SetEnvIf does not have any effect

htaccess-file works, but doesn't seem to enforce the SetEnvIf rules

         

SirGawain

3:17 pm on Jan 8, 2005 (gmt 0)

10+ Year Member



Hello everyone,

I am trying to stop other sites stealing bandwidth from my server. A quick search brought up a method using the SetEnvIfNoCase directive.

I have created a .htaccess-file for testing. This is it:

SetEnvIfNoCase Referer "^http://mysite.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://mysite.com$" locally_linked=1
<FilesMatch "\.(gif|png|jpg|jpeg)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

The .htaccess-file itself is consulted when trying to access an image in the directory. I checked that by removing the "Allow from.." line - the result was that no images were delivered at all.

Still if I leave the file like it is I can still link to the images from everywhere...

Thank you in advance for any help with the issue.

Cheers!

jdMorgan

4:01 pm on Jan 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



SirGawain,

Welcome to WebmasterWorld!

Two issues:

First, be sure to flush your browser cache (Temporary Internet Files) and any intervening caches before testing any change to your access-control code. If your browser has cached a copy of the image, then it won't be fetched from your server. If it's not fetched from your server, then your access-control code can have no effect. This is the most common cause of problems during access control code testing.

Also, the regular-expression patterns you're using to detect your own host as the referrer won't work if a port number is appended, i.e. http://www.mysite.com:80/image.gif

They're also redundant. You can reduce them to one line by omitting the end-anchor:


SetEnvIfNoCase Referer "^http://mysite.com" locally_linked=1

Be aware that you're also blocking blank referrers. Doing so will essentially deny any visitor who is behind a caching proxy at their corporation or at their ISP, such as all AOL users. At the same time, some user-agents intent on exploiting your site will also visit without a referrer. So, you must trade off the number of people who will think your site is broken against the level of exploits you see.

I suggest that you allow blank referrers unless you have a sufficient "help desk" crew to handle calls from users who find your site images broken:


SetEnvIfNoCase Referer "^$" locally_linked=1
SetEnvIfNoCase Referer "^http://mysite.com" locally_linked=1

Jim
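An added example, not part of either poster's messages: a Python check of the thread's Referer patterns against constructed Referer values, showing which ones would set locally_linked. The STRICT pattern and the sample hostnames are assumptions, and Python's re module stands in for Apache's regex engine, which treats these simple patterns the same way.

```python
import re

# Patterns quoted in the thread (SetEnvIfNoCase matches case-insensitively).
ORIGINAL = [r"^http://mysite.com/", r"^http://mysite.com$"]
SUGGESTED = [r"^$", r"^http://mysite.com"]
# Assumption, not from the thread: escape the dot, allow an optional "www."
# and port, and require the host name to end at "/" or end of string.
STRICT = [r"^$", r"^http://(www\.)?mysite\.com(:\d+)?(/|$)"]

# Constructed sample Referer values; "" models a blank or absent header.
SAMPLES = [
    "http://mysite.com/gallery.html",
    "http://mysite.com:80/gallery.html",
    "http://www.mysite.com:80/image.gif",       # form mentioned in the thread
    "",
    "http://mysite.com.example.net/page.html",  # different host, same prefix
    "http://other.example/page.html",
]

def locally_linked(referer, patterns):
    """True if any pattern would set locally_linked for this Referer."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

def evaluate(samples=SAMPLES):
    """Map each sample to its (original, suggested, strict) results."""
    return {
        s: (locally_linked(s, ORIGINAL),
            locally_linked(s, SUGGESTED),
            locally_linked(s, STRICT))
        for s in samples
    }

if __name__ == "__main__":
    print(f"{'Referer':45} orig  sugg  strict")
    for ref, (o, s, t) in evaluate().items():
        print(f"{(ref or '(blank)'):45} {o!s:5} {s!s:5} {t!s:5}")
```

The same Referer values can be sent to a real server with a command-line HTTP client, which also removes the browser cache from the test.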

SirGawain

4:31 pm on Jan 8, 2005 (gmt 0)

10+ Year Member



Hi,

thanks for your reply. I know that I am blocking blank referers, too, at least theoretically.

But in fact I am blocking no one, as everything is working like the .htaccess file did not exist!

I even removed all the SetEnvIfNoCase lines leaving only the <FilesMatch... block in place. If I am understanding the concept, this should block every attempt to access the images at all, since NO environment variables would be set at all. Still I can access the images as usual. I also made sure my browser doesn't use any cached content or something like that.

Like I said before, I also tested that the .htaccess-file is consulted at all by removing the line "Allow from..." which resulted in every image-request being blocked.

Am I missing a point?

Thanks in advance!

jdMorgan

11:42 pm on Jan 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As stated above:

First, be sure to flush your browser cache (Temporary Internet Files) and any intervening caches before testing any change...

Jim

SirGawain

12:00 am on Jan 9, 2005 (gmt 0)

10+ Year Member



I made sure I am not getting images from the cache or anything. They just load as normal. Same with flushed cache. Same on other computers.

[edited by: SirGawain at 12:09 am (utc) on Jan. 9, 2005]

SirGawain

12:02 am on Jan 9, 2005 (gmt 0)

10+ Year Member



.