
.htaccess script

wma extension won't work

         

squallions

10:54 pm on Jul 7, 2004 (gmt 0)

10+ Year Member



hello all,

This is my first time here, and here is my first question.

I was using this script to prevent hotlinking of my images and music files (wma):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$ [NC]
RewriteRule .*\.(wma|WMA|mp3|MP3|jpg|jpeg|gif|png|bmp)$ http://mysite.com [R,NC]

This would successfully block image files (jpg, gif, bmp) .. but wma or mp3 will not work ..

If they just use a direct link on their site, then if someone clicks on it, it will redirect to my site. But if they use this script

<EMBED SRC="link to file.wma" width=300 height=50 AutoStart=true ShowStatusBar=1></EMBED>

then it works just fine ..

If I stick this

RewriteCond %{HTTP_REFERER} !^$
in the .htaccess script .. it would block them as well as my site.

I have also used this as well

SetEnvIfNoCase Referer "^http://mysite.com/" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g|wma|mp3)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

And it still does not work.

Can you guys help, please? I have a lot of music files and I found a lot of leechers out there, and it wastes a lot of my bandwidth.

Thanks.

jdMorgan

11:26 pm on Jul 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



squallions,

Welcome to WebmasterWorld [webmasterworld.com]!

The problem with music files is that most players, notably Windows Media Player, do not provide a referrer. Therefore, you need to block a blank referrer, using ^$ as you show above. But the problem with that is that many legitimate users, such as those behind corporate or ISP firewalls or caching proxies, will also be blocked because the firewall or cache blocks the referrer. It will also be impossible to access the files using a bookmark or javascript.

There is no good solution using referrer-based access control. You can block by IP address, or institute password protection on those files you wish to protect. HTTP_REFERERs are just not reliable enough.

Also, you have a lot of extra characters in your code, and so it can be simplified:


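RewriteEngine on
# Skip requests that send no referrer at all
RewriteCond %{HTTP_REFERER} .
# Referer values are full URLs, so the pattern starts at the scheme
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mysite\.com [NC]
RewriteRule \.(wma|mp3|jpe?g|gif|png|bmp)$ - [NC,F]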

Note that if you use the [NC] flag, you do not need to specify upper-, lower-, and mixed-case patterns. [NC] makes the pattern match case-insensitive.

If you want to block by IP address use:


RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.1$ [OR]
RewriteCond %{REMOTE_ADDR} ^127\.0\.0\.21$ [OR]
RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.10$
RewriteRule \.(wma|mp3|jpe?g|gif|png|bmp)$ - [NC,F]

Apache mod_rewrite documentation [httpd.apache.org]
Apache URL Rewriting Guide [httpd.apache.org]
Regular Expressions Tutorial [etext.lib.virginia.edu]

Jim
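
Added example (not part of the original posts): a small Python model of the referrer rules discussed above, run over constructed sample requests, showing that a blank referrer cannot be handled correctly either way. The names `blocked` and `evaluate`, the sample requests, and the assumption that the Referer header carries a full URL are illustrative choices.

```python
import re

# Same extensions as the RewriteRule pattern, matched case-insensitively ([NC])
PROTECTED = re.compile(r"\.(wma|mp3|jpe?g|gif|png|bmp)$", re.I)
# Assumption: the Referer header is a full URL beginning with the scheme
OWN_SITE = re.compile(r"^https?://(www\.)?mysite\.com", re.I)


def blocked(path, referer, block_blank=False):
    """Return True if the request would be answered with 403 Forbidden."""
    if not PROTECTED.search(path):
        return False
    if referer == "":
        # "RewriteCond %{HTTP_REFERER} ." lets blank referrers through;
        # block_blank=True models denying blank referrers instead.
        return block_blank
    return OWN_SITE.search(referer) is None


# Constructed sample requests: (description, path, Referer header)
SAMPLES = [
    ("visitor on own page", "/music/song.wma", "http://www.mysite.com/listen.html"),
    ("link clicked on other site", "/music/song.wma", "http://leecher.example/page.html"),
    ("media player via EMBED", "/music/song.wma", ""),
    ("user behind referrer-stripping proxy", "/img/cover.jpg", ""),
]


def evaluate(block_blank):
    """Map each sample description to whether it is blocked."""
    return {desc: blocked(path, ref, block_blank) for desc, path, ref in SAMPLES}


if __name__ == "__main__":
    for mode in (False, True):
        print("block blank referrer:", mode)
        for desc, is_blocked in evaluate(mode).items():
            print(f"  {desc:40s} {'403' if is_blocked else '200'}")
```

With blank referrers allowed, the embedded player gets through; with blank referrers denied, the proxy user is refused along with it.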

squallions

12:44 am on Jul 8, 2004 (gmt 0)

10+ Year Member



Thanks.

Using REMOTE_ADDR will only block each individual from the file, not the leecher's website IP address, right?

I looked at the link [httpd.apache.org] you gave me; instead of using REMOTE_ADDR, can I use HTTP_HOST to block that leecher site?

Or how do I block a certain site from accessing music files in a different way than addressed above?

gergoe

11:08 pm on Jul 10, 2004 (gmt 0)

10+ Year Member



You cannot block a site, since there's no connection between two websites, only the hyperlinks. This means that if someone placed a link on his/her site which points to a resource on your site, there's no way to block *that* remote site, but you can block requests arriving at your server where the referring page is indicated and it is from the site which you want to block (if you click on a link, the browser should send a header called referer to the web server containing the URL from which you arrived at that resource), but that's not really accurate.

About your questions:
The HTTP_HOST variable contains the name of the server the resource is requested from; usually this is the same as the domain name of your web server.
The REMOTE_ADDR and REMOTE_HOST variables are acquired from the user agent's (browser's) network connection when it connects, so they contain the IP address and the hostname of your visitor.

squallions

7:25 pm on Jul 14, 2004 (gmt 0)

10+ Year Member



Yeah, I understand that. So there's no script to prevent hotlinking of music files when they put the link in an <embed> HTML script?

jdMorgan

7:35 pm on Jul 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not without cookies, session ids, or user authentication... :(

Jim

squallions

7:59 pm on Jul 14, 2004 (gmt 0)

10+ Year Member



K, thanks. Well, they eat about 2 GB per day of my music, but my bandwidth allowance was 150 GB/month, so I guess that's OK then.

Thanks all.
sql

ogletree

8:25 pm on Jul 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What you could do is have your file names change every day or every so often dynamically. Have some script that goes through and changes the names with the date and changes all your links to them. That would stop them.

kalos

9:54 am on Jul 17, 2004 (gmt 0)

10+ Year Member



Unfortunately making the files have a date or timestamp varied name would not do much in the long run. After as little as a few days the pattern would be determined and someone could script a way of determining the names and still linking to them.

I would have to vote for a simple authentication scheme that would at least let you control who has access to the files. Even though you have plenty of bandwidth it is still possible for some malicious person to bounce several hundred or thousand requests for the same file(s) through open proxies and ravage that limit in a very short time.

Then again, I'm paranoid. :)
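
Added example (not part of the thread, and going one step beyond it): the date-varied file names suggested above next to a keyed alternative in the spirit of the "session ids" answer, where each link carries an expiry time and an HMAC token that cannot be computed without the server's key. The function names, the `e`/`t` query parameters, and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from datetime import date
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real deployment keeps its key outside the web root.
SECRET = b"constructed-demo-key"


def dated_name(name, day):
    """Date-based renaming: anyone who sees one name can compute the next."""
    return f"{day:%Y%m%d}-{name}"


def sign(path, expires, key=SECRET):
    """HMAC-SHA256 over the path and expiry; unguessable without the key."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(path, ttl=3600, now=None):
    """Build the link your own pages would embed, valid for ttl seconds."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl
    return f"{path}?e={expires}&t={sign(path, expires)}"


def check_url(url, now=None):
    """Server-side check before sending the file: unexpired and untampered."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query.get("e", [""])[0])
    except ValueError:
        return False
    token = query.get("t", [""])[0]
    if expires < now:
        return False
    expected = sign(parts.path, expires)
    # Constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(expected.encode(), token.encode())
```

A copied link stops working once it expires, and changing the path or the expiry invalidates the token; the check has to run in whatever script serves the file.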