homepage Welcome to WebmasterWorld Guest from 54.197.15.196
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Http_referer
control bandwidth with REFERER
WillllF

5+ Year Member



 
Msg#: 5815 posted 7:24 pm on Mar 16, 2006 (gmt 0)

on my site, users can download files with the following link:
http://www.example.co.uk/files/<type>/<id>/download/

this page then checks if they are users on my website, updates the download counter and redirects them to the file.
// update counter
query("UPDATE `files` SET `counter`=`counter`+1 WHERE `id`='$id'");
// redirect to file
header('location:http://www.example.co.uk/uploads/'.$filename);

taking this into account, the HTTP_REFERER for the file would be http://www.example.co.uk/files/<type>/<id>/download/

so people cant use up my bandwidth without me knowing, i want to stop people from downloading anything if the referer isnt this link.
i have tried:
RewriteCond %{HTTP_REFERER} files/[a-z]+/[0-9]+/download/$
RewriteRule uploads/.{1,}\..{3,4} - [L]

this allows all referer's to download

RewriteCond %{HTTP_REFERER} ^.*/[a-z]+/[0-9]+/download/$
RewriteRule uploads/.{1,}\..{3,4} - [L]

this doesnt allow any referer's through

RewriteCond %{HTTP_REFERER} ^http://%{HTTP_HOST}/[a-z]+/[0-9]+/download/$
RewriteRule uploads/.{1,}\..{3,4} - [L]

this also doesnt allow any referer's through

does anyone know what im doing wrong?
thanks for any help in advance

Will

[edited by: jdMorgan at 2:28 am (utc) on Mar. 17, 2006]
[edit reason] examplified. [/edit]

 

jdMorgan

WebmasterWorld Senior Member jdmorgan us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 5815 posted 6:43 pm on Mar 17, 2006 (gmt 0)

The most obvious problem I see is the use of a server variable in the 'fixed comparison string' on the right side of this RewriteCond:

RewriteCond %{HTTP_REFERER} ^http://%{HTTP_HOST}/[a-z]+/[0-9]+/download/$

There is no 'native' support in Apache for comparing two variables, although some operating systems support 'atomic back-referencess' which can be used to emulate a compare. This depends on the regex library bundled with the OS> Specifically, POSIX 1003.2 atomic back-references can be used to do a compare by using the fact that if A+A = A+B, then A=B.

RewriteCond %{HTTP_REFERER} ^(http://[^/]+)
RewriteCond %{HTTP_HOST)<>%1 ^([^<]+)<>\1$ [NC]
RewriteRule ^uploads/[^.]+\..{3,4}$ - [L]

Note that the "<>" string is entirely arbitrary and has no special meaning to regular-expressions; It is used here only to demarcate the boundary between the two concatenated variables. The actual 'compare' is done in the second RewriteCond, using the atomic back-reference "\1" to 'copy' the value of the string matching the parenthesized pattern directly to its left.

Therefore
if %{HTTP_HOST}<>%{HTTP_REFERER}(partial) == %{HTTP_HOST}<>%{HTTP_HOST}<>%,
then %{HTTP_REFERER}(partial) == %{HTTP_HOST}

This may need some tweaking to fit your actual referrers, since the match between hostname and the partial referrer substring saved in %1 must be exact. And as noted, it will only work on servers which support POSIX 1003.2 regular expressions (FreeBSD is one, and there are others.) I know of no way to support variable-to-variable compares in mod_rewrite without this POSIX 1003.2 trick.

Also, be aware that if you block blank referrers, visitors using "Internet security" software, those behind corporate or ISP caching proxies, and those who type in your URL directly will not be able to use your site.

Jim

leadegroot

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 5815 posted 10:45 am on Mar 18, 2006 (gmt 0)

Well, this would block users who aren't sending referer info.
Not uncommmon.

WillllF

5+ Year Member



 
Msg#: 5815 posted 12:13 pm on Mar 18, 2006 (gmt 0)

Thanks for all your help

Also, be aware that if you block blank referrers, visitors using "Internet security" software, those behind corporate or ISP caching proxies, and those who type in your URL directly will not be able to use your site.

I want to block users who type in the URL directly, however, I dont want to be blocking off users with internet security. Do you know of any other answer to my problem?

jdMorgan

WebmasterWorld Senior Member jdmorgan us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 5815 posted 2:03 pm on Mar 18, 2006 (gmt 0)

If you cannot use the POSIX trick I detailed above to fix your code, then you will have to test each referrer against each host name individually.

Jim

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved