is likely hotlinking but has incorrectly written when coding. So trying to hunt this down, I've looked on logs and webalizer etc and have come across a couple of websites hotlinking images on our site. Thing is, I have hotlinking code in my .htaccess file to prevent this, so what is happening? I've written out the code below - anyone let me know if there is an error there which is allowing hotlinking to happen - many thanks in advance.

SetEnvIfNoCase Referer "^https?://www.mainwebsite.co.uk" good
SetEnvIfNoCase Referer "^https?://mainwebsite.co.uk" good
SetEnvIfNoCase Referer "q=cache:.*mainwebsite.co.uk" good
SetEnvIfNoCase Referer "translate_c.*mainwebsite.co.uk" good
SetEnvIfNoCase Referer "^http://www.anotherofmywebsites.com" good
SetEnvIfNoCase Referer "^http://anotherofmywebsites.com" good
SetEnvIfNoCase Referer "q=cache:.*anotherofmywebsites.com" good
SetEnvIfNoCase Referer "translate_c.*anotherofmywebsites.com" good
SetEnvIfNoCase Referer "^http://www.andanotherofmywebsites.co.uk" good
SetEnvIfNoCase Referer "^http://andanotherofmywebsites.co.uk" good
SetEnvIfNoCase Referer "q=cache:.*andanotherofmywebsites.co.uk" good
SetEnvIfNoCase Referer "translate_c.*andanotherofmywebsites.co.uk" good
SetEnvIf Referer "^$" good
<FilesMatch ".(gif|jpe?g)$">
Order Allow,Deny
Allow from env=good
</FilesMatch>
|
lucy24

msg:4546748 | 1:06 pm on Feb 19, 2013 (gmt 0)

Holy smokes. I don't think I've ever seen it done with mod_setenvif before. The ordinary version uses mod_rewrite.

For starters, delete all NoCase elements. If the referer is in the wrong case, it's fake and you don't want them. As a bonus it will make the whole thing run faster.

Why does this require four separate lines?

SetEnvIfNoCase Referer "^https?://www.mainwebsite.co.uk" good
SetEnvIfNoCase Referer "^https?://mainwebsite.co.uk" good
SetEnvIfNoCase Referer "q=cache:.*mainwebsite.co.uk" good
SetEnvIfNoCase Referer "translate_c.*mainwebsite.co.uk" good

It all boils down to

SetEnvIf Referer mainwebsite\.co\.uk good

You never want to say .* in the middle of a Regular Expression. Constrain it to the exact text that you're matching, or at least [^.]*

Have you ever tested the code? Does it work in principle? Throw together a few lines of html including a call to one of your images, and open the page locally. The referer will come through as something like "http://localhost/" and you should see the door getting slammed in your own face. (I just double-checked this to make sure it doesn't come through with a null referer. Yup, NO HOTLINKS graphic, loud and clear.)

Are those environmental variables used for anything other than authorizing images? If not, toss them inside the <FilesMatch> envelope so the server doesn't have to plow through them at every request. (The mod_rewrite version of the hotlink blocker works on this principle. If the request isn't for an image, you don't even need to evaluate the conditions.)
|
webdevfv

msg:4546773 | 2:46 pm on Feb 19, 2013 (gmt 0)

lucy - if only I knew. I'm really not heavily into this code, so I've basically taken it from examples offered up on forums - such as this one. Thanks for your help.
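
An added example, not part of any post in this thread: a Python audit of access-log lines. It separates hotlinked image requests the rule refused (403) from ones that were served, from 404s whose Referer names the offending page, and from extensions the posted FilesMatch pattern does not cover. The log lines are constructed, and the combined log format, the `.example` hosts and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Own hosts, taken from the .htaccess posted in the thread.
OWN_HOSTS = {"mainwebsite.co.uk", "anotherofmywebsites.com", "andanotherofmywebsites.co.uk"}
# Same extension test as the thread's <FilesMatch>: case-sensitive, no png.
COVERED = re.compile(r".(gif|jpe?g)$")
IMAGE = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)
# Apache combined log format (assumed): "request line" status size "referer"
LINE = re.compile(r'"(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2013:10:01:02 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "http://www.mainwebsite.co.uk/pets.html" "UA"
203.0.113.9 - - [19/Feb/2013:10:01:05 +0000] "GET /img/cat.jpg HTTP/1.1" 403 210 "http://hotlinker.example/page.html" "UA"
203.0.113.9 - - [19/Feb/2013:10:01:06 +0000] "GET /img/ctat.jpg HTTP/1.1" 404 198 "http://forum.example/thread/12" "UA"
203.0.113.9 - - [19/Feb/2013:10:01:07 +0000] "GET /img/logo.png HTTP/1.1" 200 3300 "http://hotlinker.example/page.html" "UA"
192.0.2.44 - - [19/Feb/2013:10:01:09 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "-" "UA"
"""

def external_referer(referer):
    """True when a Referer is present and its host is not one of ours."""
    if referer in ("", "-"):
        return False  # blank referer: allowed by the "^$" rule
    host = (urlsplit(referer).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host not in OWN_HOSTS

def audit(log_text):
    """List image requests with an external Referer as (verdict, path, referer)."""
    findings = []
    for m in LINE.finditer(log_text):
        path = m.group(1).split("?")[0]
        status, referer = int(m.group(2)), m.group(3)
        if not IMAGE.search(path) or not external_referer(referer):
            continue
        if status == 403:
            verdict = "blocked"        # the rule did its job
        elif status == 404:
            verdict = "missing"        # mis-typed link; referer names the page
        elif not COVERED.search(path):
            verdict = "not-covered"    # extension outside the FilesMatch regex
        else:
            verdict = "served"         # covered file was sent anyway: rule not applied
        findings.append((verdict, path, referer))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```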