Apache Web Server Forum

    
htaccess deny referrer ip HELP
How to deny by referrer IP address
schmel




msg:4611369
 5:06 pm on Sep 20, 2013 (gmt 0)

Hello all. I'm new to this forum so I hope nothing I post is in the wrong area.
I'm having some problems with a website I am trying to stop hotlinking from via the referrer. I am able to successfully stop them by the domain, for example:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?worxdpress\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/getlost.jpg [L]

The above works great. The problem I am having is that some of the hotlinks from the same referrer are being done via the referrer's IP only.

Can anyone advise or suggest how to add an IP to the above to block a referrer's IP as well?

[edited by: phranque at 10:45 pm (utc) on Sep 20, 2013]
[edit reason] exemplified domain [/edit]

 

lucy24




msg:4611444
 9:22 pm on Sep 20, 2013 (gmt 0)

While waiting for a full reply, go upstairs and read the Forums charter about using only "example.com". Or example dot something-else if you need to name more than one domain.

Do you mean the referring IP or the requesting IP? If the referer itself comes through as IP numbers, you can put that in the {HTTP_REFERER} line just like anything else. Also note that you don't always need an opening anchor in referers.

If you're talking about the source of the request, that becomes {REMOTE_ADDR}. But at that point you're probably looking at a simple Deny from... directive instead.

The specific IP you named-- which may get snipped in the process of Forums cleanup-- is listed as "Private customer" routed via wowrack. Sure sounds like someone you'd block out unconditionally in any case; the full range seems to be
216.176.176.0/20

:: wandering off to add range to my own Deny list ::

schmel




msg:4611453
 9:56 pm on Sep 20, 2013 (gmt 0)

Thanks for replying. It shows in the log as an HTTP referer from the IP I mentioned earlier, which I now refer to with 000.

What I did was add the following:

RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?000\.000\.000\.000/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/example.jpg [L]

I tested it by the domain which works great. But I have no way of testing whether the addition of the ip works or not. Everything else does.

phranque




msg:4611463
 10:55 pm on Sep 20, 2013 (gmt 0)

welcome to WebmasterWorld, schmel!


you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

lucy24




msg:4611506
 12:38 am on Sep 21, 2013 (gmt 0)

you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

Assuming for the sake of discussion that it's really a link, rather than referer spam :) OK, I guess that's more common with page requests.

Could the form
http:/ /blahblah.123.34.67.89
ever occur as a viable URL? I'd expect numbers alone.

Now, unless you have a very odd site, you could probably get by with a global referer block on

\d+\.\d+\.\d+\.\d+

(substitute [0-9] if server is crotchety) because when would you ever get a legitimate image referer from a numerical IP address?

RewriteRule .*\.(jpe?g|gif|bmp|png)$

The leading .* is unnecessary and may slow things down. Since you're not capturing, all you need is the end-anchored extension.

You might also consider that most anti-hotlink routines are expressed with negative conditions:

Referer IS NOT blank (this is for search engines)
Referer IS NOT my own site (specifying with/without www form to exclude forged referers)
Referer IS NOT {short list of sites that you've personally approved for hotlinking}
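Written out as .htaccess, the negative-condition layout described in this post looks like the following. This is an added example, not schmel's or lucy24's configuration: example.com stands for the protected site, approved-partner.example is an assumed approved hotlinker, and 203.0.113.0/24 is a placeholder range standing in for a requesting (REMOTE_ADDR) network, which is a different thing from a referring host and is handled by access control rather than by a RewriteCond.

```apache
# Added example: hotlink protection expressed as negative conditions.
# example.com = the protected site (assumed); approved-partner.example and
# 203.0.113.0/24 are placeholders, not values from the thread.
RewriteEngine On

# Never rewrite the placeholder image itself, or a foreign referer would
# send the browser round in a redirect loop.
RewriteCond %{REQUEST_URI} !/getlost\.jpg$

# 1. Referer IS NOT blank: search engines, proxies and some browsers send none.
RewriteCond %{HTTP_REFERER} !^$

# 2. Referer IS NOT my own site, with or without www (http or https).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# 3. Referer IS NOT on the short approved list.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?approved-partner\.example/ [NC]

# Anything else asking for an image gets the placeholder. The pattern is
# end-anchored on the extension only; no leading .* is needed.
RewriteRule \.(jpe?g|gif|bmp|png)$ /getlost.jpg [L]

# The requesting address (REMOTE_ADDR) is a separate matter from the referer.
# Apache 2.4 syntax; on 2.2 the equivalent is "Deny from 203.0.113.0/24".
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>
```

With this layout a referer of the form http://000.000.000.000/forum/... needs no rule of its own: it is not blank, not the site's own host and not on the approved list, so it fails the conditions and the image request is rewritten. Serving a 403 instead of a placeholder is a one-line change: replace the RewriteRule target and flags with `- [F]`.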

schmel




msg:4611507
 12:39 am on Sep 21, 2013 (gmt 0)

Tried that. The referrer from the link that I found comes back from the domain and it works fine. That block works. I can't find the link they are using that comes back as the IP address.

schmel




msg:4611508
 12:45 am on Sep 21, 2013 (gmt 0)

I do have a good script for blocking hotlinking. Only problem I have with it is it blocks all links including those legitimate ones.

The server itself is a fairly strong server running CentOS. We use it as a VOD site running the wowzamedia server. It's a storm server through liquidweb.

JD_Toims




msg:4611512
 2:16 am on Sep 21, 2013 (gmt 0)

I can't find the link they are using that comes back as the IP address.

It's not likely it would be a link, in-my-opinion. The most likely place I think you would find it is in an <img> request -- [img requests send referrer headers in all modern browsers I've looked into ;)] -- Check your server logs to see if you visited a page with the image request on it and got blocked then let us know.

schmel




msg:4611519
 2:57 am on Sep 21, 2013 (gmt 0)

Log:

---.---.---.--- - - [20/Sep/2013:11:01:17 -0400] "GET /image-x/new_age/new_age%20(3).jpg HTTP/1.1" 302 226 "http://000.000.000.000/forum/viewtopic.php?f=44&t=4185&sid=401aa2c6814039e0b4f38907dfae3ba3" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like a direct request from their phpbbs script. The 000.000.000.000 is the culprit.

lucy24




msg:4611521
 3:28 am on Sep 21, 2013 (gmt 0)

img requests send referrer headers in all modern browsers I've looked into

They'd darn well better, since that's what your ordinary hotlink protection is based on. You'll meet the rare isolated browser that doesn't send a referer, and ugh are they annoying.

looks like a direct request from their phpbbs script.

Yes, from someone posting the direct URL of your image in a forum like this one ;) Well, not exactly like this one, since we don't allow images. But why isn't this already blocked by your existing anti-hotlinking routine? The referer isn't blank, isn't your own site and-- I assume-- isn't on the short list of approved hotlinkers.

Do you really have a literal space in your filename? And equally literal parentheses? I sure hope you've got very good reasons for both.

What's the 302? I mean, duh, it's a temporary redirect, but what did they get redirected to, and why?

If you plug the IP into the link, you get to a php/bb Forums login page. Grr.
